+1.800.357.1019

+1.800.357.1019

Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

Ransomware and Encryption - I Was Wrong

Posted by Patrick Townsend on Jan 2, 2020 8:48:08 AM

I might as well start the New Year with an admission and an apology. Let’s clear the slate.

eBook: Definitive Guide to Encryption Key ManagementIn the past I’ve minimized the use of encryption as a specific way to deter Ransomware attacks. My thinking was that encryption would not really help you if your systems are compromised by Ransomeware. After all, my thinking was, the data is still on your servers it just isn’t accessible because it is now encrypted with a key that you don’t have. Of course, you can pay the ransom to unlock your data. There are lots of good reasons to encrypt sensitive data, but I was not seeing encryption as a specific way to specifically minimize the risks associated with Ransomware.

I believed that your best defense against ransomware was to have good backups and be prepared to restore systems quickly from those backups. A lot of our customers had become lax in their backup strategy, and this left them exposed to Ransomware attacks. They just weren’t able to quickly restore from backups, or those backups did not exist, or they were not current enough.

I failed to understand the evolving nature of Ransomware threats. It simply did not occur to me that a cybercriminal would BOTH lock your data AND steal the data and threaten to release it if the ransom payment was not made. That is exactly what is happening now. 

It is now clear to me that encrypting your sensitive data is an important part of your defense against Ransomware attacks. If the attacker cannot access the data, they can’t threaten its release to put pressure on you. So it is time to revisit your security strategy around Ransomware:

  • Backups are still important. They are a first line defense against Ransomware.
  • Your backup strategy is not complete until you fully test the restore process. You will always find glitches during the test of the restore operation. You don’t want to be finding these glitches during a Ransomware recovery process.
  • Encrypt all sensitive data to deny its use by attackers.
  • Use proper encryption key management as a part of your encryption strategy. Locally stored encryption keys (SQL Server, MongoDB, MySQL, and so forth) are easy to recover. If you are not protecting the encryption keys you don’t have an encryption strategy.

There is much more that you need to do to protect against Ransomware, but these items are crucial to your strategy. 

Encryption has many other benefits including helping you meet compliance regulations (California CPA, etc.), helping you minimize reputational damage, helping you protect digital assets and business secrets, and much more. It is time to review your encryption strategy and plug any holes.

If you are a small organization you don’t have to feel left out in the cold. Here at Townsend Security we help small organizations get encryption and key management right. You are NOT priced out of the market. If you are a small organization ask us about our SMB plan.

Patrick

eBook: Definitive Guide to Encryption Key Management

 

Topics: Encryption, Ransomware

vSAN Encryption: Locking Your vSAN Down (Part 2)

Posted by Ken Mafli on Dec 16, 2019 6:30:00 AM

What is vSAN Encryption?

As of VMware vSAN 6.6, you can now encrypt your vSAN datastore. vSAN encryption protects your stored data in case a device is removed or hacked. vSAN encryption only requires the vCenter Server, a third-party Key Management Server (KMS), and ESXi hosts to work. It is standards based and KMIP compatible.

 

(Part one of this series deals with VM encryption. This post will cover vSAN encryption)

How vSAN Encryption Works
 
 

The Rise of Storage Area Networks

Nowadays, VMware vSAN provides hyper-converged storage for the enterprise business. As VMware puts it, “in addition to being incredibly simple to deploy and provision, Virtual SAN allows you to scale storage and compute resources, eliminating costly forklift upgrades.”

But, as most know, vSAN, first released in 2014, did not grow in a vacuum. Physical SANs started to gain traction in the early 2000’s as our need for data storage exploded. The SANS Institute, in 2002, highlighted these trends and the advantages that a SAN provided:

  • Higher availability of systems and applications
  • Costly IT purchases reduced
  • Higher scalability of storage architecture
  • Increased IT staff efficiency
  • Higher ability to utilize the full value of a company’s information assets

Encryption and Key Management for VMware - Definitive GuideBut even though a SAN brought these advantages to its user, it had one major limitation: Storage administrators were still tied to managing the data via where it physically lived, needing to pre-allocate storage on various servers.

vSAN, however, overcomes the limitations of a purely physical SAN. Since vSAN is a software layer that sits on-top of the server, it allows for greater flexibility of your storage capacity. According to MicroAge:

“vSAN is software-defined storage that enables organizations to pool storage capabilities and automatically provision virtual machine storage. They can dynamically scale performance and storage capacity as needed and render underlying physical storage accessible to virtual machines through a policy-driven control pane. [O]rganizations use SANs to interconnect shared pools of storage devices to different servers. vSAN extends this local storage to a shareable storage in each server, enabling other servers to access data over the LAN without a traditional shared storage device.”

Another advantage of vSAN: greater (and much easier to implement) data security. With version 6.6 of vSAN, VMware introduced native encryption for your data-at-rest. vSAN encryption is baked right into vSAN and, as Jase McCarty of VMware puts it, “with a couple of clicks, it can be enabled or disabled for all items on the vSAN datastore, with no additional steps.”

This gives the enterprise business much greater control in how and when they secure their data. That said, let’s take a look at some additional advantages of using vSAN encryption.

 

Expert Weigh-in:
When it comes to database development and administration, there is often an emphasis on securing the data inside the database. Unfortunately, that’s not only one place that data resides. We all know that data exists outside the database engine. It’s important to take steps to protect your data no matter where it may lie. vSAN encryption allows for you take that extra step to protect your data-at-rest sitting in JSON, XML, or CSV files.
~Thomas LaRock, Head Geek, SolarWinds

 

The Advantages of vSAN Encryption

Advantages of vSAN Encryption

 

Minimizes Impact on Performance

With encryption there will always be a performance impact. It is just the nature of the beast. But with vSAN encryption, VMware reports:

  • Minimal impact to CPU cycles while data is being encrypted.
  • A 5-15% CPU penalty and no performance overhead. This overhead is representative of running vSAN with dedupe and compression turned on.

This is great news for those needing to encrypt large amounts of stored data. You can now protect your data and, in large part, maintain the integrity of your performance.

Streamlines Operations

As mentioned earlier, vSAN encryption is easy to configure and entire clusters can be encrypted with just a few clicks. There is zero guess-work with:

  • No third-party encryption to install, configure, and maintain.
  • No encryption at the hardware layer. Encryption at the hypervisor layer (vSAN encryption) has considerably less overhead than deploying encryption at the hardware layer.

