Townsend Security Data Privacy Blog

Most encryption discussions start with my customers asking about the algorithms available. My usual response is "That's a great question. But talking about that now is like worrying about how to dispose of a bomb before disarming it." The point I'm trying to make is that effective encryption algorithms are required, but not sufficient. If you don't have robust, secure key management, encrypting data is a waste of resources regardless of the algorithm used. Therefore, the first place to begin any new encryption project is key management.

So what does a robust key management solution enable? Good key management systems have, in my mind, three functional, must have components:

1. Key generation and storage management,
2. Secure key distribution
3. Standards compliance

All of these need to be provided in a manner that provides tight control by a select few encryption key administrators who don't also have access to the encrypted data.

At first glance, key generation may seem relatively easy. Just generate a key of the appropriate length and store it somewhere. But that's only a piece of the problem. First, best practices says that no person should know the key and no one person should be able to generate a new key and put it into use.

Second, unlike military secrets on the battlefield, data encrypted today may need to stay protected for years or even decades. But the longer data remains encrypted with the same key, the higher the risk of that data being compromised. Best practices address this by implementing key rotation (i.e. generate a new key, unencrypt data encrypted with the old key, and re-encrypt with the new key).

The next important area for a good key management solution to address is key distribution. One aspect of key distribution is secure storage, retrieval and transmission of keys. Key management solutions must make it easy for approved application and system interfaces to work with unencrypted data while not exposing the keys to those interfaces or to any human users of the system. Good key management solutions typically use a hierarchy of keys (such as key encryption keys and data encryption keys) to help enable this function.

Another aspect of key distribution is authorization. While operating systems can be used to specify which people are allowed to access data in a database, they do not provide mechanisms to indicate whether encrypted fields in the database should be decrypted or not. Consider a scenario where Joe has access to the CUSTMST database because he runs a specific application. Joe's job does not require him to access customer credit card information, which is encrypted. The application does not show Joe this information so it isn't a problem from that point of view. But what if Joe uses DBU or ODBC to access the database? Good encryption solutions allow an administrator to indicate if Joe is allowed to view decrypted data and will enforce the decision of the administrator by not decrypting information for the user JOE (or Joe user? :-) ).

Of huge importance for good key management solutions is government and industry standards compliance. Any key management solution worth their salt will be compliant with any standards that affect your organization. While uncertified solutions may be compliant, there is no way to tell if they haven't been certified by an appropriate third-party as compliant.

I recently collaborated with Patrick Townsend of Townsend Security on a white paper discussing the topic of encryption standards compliance on the IBM i. You can download a copy of it here.

Finally, good key management solutions provide the functionality discussed above in an easy to use package. What does "easy to use mean?" It means that business logic programmers and system administrators are not forced to become crypto experts or to learn the internals of the key management solution in order to efficiently and effectively implement encryption in your organization.

So when you begin your quest to implement encryption on your system, start by looking for the qualities of good encryption key management described here. Only after you find one should you begin to worry about the technical details associated with the encryption algorithms supported by that solution.

About the Author
Patrick Botz is the President and CTO of Botz & Associates. Patrick’s expertise includes security strategy, security policy enforcement, password management and single sign-on (SSO), industry and government compliance, and biometrics.

Previously as Lead Security Architect at IBM and founder of the IBM Lab Services security consulting team, Patrick achieved intimate knowledge of system security capabilities and pitfalls on a broad spectrum of platforms, with special emphasis on IBM i (formerly AS/400), AIX, Linux and UNIX operating systems.

Townsend Security, an industry leader in data security and encryption key management, will be exhibiting at the PASS Summit in Charlotte, North Carolina this year on October 15-18. We will feature our FIPS 140-2 compliant encryption key management hardware security module (HSM), along with our new hosting option for managing your encryption keys in the cloud.

Will you be attending PASS this year? The Professional Association of SQL Server (PASS) hosts this summit every year and is the largest conference for SQL users and professionals worldwide. Look for us in booth #322 to learn more about how easy encryption and encryption key management can be with your SQL Server. Whether you are using a legacy version of SQL Server or SQL Server 2012 with Transparent Data Encryption (TDE) and Extensible Key Management (EKM), Alliance Key Manager can manage your encryption keys.

How Alliance Key Manager for SQL Server protects your data:

• Automation of all key management tasks including rotation, retrieval, and generation in a central location
• Uses Microsoft’s Extensible Key Management (EKM) interface to support Transparent Data Encryption (TDE) on SQL Server 2008/2012
• Works with all versions of SQL Server

Key Management Hosted in the Cloud
Townsend Security's new Alliance Key Manager Hosted HSM solution allows customers to own a dedicated key manager HSM in a hosted environment consisting. The solutions consists of a production and high availability (HA) HSM in geographically dispersed data centers under an ITIL-based control environment independently validated for compliance against PCI DSS and SOC frameworks. Unlike other hosted encryption key management offerings, only the customer has administrative and security access to the HSMs.