Bring Your Own Key Manager

You can bring your preferred key manager to manage your encryption keys. Since vSAN encryption is KMIP 1.1 compatible, you are free to use a FIPS 140-2 compliant encryption key manager, like our Alliance Key Manager.

How Do I Enable vSAN Encryption?

 

The last and biggest advantage: vSAN encryption is easy to enable and use. This means that securing your sensitive data with AES encryption is not a time-intensive task. To prove the point, here is a quick guide to getting encryption up and running for your vSAN clusters:

  • First, install and configure your key management server, or KMS, (such as our Alliance Key Manager) and add its network address and port information to the vCenter KMS Cluster.
  • Then, you will need to set up a domain of trust between vCenter Server, your KMS, and your vSAN host.
    • You will do this by exchanging administrative certificates between your KMS and vCenter Server to establish trust.
    • Then, vCenter Server will pass the KMS connection data to the vSAN host.
    • From there, the vSAN host will only request keys from that trusted KMS.
  • The ESXi host generates internal keys to encrypt each disk, generating a new key for each disk. These are known as the data encryption keys, or DEKs.
  • The vCenter Server then requests a key from the KMS. This key is used by the ESXi host as the key encryption key, or KEK.
  • The ESXi host then uses the KEK to encrypt the DEK and only the encrypted DEK is stored locally on the disk.
  • The KEK is safely stored separately from the data and DEK in the KMS.
  • Additionally, the KMS also creates a host encryption key, or HEK, for encrypting core dumps. The HEK is managed within the KMS to ensure you can secure the core dump and manage who can access the data.

That’s it! VMware has made encrypting your data in vSAN both simple and secure.

 

Expert Weigh-in:
In traditional SAN infrastructures, layering key-based security and integrating with key managers has always been wrought with expense and complexity. It usually meant leveraging very few but very difficult to manage key management appliances which required very specialized skills. But with vSAN along with Alliance Key Manager, a lot of that complexity is removed—letting you focus on protecting your data instead of managing it.
~Christopher Kusek, vExpert and Tech Evangelist

 

Final Thoughts

Encrypt Everything in vSAN

 

Let’s face it, storage area networks are a target-rich environment for malicious actors. Whether it’s:

  • Customer data
  • Intellectual property
  • Financial transactions
  • Legal records
  • Patient information
  • And much, much more….

It all needs to be protected. Network administrators, though, face these challenges:

  • They have little control over what gets put into storage.
  • Sensitive data, many times, is stored by end users with little thought to encrypting it.
  • There is a dizzying array of compliance regulations, internal security standards, and best practices that must be complied with.

vSAN encryption can help. With a few clicks in vSAN entire virtual disks can be encrypted. And with a FIPS 140-2 compliant encryption key manager, like Alliance Key Manager, the keys for your AES-NI encryption will be properly protected and full lifecycle managed.

If you are not protecting your data in vSAN, get started today! It’s not a matter of if your data will be hacked, but when.

 

New call-to-action

 

Topics: Encryption, Key Management, VMware, vSAN

Saving Money with VMware vSAN Encryption

Posted by Patrick Townsend on Oct 16, 2019 7:30:02 AM

You may be using VMware’s vSAN technology and not even know it. vSAN is the core technology in most of the Hyper-Converged Infrastructure (HCI) solutions on the market today. If you are running VMware for your on-premise or cloud infrastructure, you have vSAN at your fingertips. So, how can you leverage vSAN to meet compliance regulations and save money? Let’s take a deeper dive.

First, why is it important to encrypt our data?

Encryption and Key Management for VMware - Definitive GuideAlmost all compliance regulations require that you protect the sensitive information of your customers, employees, and service providers. This includes the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), the EU General Data Protection Regulation (GDPR), the New York Department of Financial Services act (23 NYCRR 500), the Gramm Leach Bliley Act (GLBA), and many, many others. As we now know a major data breach that loses unprotected sensitive data will have severe impacts on any organization whether public or private. Encryption is now a core requirement of any security strategy, so how do we get there?

Can’t I use the native encryption facility in my database?

Almost all commercial and open source databases provide a path to using encryption that is built right into the database. Unfortunately, getting access to the encryption feature usually means upgrading to the Enterprise version of the database—and this can be an expensive proposition. This is true of Microsoft SQL Server, Oracle Database, MySQL, and many others. Of course, an upgrade to the Enterprise version usually gets you a lot more capability than encryption. An upgrade brings a lot of additional value, but the reality is that a database upgrade is beyond the budget of many small to midsize companies. So what can you do?

How can vSAN encryption help?

VMware-vSAN-Encryption

Beginning with version 6.6, VMware vSAN provides for built-in encryption support and a link to vSphere for proper encryption key management. By default, vSAN virtual disks are not encrypted. However, it is really easy to configure a vSphere KMS Cluster, deploy a key management server (KMS), and turn on vSAN encryption. You don’t need to reload your vSAN virtual disks and it is fast to deploy. With very little time and effort you can achieve encryption at rest for your database and other files.

To enable VMware vSAN encryption you only need a key management system that supports the OASIS standard Key Management Interoperability Protocol (KMIP). Our Alliance Key Manager fits the bill perfectly, and there are other solutions. You just deploy the key manager, grab the key manager certificate and private key, install them on your vCenter cluster, configure a KMS Cluster in vSphere, and enable encryption. Voila, you are done in a short period of time.

Do you know what else is cool? You can use the same KMS Cluster configuration to encrypt your VMs and to enable VMware vTPM in your virtual machines. That’s a lot of capability with very little time, effort and expense.

Is it risky to run my database in a vSAN volume?

The VMware vSAN facility is mature and now trusted by large and small Enterprises. As mentioned above, vSAN is a core component of almost all of the major Hyper-Converged Infrastructure (HCI) solutions. You may be using vSAN and not even be aware of it. There is also some good news—VMware has published a number of solution briefs and architecture guides to help you deploy Oracle Database, Microsoft SQL Server, and other databases directly on vSAN. Of course, you need to be aware of high availability requirements for both vSAN and for your KMS, but the existing vSAN documentation is quite good on this front. And deploying a high availability instance of our Alliance Key Manager solution is easy, too. More information here.

Today, you can confidently deploy your relational and NoSQL databases onto encrypted vSAN virtual disks safely and easily.

Saving money with vSAN encryption

We all live with constraints on our IT budget and our management team wants to see a good return on our IT investments. If you find that you don’t have the budget needed to upgrade your database for native encryption, deploying vSAN encryption is a great alternative. vSAN is a VMware facility that you already have and adding a key management solution is now very affordable. You can deploy our affordable Alliance Key Manager solution and avoid future upgrade and build-out costs. vSAN encryption and good key management is within the reach of every IT budget.

Ouch, I have vSAN but I don’t have a place to run a KMS

VMware vSAN is popular in many cloud and edge computing environments, but you might not be deploying VMs in that environment. Our key manager runs as a VMware virtual machine, so this can be a bit problematic in these environments. But there is an elegant solution to this—run the key manager in the cloud. For example, you can launch our Alliance Key Manager as an EC2 instance in AWS, or as a virtual machine in Azure, and use it to protect your vSAN volumes in edge environments. Alliance Key Manager works the same way in the cloud as it does as a VMware VM. And you can use one key management instance to serve multiple vSAN edge deployments. Problem solved!

Some precautions

There are some common sense precautions related to vSAN encryption. One is to be sure that you don’t deploy your KMS virtual machine onto a vSAN volume that it is protecting. If you have issues with the vSAN volume you don’t want it to impact the KMS, and vice versa. Also, as in all production environments where you deploy encryption and key management, be sure to deploy a failover key management server. It is easy to do with Alliance Key Manager and it will help you recover quickly and easily.

Alliance Key Manager for vSAN

Alliance Key Manager is certified by VMware for use with vSAN and vSphere encryption. All versions of vSAN and vSphere that support encryption are certified. In addition to VMware certification, Alliance Key Manager is validated to meet the PCI Data Security Standard (PCI-DSS), is KMIP compliant, and is FIPS 140-2 compliant. You can run Alliance Key Manager as a VMware virtual machine, as a cloud instance (Azure and AWS), in a Docker container, or as a hardware security module (HSM). No charge evaluations are available directly from the Townsend Security website, and we welcome partner inquiries. More information here.

New call-to-action

Topics: Encryption, VMware, vSAN

Encryption and Key Management - The SIX Mistakes that Startups and ISVs Make and How To Avoid Them

Posted by Patrick Townsend on Apr 18, 2019 1:27:59 PM

In our practice here at Townsend Security we engage with a lot of startups and mature ISVs who are trying to grow their business and customer base, leverage their technologies into new opportunities, and grow or migrate to the cloud. We know how difficult it is to start and grow a company, and what a wide set of business challenges have to be overcome. Our hats are off to every entrepreneur who has created a successful company, and every ISV who has kept it going!

Designing Applications with Encryption and Key ManagementI want to share a few thoughts on some pitfalls that can damage your ability to grow your company with a focus on the encryption of sensitive data. Too many promising companies flounder because of poor security implementations, and failing to get encryption right can lead to lost opportunities - maybe even the loss of that breakout sale you need to land a global company. Some early thought and planning about data security can help you weather your migration up the food chain and avoid such losses.

Number 1: Failure to encrypt sensitive data

The single biggest failure of data security is not doing it at all. Even in this age of massive public data breaches, and the damage that they do to companies of all sizes, most startups and ISVs are not implementing encryption of sensitive data. When product managers and developers work on their next big idea, they focus on exciting features in their product and often ignore the work it takes to implement encryption. They instead rely on access control lists and other mechanisms to protect data. These are, of course, important things to do. But the failure to encrypt sensitive data leaves a big hole in your security strategy.

What can go wrong if you haven’t implemented encryption? LOTS !!!

  • The publicity around a data breach can tarnish your reputation and kill opportunities.
  • The lack of encryption may cause compliance regulation failures making it impossible to enter new markets.
  • You may not be able to pass a security review of your software by that large global Enterprise.
  • You may not be able to enter government channels where encryption is a mandate.
  • If your customer experiences a data breach you may encounter substantial litigation costs that damage your financial resources and delay critical development.
  • You may fail to secure that next round of funding when an investor discovers the security gaps in your product.

When these kinds of events damage your ability to grow your company, it can be hard to mitigate them in a timely fashion. And you often won’t know about these dangers until you get fairly far down the road with your business plan.

Number 2: Failure to get key management right

For startups and ISVs who DO understand the need for encryption of sensitive data, the next biggest pitfall is the failure to protect encryption keys properly. Almost every database that supports encryption also supports the ability to protect the database encryption keys with a key manager. But that doesn’t mean that good key management is the default! In most cases the default database key management option is to store the encryption keys on the same server as the sensitive data. Sometimes the database will even store the encryption key locally and in the clear! So getting encryption key management right is critical to your security strategy. It won’t help to have encryption of your data enabled, and then have a cybercriminal steal your data along with the encryption key.

Related to key management here are some things to look for when you consider databases for your application:

  • Does your database have built-in encryption? Relying on third-party encryption solutions at the file/folder level will certainly cause deployment and scalability problems.
  • Does your database support integration with third-party key managers? If there is no easy way to integrate proper key management into the database, this will also cause deployment and technology delays.
  • Does your database support open standards for key management? For example, the Key Management Interoperability Protocol (KMIP) defines how applications like databases can easily integrate a key manager.
  • Does your database support key management failover? Remember that protecting encryption keys with a key manager also brings along the question of high availability and failover.

HINT:

If you are a startup be sure to choose a database that supports built-in encryption and proper key management. You have lots of good choices in both commercial and open source solutions. So go with a database with native, built-in encryption and key management!

Number 3: Failure to get FIPS 140-2 right

There are important standards and certifications for key management solutions. The most important of these is the National Institute of Standards and Technology’s (NIST) FIPS 140-2 standard. In addition to being a published standard, there is also a validation process for key management systems. The standard, and the validation to that standard, are critically important to your data security strategy. All professional key management solutions have been validated to the FIPS 140-2 standard and you should be sure to deploy a validated key management solution. This will help you avoid failing a security audit by that important new customer!

In addition to ensuring that your key manager is validated to FIPS 140-2, be sure that the entire key management solution is validated. There are many cases where the encryption library alone is validated to FIPS 140-2, but the key management application is not. It is good to have validated encryption, but that is just the start! Encryption key management has its own validation points and you will need both.

Snake Oil Alert !!!