Encrypting Data in Microsoft SharePoint
Since Microsoft SharePoint runs on top of a SQL Server environment, protecting data in SharePoint is easier than ever. Many SQL administrators are fearful that their users are storing sensitive, unencrypted data in SharePoint, and they rightly should be. Alliance Key Manager for SQL Server can help to secure this data.

Encryption Key Management for SQL Server Enterprise Edition
Alliance Key Manager for SQL Server integrates seamlessly with TDE and EKM technologies to enable automatic encryption in SQL Server 2008/2012 Enterprise Edition and above. Additionally, Alliance Key Manager for SQL Server supports cell level encryption, which allows database administrators to select the columns they wish to encrypt in a database - a benefit for many administrators with larger databases.

Encryption Key Management for SQL Server 2005
Many SQL users are still running earlier editions of SQL Server that don’t support EKM & TDE. However, running older versions of SQL Server does not limit your ability to encrypt data and manage encryption keys! Townsend Security supports cell level encryption for SQL Server 2005.

Multi-Platform Environments
Alliance Key Manager isn’t exclusive to the Microsoft SQL suite. In fact, our key management server integrates easily into complex, multi platform environments with many types of databases, operating systems, and programming languages. Our encryption key manager can protect data on the IBM i (AS/400), DB2, Oracle, Linux, Windows, and in the cloud.

To learn more, download our white paper "Encryption Key Management for Microsoft SQL Server 2008/2012."

Patrick Botz, founder of Botz and Associates and former Lead Security Architect at IBM, recently published a White Paper in conjunction with Townsend Security discussing dual control, split knowledge, and separation of duties--three critical controls needed to protect encryption keys and encrypted data on the IBM i platform. These controls are considered “best practices” in the IT industry, and it is common knowledge amongst security professionals that without these controls in place, any organization could be at risk for a major data breach.

Just like financial controls that are put in place to prevent fraud in a business, these concepts are used in IT security to prevent data loss. As data breaches are reported in the news almost every day, we can easily see the consequences of data loss: public scrutiny, hefty fines, lost business, and litigation are just a few of the ramifications. Implementing these controls reduces the potential for fraud or malfeasance caused by the mishandling of data or a data loss event due to hackers, employee mistakes, or stolen or lost hardware.

In this white paper Patrick Botz outlines the importance of these three controls and explains why they must be used to protect data stored in IBM i databases. Botz discusses on-board master key capabilities provided by the IBM Cryptographic Services APIs on an IBM i, the limitations of the IBM i Master Key Facility, and why organizations should use third-party key management to protect their sensitive data.

The top 3 critical best practices are:

Separation of Duties - This is widely known control set in place to prevent fraud and other mishandling of information. Separation of duties means that different people control different procedures so that no one person controls multiple procedures. When it comes to encryption key management, the person the person who manages encryption keys should not be the same person who has access to the encrypted data.

Dual Control - Dual control means that at least two or more people control a single process. In encryption key management, this means at least two people should be needed to authenticate the access of an encryption key, so that no one single person has access to an encryption key

Split Knowledge - Split knowledge prevents any one person from knowing the complete value of an encryption key or passcode. Two or more people should know parts of the value, and all must be present to create or re-create the encryption key or passcode. While split knowledge is not needed to create data encryption keys on the IBM i, it is needed for the generation of master keys which are needed to protect data encryption keys. Any encryption keys that are accessed or handled in the clear in any way should be protected using split knowledge.

The three core controls should always be used when storing or transferring encrypted sensitive data. A certified, hardened security module (HSM) designed to secure data encryption keys and key, or master, encryption keys should implement these controls into the administration of the key manager. NIST FIPS 140-2 validation is an important certification to look for in an encryption key manager. This certification ensures that your key manager has been tested against government standards and will stand up to scrutiny in the event of a breach.

Automatic Encryption on V7R1
With the release of IBM i V7R1, users can now encrypt data automatically with no application changes. This is great news for IBM i users since encryption has been a difficult task in the past, needing specialized encryption solutions for earlier versions of IBM i. Protecting your encryption keys in a an external key management HSM is the critical next step to protecting your encrypted data.

To learn more about encryption key management for the IBM i download the full White Paper “Encryption Key Management for IBM i - Sources of Audit Failures,” by IBM i security experts Patrick Botz and Patrick Townsend.

In light of the public revelations about the NSA’s attempt to weaken encryption standards including the random number generation standard named Dual_EC_DRBG (NIST Special Publication 800-90), and the recommendation by RSA Security to their customers to avoid using this algorithm, it is natural that our customers would ask if we are using this technology in our products.