Unfortunately, there are some key management solutions that make unwarranted claims about FIPS 140-2 compliance and validation. Here are a few warning signs to look for when you evaluate a key management solution:

  • A vendor makes compliance claims, but there is no validation. Some vendors claim to be “FIPS 140-2 compliant” but in fact have never completed a FIPS 140-2 validation. Security is hard, and unsubstantiated claims should be a red flag.
  • A vendor claims FIPS 140-2 compliance, but the validation is “in process”, but not complete. A security product can be “in process” for many months or even years. A claim of FIPS 140-2 compliance without actual completion should also be a red flag.
  • A vendor makes some claims of FIPS 140-2 validation, but research shows that the key management solution was not validated by that vendor.
  • A vendor makes a claim of FIPS 140-2 compliance, but the solution is only compliant when backed by a third party validated key management solution. In this case the vendor solution itself is not validated, but relies on the validation of another solution. You may be fooled into thinking that the solution itself is compliant when it is not. Especially watch for this pitfall with open source solutions.

You can always check a vendor’s claims of FIPS 140-2 compliance. Ask for the NIST FIPS 140-2 certificate number, and then Google it. NIST makes the validation certificate available to the public on their website. Copy and paste this into Google search:

NIST FIPS 140-2 certificate number 1449

That was easy!

Number 4:  Failure to make encryption and key management easy and invisible

Now that you are on the road to getting encryption and key management right, it is important to also make it easy and invisible. Your customers have a lot on their agendas, and becoming a key management expert is probably not one of them. So even if you follow the above advice and implement encryption and key management, do your customers a favor and make key management easy. The best way to do this is to bundle a key management solution into your product, and make key management automatic. You can still enable the configuration of an external key management system (some customers will want this), but you can really make it easy for most of your customers if you automate the key management tasks.

Automating key management is a great competitive advantage! One of our partners in the archival and backup space implemented this strategy and make great competitive wins on this feature alone! Their message was simple:

“We have encryption and key management. It is FIPS 140-2 validated. It is completely automatic so you don’t have to spend time fiddling around with a complex key management system.”

This strategy won them a lot of competitive deals and it was easy to talk about - and it shortened the sales cycle.  Of course, be sure that your key management solution supports this type of integration and automation!

Number 5:  Failure to segment customer data

As you move to the cloud and create shared, multi-tenant SaaS solutions, be sure to plan for and architect data segmentation into your solution. You will encounter large customers who will not want to have their data in the same space as other customers. They will want the additional security of segmenting their data into a virtual private cloud. With planning, your technical team can meet this kind of requirement, and help you close that very large deal.

Of course, a data segmentation plan requires a key management segmentation plan. For the same reasons customers want to segment their data, they don’t want to share key management with other customers. And they want to maintain full control of the key management implementation. So be sure to plan for customer-specific deployments of encryption key management and failover key management servers. A properly implemented data and key management segmentation plan will even allow for on-premise deployments that are “cloud ready.”

Number 6:  Failure to develop new market opportunities

Think about Amazon (the company) for a moment. At one point in their history they were an online bookstore. Today the company is very different. Amazon first leveraged its technologies to sell all kinds of products, and then created Amazon Web Services (AWS) to enable all of us to benefit from cloud technologies.

Are you thinking like Amazon? If not, you might be missing some big opportunities. Now that you have secure applications, are there lateral opportunities or technology licensing opportunities available to you? When you approach new opportunities and partners, don’t be afraid to talk about security. Regardless of what you’ve heard:

SECURITY SELLS!

Developing Applications with Encryption & Key Management

Topics: Encryption, Encryption Key Management, ISV, Partner

RSA vs AES Encryption - A Primer

Posted by Patrick Townsend on Mar 25, 2019 8:10:41 AM

If you are new to encryption you might be asking yourself, "what is the difference between RSA encryption and AES encryption, and when should you use them?" It’s a great newbie question, so let’s go exploring.

eBook: Definitive Guide to Encryption Key ManagementAES stands for Advanced Encryption Standard and is in wide use around the world. It falls into a class of encryption methods called “symmetric” encryption. That is, the same secret (an encryption key) is used to encrypt the data, and also used to decrypt the data. AES encryption is probably the most widely used encryption method for protecting data at rest. You will find it used in self-encrypting disk drives, database encryption, storage encryption, and so forth. It’s been around since about 2002, and it is an international standard. Roughly speaking, when you encrypt with AES you put data and the secret encryption key into software that implements AES encryption, and out comes the encrypted data. When you want to use that data you put the encrypted data and the same encryption key into the software, and out comes the original data that you can use.

There are other symmetric key encryption algorithms, and we’ll discuss that a bit below.

RSA encryption is named after the three inventors of the encryption method: Ron Rivest, Adi Shamir, and Leonard Adleman. RSA falls into a class of encryption methods called “asymmetric” encryption. The name asymmetric follows from the fact that there are two related secrets, or keys, used for encryption. One is called a public key, and the other is called a private key. The keys are related in the sense that if you encrypt with the public key, you can only decrypt with the related private key. And the reverse is true, too - If you encrypt with the private key, you can only decrypt with the associated public key. The math is pretty amazing and involves very large prime numbers and factorization. RSA keys are usually used when you have two physically separate endpoints. RSA encryption is often used in web browsers to connect to your favorite websites, in VPN connections, and in many other applications. We use asymmetric encryption every day.

There are other asymmetric encryption algorithms, and we’ll mention a few later.

So, when do we use AES encryption?

AES encryption is great when we have a constrained environment. For example, if we encrypt data in a database, we will decrypt data when we need to access the database. Another example is hard drive encryption - we encrypt the data written to the disk, and decrypt it when we read from the disk. Encryption and decryption will take place on the same platform and in the same context. AES encryption is great for this particular use case. That is why it is commonly used for protecting data at rest.

When do we use RSA encryption?

RSA encryption is really great when we have two physically or geographically different end-points. If I am encrypting data in San Francisco, and you are decrypting it in Dubai, I am likely to use RSA encryption because it is ideal for two separate end-points. I can encrypt data with an RSA public key at the originating end-point, send it over an unsecure web connection, and decrypt it with the RSA private key at the destination end-point, and not worry about who might intercept it in the middle. The unique public / private key aspects of asymmetric encryption helps us be secure when we are separated by many miles of insecurity and hostile internet territory.

Performance and how this affects the use of RSA encryption

RSA encryption is great for protecting the transfer of data across geographic boundaries. But we have a bit of a problem with RSA encryption - it is really poor from a performance perspective. I might want to send you my sensitive file, but encrypting that with RSA is going to be difficult due to the low performance of RSA encryption. No problem! You can combine RSA encryption with AES symmetric encryption to achieve the security of RSA with the performance of AES. This is normally done by generating a temporary, or session, AES key and protecting it with RSA encryption.

Other symmetric algorithms

AES is not the only symmetric encryption method. The older, and still standard, Triple DES (Data Encryption Standard) method is still in wide use. Triple DES is an accepted standard even though it is older than AES. However, for any new applications you should avoid the use of TDES (also called TDEA) encryption and it is likely to be deprecated as a standard soon.  Other encryption algorithms exist, such as Two Fish, Blow Fish, Ghost, and others. While they may be good encryption algorithms, they have not achieved the status of accepted standards, and so you should avoid them.

Other asymmetric algorithms

RSA is the granddaddy of asymmetric algorithms. But is is not the only accepted standard for asymmetric encryption. Elliptic Curve Cryptography (ECC) is also in wide use (usually combined with a symmetric algorithm) and is an accepted standard for asymmetric encryption. It performs better than RSA, but still lags AES in terms of performance. You should feel comfortable using ECC for asymmetric encryption needs.

AES encryption and modes of encryption

While AES encryption is the most commonly adopted encryption method, you should be aware that there are multiple modes of operation that can be used with AES. These are also specified in the standards. The raw AES mode of operation is called Electronic Code Book, or ECB. Because raw AES in ECB mode can leak pattern information when encrypting large amounts of data, it is common to use a mode of encryption that incorporates an initialization vector. The Cipher Block Chaining (CBC) mode of AES encryption is very common, as is Counter (CTR) mode. For storage devices it is common to find the XTS mode of encryption used. If data corruption is of concern, you might find the Galois Counter Mode (GCM) in use.

The evolving world of encryption

The world of encryption is always evolving. Cryptographers are working on new algorithms and improvements to existing algorithms to meet the challenges of high performance computing and quantum computing. It is an exciting time for cryptography and encryption key management. For now, you should always stick to published standards like AES, RSA and others mentioned here. Doing so brings the benefits of a consensus among a world-wide group of cryptographers, and keeps you in alignment with many compliance regulations.

Please let me know if you have any questions.

Patrick

eBook: Definitive Guide to Encryption Key Management

Topics: Encryption

VMware Encryption: Protecting Data in vSphere & vSAN

Posted by Luke Probasco on Sep 28, 2018 2:35:36 PM

VMware allows customers to use native vSphere and vSAN encryption to protect VMware images and digital assets.  But as we know, to truly protect private data, encryption keys must also be properly stored and managed. I recently sat down with Patrick Townsend, Founder and CEO of Townsend Security, to talk about vSphere and vSAN encryption, deploying multiple, redundant key servers as a part of the KMS Cluster configuration for maximum resilience and high availability, as well as meeting compliance regulations and security best practices for your organization.  Additionally, we talked about Alliance Key Manager for VMware and how it is helping businesses protect their sensitive data.

Podcast: Protecting Data with vSphere & vSAN Encryption

VMware virtualization has been a game-changing technology for IT, providing efficiencies and capabilities that have previously been impossible for organizations constrained within a traditional IT data center world.

It is really great to see VMware, as a company, stepping up to embrace encryption for vSphere and vSAN.  Introduced in vSphere 6.5 and vSAN version 6.6, encryption allows users to protect data at rest. Additionally, there is a really great key management interface, which provides an excellent path to store and manage keys.  While these versions have been out for a while, many customers are just now getting around to upgrading and can take advantage of VMware's native encryption. With VMware, organizations are able to reduce hardware costs, lower operational cost, and provides a clear a path to move to the cloud. With the addition of encryption, you can deploy secure environments where there is less risk of data loss in the event of a breach.

Let’s dive in a little more and talk about vSphere and vSAN encryption.  Can you walk me through how an organization might deploy encryption and key management?

Sure. I think in a typical VMware environment, organizations are already doing some encryption in their applications.  For example, they may be running Microsoft SQL Server in a VM and using Transparent Data Encryption (TDE) to protect the data.  With the new facilities, you now get the ability to encrypt right in the VMware infrastructure itself. There is one thing that I think VMware did really well, and they have proven this over and over again, is that they have laid out a certification process for key management vendors, which gives VMware customers confidence that they are purchasing and deploying a solution that has been vetted by VMware themselves.  Our Alliance Key Manager, for example, has been certified for:

In terms of deploying key management, it is easy. We recommend using both a production key server and a failover key server. vSphere supports KMS cluster configurations which allow you to have a resilient encryption and key management architecture.  Aside from just being a security best practice, we are seeing our customers deploy two servers because they never want to lose access to their encrypted data. The servers synchronize in real-time and have automatic failover capabilities.

VMware-Encryption-Flowchart

You can’t talk about key management without talking about compliance.  Whether it is PCI DSS, GDPR, or state and federal privacy laws, who doesn’t fall under compliance these days?

Yes, good question.  That is probably a very short list these days.  When you look at all the existing compliance regulations around the world, including the new GDPR, you realize that everyone falls under some compliance regulation, and most of us fall under multiple regulations.  Enterprises, big and small, public and private, fall under the same compliance regulations. Additionally, I have heard more from privately held companies that they think they are exempt - which is not true.

So you are correct.  Compliance regulations are driving a lot of uptake in encryption and I would say that lately GDPR is driving the most interest.  If you look at Article 32 and related recitals, the requirement to protect a data subjects information, there is a clear call for encryption. GDPR has put a new focus on the need to protect private data, as well as to take a broad view at what should be considered sensitive data.  It is not just a credit card number or social security number. Information like a phone number or email address can be considered sensitive data.

How is your Alliance Key Manager helping VMware users protect their private data?

Well, we have been helping VMware customers for a number of years  who are encrypting at the application level. Our Alliance Key Manager for VMware runs as a virtual software appliance and is binarily the same as our hardware security module (HSM). What is new, is that VMware opened the vSphere and vSAN and products to support encryption key management. Now VMware users can leverage the same key management solution for both application and VMware infrastructure encryption.

People often ask us, “How is your key manager different than your competitors”?  One thing that makes us stand out is that we are very diligent about meeting compliance requirements (PCI DSS, GDPR, HIPAA, etc.) and industry standards (FIPS 140-2, KMIP, etc.). Years ago, when we partnered with VMware, one of the first things we did was work with VMware and a QSA auditor to achieve a PCI compliance statement.  Customers can now be assured that when they deploy our Alliance Key Manager in VMware that they are meeting PCI compliance.

What else do VMware customers need to know about Alliance Key Manager for VMware?

Alliance Key Manager is a mature product that has been on the market for more than 10 years. It uses the same software that runs inside our Hardware Security Module (HSM), so customers can be confident that they are running exactly the same key management software that is FIPS 140-2 compliant and in use by over 3,000 customers worldwide.  Additionally, the security posture that the key manager allows, as well as the reference architecture that VMware provides, really gives VMware customers a road map to doing a secure installation.

The other thing that I think a lot of people might not realize is, that when they deploy Alliance Key Manager, they have our entire library of client side applications, SDKs, and sample code available to them.  For example, we have a Microsoft SQL Server TDE encryption component, support for MongoDB via KMIP, and sample SDKs for languages like Java, PHP, Python, etc. All of that comes along with the key manager and makes it easy to address security requirements.

Finally, I’d like to mention our partnership with VMware.  We are diligent about maintaining our certifications with Alliance Key Manager.  Doing this brings a level of confidence to the product for our customers. Prior to starting an encryption project they may be a little leery of key management because they have heard that it may be complicated.  That was true in the past. In fact, today it is actually extremely simple to deploy. Another barrier that we have knocked down is the scalability issue. Our solution works across multiple platforms - AWS, Azure, VMware or as an HSM.  They all talk to each other, and if one goes down, another will automatically fail over. That gives VMware customers the ability to be extremely flexible about how they deploy key management. It is not uncommon that our customers will deploy an application in the cloud, deploy a key manager in AWS, and then mirror those keys back to their on-premise VMware infrastructure. All of this is really straightforward and simple to deploy.

To hear this conversation in its entirety, download our podcast Protecting Data with vSphere & vSAN Encryption and hear Patrick Townsend further discuss protecting data in vSphere and vSAN with encryption and key management.

Evaluation: Alliance Key Manager for VMware

Topics: Encryption, VMware, vSphere, vSAN

IBM i FieldPROC Encryption, IBM Query, and Encrypted Indexes

Posted by Patrick Townsend on Jan 29, 2018 8:31:08 AM

The IBM i DB2 database team implemented column level encryption through Field Procedures (FieldProc) in release 7.1 of the IBM i operating system. It was a great step forward for those IBM i customers who need to encrypt sensitive data to meet compliance regulations and to improve overall security. With release 7.1 it was now possible to implement DB2 encryption without modifying user applications.

IBM i Encryption with FieldProcPrior to this enhancement to DB2 in release 7.1, implementing encryption could be a laborious process of modifying applications and performing extensive regression testing. This approach did not work well with some types of fields (date, time, etc.) and many IBM and third-party query utilities just did not work correctly. So the DB2 enhancement for Field Procedures was a great step forward.

While FieldProc worked well with native SQL applications in release 7.1, there were limitations for older RPG and COBOL applications, and many IBM query utilities did not work correctly with encrypted indexes. Many IBM i customers use IBM and third-party query programs for rapid development of reports and displays of data. Some customers that I’ve talked to have thousands of queries in their application mix, so limitations of IBM query with FieldProc represented an insurmountable challenge for many. When FieldProc was used to encrypt an index or key field, queries just would not work correctly and data was missing or out of order in reports and displays.

But there is some good news!

Starting with the 7.2 release of the IBM i operating system, many of the IBM query applications were updated to work with the native DB2 SQL Query Engine (SQE) by default. The SQL Query Engine has never had a problem with encrypted indexes. This means that the IBM query applications now work seamlessly with data that is encrypted with FieldProc in DB2. You can fully deploy column level encryption across multiple index columns with FieldProc, and your queries will work fine.

Many IBM i customers experimented with FieldProc in the first release in version 7.1 of the operating system and decided to take a pass. If you had that experience it is time to take another look at DB2 FieldProc encryption. The current version of the IBM i operating system is 7.3 and most IBM i customers have upgraded to this release. You now have good support for IBM queries, the SQL Query Engine, and DB2 FieldProc encryption.

While some challenges remain for older OPM and ILE RPG applications, we’ve been able to help a number of customers meet these challenges.

Encryption of data is a core part of a defense-in-depth strategy. We have to do a lot of things to protect our IBM i data, and one of those things is to encrypt the data at rest with industry standard encryption algorithms. DB2 Field Procedures provides the path to achieving this.

To read more about IBM i support for SQL Query Engine in query applications such as RUNQRY, OPNQRYF, and others, see this link.

Our Alliance AES/400 Encryption solution provides full support for DB2 Field Procedures, is easy to deploy, and affordable for every IBM i customer. 

For industry standard encryption key management you can deploy our Alliance Key Manager solution which is seamlessly integrated with DB2 Field Procedure encryption.

Patrick

IBM i Encryption with FieldProc

Topics: Encryption, IBM i, FIELDPROC

Why Encryption is Critical to FinTech

Posted by Luke Probasco on Jul 5, 2017 8:27:26 AM

FinTech is transforming the financial services industry. Everyone from banks and credit unions to insurance companies deal with huge amounts of private data on a daily basis - and the best way to secure it is with encryption. Not only are companies deploying encryption to meet compliance (PCI DSS, etc.), but also as a security best practice.

Why Encryption is Critical to FintechI recently sat down with Patrick Townsend, Founder and CEO, and discussed why encryption is critical to FinTech, meeting the various compliance requirements, as well as how Townsend Security is helping FinTech customers better secure their private data.

The financial world is rapidly changing. Innovations in technology are impacting payments, lending, insurance, and even compliance. Unfortunately, security often does not get as much attention as it should. Do you have any stories that you can share with our listeners about when security really wasn't thought all the way through?

Not only is security a consideration for new solutions coming to market, but it can also be a problem for businesses using legacy technology that was deployed many years ago. Encryption and data protection just were not on the top of anyone’s mind when the applications were built. I recently talked with a large global bank who is running a software package from a well known financial services software vendor and it DOES NOT implement security in the way that we think of it today. Encryption libraries didn’t even exist on some of these platforms when solutions were created, so we are left with applications without encryption, let alone proper key management. This is a ubiquitous problem across the financial services industry as a whole and has become a very big challenge.

Sometimes I wonder how secure our personal data would be if it weren’t for compliance regulations like PCI and GLBA. What are your thoughts on the impact of compliance and data security?

I think compliance follows threats and losses. When individuals suffer from cybercrime, they complain to their legislators and lawyers, and out of that come compliance regulations. For example, we are seeing new compliance regulations like those from the New York State Department Financial Services (NYDFS) requiring organizations to establish and maintain a “risk-based, holistic, and robust security program” that is designed to protect consumers’ private data.” Other compliance regulations like PCI DSS, GLBA, and not just regulations specific to the finance industry, have been created to protect individuals who may be cybercrime targets.

Financials organizations are responding to compliance regulations by further protecting data that they collect. They do it because they have to (to meet compliance requirements), but also because it is important to their brand and the trust that they have established with their customers. Today, no acquirer of FinTech would find it acceptable to have sensitive data not protected to industry standard encryption and security best practices.

The technologies around data protection are pretty straightforward. Encryption and key management are the fundamental compliance related controls required to protect non-public information (NPI) and personally identifiable information (PII) in financial services environments. Encryption can be deployed at the application or database level and allow organizations to provably meet compliance requirements for protecting data – both on premises and in the cloud.

What advice do you have when it comes to selecting and evaluating a FinTech vendor?

Security and compliance have to be top of mind. Businesses need to make sure that their FinTech is secure and that if it handles sensitive data, that it is protected with encryption and key management. Security needs to become an internal governance issue to be sure that solutions that are acquired and deployed or upgraded truly and provably meet compliance and industry standards.

Townsend Security is helping these organizations with Alliance Key Manager, our centralized encryption key management solution. We believe in compliance and standards and our key manager is FIPS 140-2 compliant, in use by over 3,000 customers worldwide, and is available as a hardware security module (HSM) or as a software appliance in VMware or the Cloud (AWS and Azure). Additionally, Alliance Key Manager has been validated to meet PCI DSS in VMware, giving businesses in the financial services industry a “compliance out of the box” solution.

To hear this interview in it’s entirety, download our podcast “Why Encryption is Critical to FinTech” and hear Patrick Townsend, founder and CEO of Townsend Security, further discuss encryption, key management, and meeting compliance requirements specific to financial services.

Why En

Topics: Encryption, FinTech

Trying to Outfox the Other - A Brief Look at Cryptography and Cryptanalysis

Posted by Ken Mafli on Mar 31, 2017 10:35:55 AM

 A few months ago I wrote a definitive guide to Cryptographic Key Management. In it I wrote a section: A Brief History - the Need for Encryption Key Management. I wanted to expand upon the Classical Era of cryptography a bit because the story of data security goes back for millennia, and the twists and turns of this story can be felt even today.

Introduction

eBook: Definitive Guide to Encryption Key ManagementThere has been a competition playing out through the centuries all the way from the highest corridors of power down to the shadiest back alleys. It is a struggle of those with a secret and those who want to uncover it. It is the story of cryptography and cryptanalysis.

As with every competition, each side is constantly trying to outfox the other. Peter Baofu described the competition this way, it is “the never ending cycle of replacing old broken designs” of cryptography and “new cryptanalytic techniques invented to crack the improved schemes.” In fact, “in order to create secure cryptography, you have to design against [all] possible cryptanalysis.” This means that both sides are in a never-ending arms race.

In his book, “The Future of Post-Human Mass Media,” Peter Baofu describes two main types of cryptanalysis: Classical and Modern Cryptanalysis. Let’s take a look at the Classical Period to see how this cat and mouse game has played out through the centuries:

The Classical Cat-and-Mouse Game

Classical Cryptography

One of the earliest forms of “secret writing” is the Substitution Cipher where each letter of the message is systematically replaced by another set of predetermined letters. In it’s most famous form, the Caesar Cipher, used by Julius Caesar himself (1st century, B.C.E):

“each letter in the plaintext is 'shifted' a certain number of places down the alphabet. For example, with a shift of 1, A would be replaced by B, B would become C, and so on.”

Another technique was Steganography, which literally means: “covered writing,” is the art of concealing a message in plain sight. Mehdi Khosrowpour recounts one of the first recorded instances (in the 5th century, B.C.E):

“Demaratus, a Greek who lived in Persia, smuggled a secret message to Sparta under the cover of wax.” It “ was to warn Sparta that Xerxes, the King of Persia, was planning an invasion ... by using his great naval fleet. He knew it would be very difficult to send the message to Sparta without it being intercepted. Hence, he came up with the idea of using a wax tablet to hide the secret message. In order to hide the secret message, he removed all the wax from the tablet, leaving only the wood underneath. He then wrote the secret message into the wood and recovered the tablet with the wax.”

Classical Cryptanalytic Response

While steganography is only hard to crack if you don’t uncover the message; substitution ciphers were meant to remain a secret even if the message fell into enemy hands. It remained a fairly reliable means of securing messages, so long as the cipher was not revealed.

All that changed with the first recorded technique of cryptanalysis: Frequency Analysis. This technique “can be traced back to the 9th-century [C.E.], when the Arabian polymath Abu Yusef Yaqub ibn Ishaq Al-Kindi (also known as ‘Alkindus’ in Europe), proposed in A Manuscript on Deciphering Cryptographic Messages.” It comes from the observation that certain letters appear more often than others in a given language (the letter “E,” for example, occurs most often in English). There also also common letter pairings (like “TH” in English).

So, in the case of the Caesar Cipher where the plaintext message is :

meet me at the theater

If each letter is shifted one letter in alphabet, it becomes:

nffu nf bu uif uifbufs

Frequency analysis would note that the most common letter in the ciphertext is “f” (which would suggest it is an “e”) and only letter pairing is “ui” (which would suggest the “u” is “t” and the “i” is “h”). If we replace these portions of the ciphertext we reveal:

_eet _e _t the the_te_

With these two facts of frequency analysis alone we have more than half the message deciphered. With a few logical leaps we could decipher the remaining the five letters. The simple substitution cipher was rendered useless.

The Classical Cryptography Counterattack

Polyalphabetic.jpg

Over the centuries other ciphers were introduced like the Polyalphabetic Substitution Cipher where a repeating, offset key is used to encrypt the plaintext (see picture, courtesy of the Library of Congress). First perfected by Johannes Trithemius in 1518 (although other variants existed beforehand), the person encoding the message would switch alphabets for each letter of the message.

So, “meet me” would now become: “lcbp gy,” a ciphertext that simple frequency analysis could not break since most of the letter and pairing statistics of a given language are not easily recognized.

Although, in time, this type of cryptography was broken by the likes of Charles Babbage using modular arithmetic, the existence of his cryptanalytic techniques remained a military secret for some years.

Final Thoughts

Fascinatingly, it was the use of math to break a cipher that led to our current arms race in data security. The use of math and algorithms to break cryptography means you need longer keys to encrypt the data and prevent a brute force attack; which, in turn, means you need faster computers to break the encryption; which, in turn, means you need longer keys; etc.

Unlike today, however, it took centuries to break a cipher back then. Now, it is just decades. From the Hebern Electric Super Code Cipher Machine in the 1920s, to the Enigma Machine of the 1930s and 40s, to the Data Encryption Standard (DES) of the 1970s and 80s, each seemed invincible until enhanced cryptanalytic techniques or greater computing power toppled it. Our current cryptography is reliable and secure, but quantum computers loom on the near horizon and their non-binary logic could brute force attack our current public key cryptography and make them insecure.

And so the arms race continues. Fortunately, NIST has already forecasted this threat and called for replacements to our current standards, well before it is a crisis.  

eBook: Definitive Guide to Encryption Key Management

Topics: Encryption

SQL Server Column Level Encryption

Posted by Patrick Townsend on Feb 28, 2017 9:11:00 AM

Microsoft customers attempting to meet security best practices, compliance regulations, and protection of organization’s digital assets turn to encryption of sensitive data in Microsoft SQL Server databases. The easiest way to encrypt data in SQL Server is through Transparent Data Encryption (TDE) which is a supported feature in SQL Server Enterprise Edition. For a variety of reasons, TDE may not be the optimal solution. Microsoft customers using SQL Server Standard, Web, and Express Editions do not have access to the TDE feature. And even when using SQL Server Enterprise Edition, TDE may not be the best choice for very large databases.

Encryption & Key Management for SQL Server - Definitive GuideLet’s look at some approaches to column level encryption in SQL Server. The following discussion assumes that you want to meet encryption key management best practices by storing encryption keys away from the protected data, and retain full and exclusive control of your encryption keys.

Column Level Encryption (aka Cell Level Encryption) 
Starting with the release of SQL Server 2008, all Enterprise editions of the database have supported the Extensible Key Management (EKM) architecture. The EKM architecture allows for two encryption options: Transparent Data Encryption (TDE) and Column Level Encryption (CLE). Cell Level Encryption is the term Microsoft uses for column level encryption. SQL Server Enterprise edition customers automatically have access to column level encryption through the EKM architecture.

Encryption Key Management solution providers can support both TDE and Column Level Encryption through their EKM Provider software. However, not all key management providers support both - some only support TDE encryption. If your key management vendor supports Cell Level Encryption this provides a path to column level encryption in SQL Server Enterprise editions.

Application Layer Encryption
Another approach to column level encryption that works well for SQL Server Standard, Web, and Express editions is to implement encryption and decryption at the application layer. This means that your application performs encryption on a column’s content before inserting or updating the database, and performs decryption on a column’s content after reading a value from the database. Almost all modern application languages support the industry standard AES encryption algorithm. Implementing encryption in languages such as C#, Java, Perl, Python, and other programming languages is now efficient and relatively painless.

The challenge that developers face when implementing encryption at the application layer is the proper protection of encryption keys. Security best practices and compliance regulations require a high level of protection of encryption keys. This is best accomplished through the use of an encryption key management system specifically designed to create, securely store, and manage strong encryption keys. For developers, the primary challenge in a SQL Server encryption project is integrating the application with the key manager. Many vendors of key management systems make this easier by providing Software Development Kits (SDKs) and sample code to help the developer accomplish this task easily.

SQL Views and Triggers with User Defined Functions (UDFs)
Another approach to column level encryption involves the use of SQL Views and Triggers. Leveraging the use of User Defined Functions (UDFs) the database administrator and application developer can implement column level encryption by creating SQL Views over existing tables, then implementing SQL Triggers to invoke user defined functions that retrieve encryption keys and perform encryption and decryption tasks. This approach has the advantage of minimizing the amount of application programming that is required, but does require analysis of the SQL database and the use of User Defined Functions. Database administrators and application developers may be able to leverage the SDKs provided by an encryption key management solution to make this process easier.

SQL Server Always Encrypted
One promising new technology recently implemented by Microsoft is SQL Server Always Encrypted. This feature is new with SQL Server 2016 and can work with any edition of SQL Server. It is a client-side architecture which means that column data is encrypted before it is sent to the database, and decrypted after it is retrieved from the database. While there are many constraints in how you can put and get data from SQL Server, it is a promising new technology that will help some customers protect data at the column level. You can expect to see support for Always Encrypted being announced by encryption key management vendors in the near future.

SQL Server in the Azure Cloud
As Microsoft customers and ISVs move to the Azure cloud they are taking their SQL Server applications with them. And it is very common that they take full implementations of SQL Server into their Azure virtual cloud instances. When SQL Server applications run in a virtual machine in Azure they support the same options for column level encryption as described above. This includes support for Cell Level Encryption through the EKM Provider architecture as well as application layer encryption. As in traditional IT infrastructure the challenge of encryption key management follows you into the Azure cloud. Azure customers should look to their encryption key management vendors to provide guidance on support for their key management solution and SDKs in Azure. Not all key management solutions run in Azure and Azure is not a supported platform for all vendor SDKs.

Azure SQL Database
In the Azure cloud Microsoft offers the SQL Server database as a cloud service. That is, Microsoft hosts the SQL Server database in the cloud and your applications can use this service rather than a full instance of SQL Server in your cloud instance. Unfortunately, Azure SQL Database only supports Transparent Data Encryption through the EKM Provider interface and does not yet support Cell Level Encryption. It also restricts encryption key management to only the Azure Key Vault facility requiring you to share key custody with Microsoft.

Column level encryption at the application layer is fully supported for Azure SQL Database. As in the traditional IT infrastructure your C#, Java, and other applications can encrypt and decrypt sensitive data above the database level. Again, check with your key management solution provider to insure that application level SDKs are supported in the Azure cloud.

AWS Cloud and SQL Server
The Amazon Web Service (AWS) implementation of cloud workloads parallels that of Microsoft Azure. You can deploy a full instance of SQL Server in an AWS EC2 instance and use the features of SQL Server as in traditional IT infrastructure. Amazon also overs a database service called Amazon Relational Database Service, or RDS. The RDS service offers multiple relational databases including SQL Server. As with Azure there is no support for key management solutions other than the Amazon Key Management Service (KMS) requiring a shared implementation of key custody.

As you can see there are many ways to implement column level encryption in SQL Server and use good encryption key management practices. I hope this helps you on our journey to more secure data in SQL Server.

Patrick

Encryption

Topics: Encryption, SQL Server, Cell Level Encryption

The Definitive Guide to AWS Encryption Key Management
 
Definitive Guide to VMware Encryption & Key Management
 

 

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all