I can confirm that we are NOT using this algorithm in any of our security products including our flagship enterprise key management solution, Alliance Key Manager. Further, the secure TLS connections for key retrieval and encryption services only allow 2048-bit RSA encryption. We do not allow the negotiation of other, potentially weak, connection methods. We implement strong cryptography in our solutions, we maintain all of the source code for our applications, our source code is independently reviewed by security professionals and cryptographers, and our solution is FIPS 140-2 validated by a NIST-certified testing laboratory. There are no known weaknesses in our encryption and key management applications and processes.

I am encouraged that NIST has opened a public review of the Dual_EC_DRBG standard and am fully confident that they will resolve any security issues that exist in the standard using an open, public review process.

I have full confidence in the security professionals at NIST. I have watched their work over many years, benefited from their guidance and diligence in the area of security, and consider them to be some of the most honorable, intelligent, and hard working members of the security community. We owe them the chance to do what they do best - review the standards, bring the best minds to the process, and publish credible and defensible standards.

Patrick

Just because data is encrypted, doesn’t necessarily mean it is safe...

What do business executives need to know about encryption key management best practices? As it turns out, CEOs don’t need to know every tiny detail about encryption and the tools used to protect encryption keys, but they do need to know enough to protect their business and mitigate major risks.

Just like financial and legal best practices that business executives are tuned in to and monitor weekly, if not daily, business leaders need to have a heightened awareness of how their IT departments are handling both their own and their customers’ sensitive data. Sensitive data such as credit card information, social security numbers, protected health information (PHI), and other personally identifiable information (PII) such as names, addresses, email addresses, and passwords needs to be protected as mandated by industry regulations and many state laws. Unencrypted data or encrypted data with poorly protected encryption keys is a ticking time bomb that could lead to a major data breach.

I recently sat down with Patrick Townsend, Founder and CEO, to discuss the critical security risks executives face, how to start a conversation on data security with your IT team, and the encryption and key management best practices that will save your company from a data breach.

Patrick Townsend explains the importance of protecting encryption keys:

“Executives need to know that A.) they might not be encrypting the data that they need to, and B.) if they are encrypting that data, they might not be protecting their encryption keys, which are the core secret that have to be protected the right way. When you leave the house in the morning and you lock your door, you don’t tape the key right next to the lock. Your house key would be easy to find when you come home, but we all know that’s a bad practice. In a similar way, a lot of organizations are not implementing best practices around protecting encryption keys and are putting their business at risk.”

The major risks associated with unencrypted or poorly encrypted data are these:

• A data breach is no longer a matter of “if,” but, “when”
• The average cost of a data breach is $5.4 million, according to the Ponemon Institute
• This cost typically is a culmination of fines, lost customers, brand damage, credit monitoring, and litigation

How does an organization properly encrypt their sensitive data?  They need to follow best practices such as deploying AES encryption and NIST FIPS 140-2 compliant key management, as well as important practices such as separation of duties, split knowledge, and dual control.

Encryption key management best practices will:

• Provide you with strong encryption
• Provide you with powerful, defensible encryption key management
• Protect your business in the event of a data breach
• Put you in compliance with industry and state regulations
• Give you peace of mind

To learn more about the business risks of data security, download our free eBook "Turning a Blind Eye to Data Security: Mending the Breakdown of Communication Between CEOs and CIOs" and learn about the business risks associated with unprotected sensitive data, tools and resources to begin the discussion about data security in your company, and actionable steps you can take today.

“Encryption and key management can’t become endemic the way it needs to be without being easy and affordable. That’s a fundamental fact.” - Patrick Townsend, Founder & CEO of Townsend Security

Every day securing sensitive data becomes more and more important. With sensitive information being entered into databases, and many databases moving to the cloud, the risks associated with unprotected data increase exponentially. Data such as credit card information, social security numbers, financial information, and protected health information (PHI) gets dumped into internal IT networks as well as the the stratosphere of the cloud. Without adequate data security tools, businesses are sitting ducks when it comes to data loss.

Unfortunately for a lot of organizations, the security tools their IT departments have deemed “adequate” are mostly firewalls and other access prevention mechanisms. Today, however, it is widely acknowledged by security professionals that these mechanisms are easily breached by hackers. In fact, many data breaches are simply caused by employees mishandling data. Because firewalls don’t keep data secure, industry regulators such as the Payment Card Industry Security Standards Council and HIPAA/HITECH Act mandate or strongly recommended organizations use strong encryption and encryption key management to secure the data itself. If encrypted data is compromised, but the encryption keys are securely protected, then the data remains unreadable.

Recently Joan Ross, security expert, published a White Paper outlining critical encryption key management principles that will help organizations overcome one of the biggest barriers to implementing a strong encryption key management solution: The need for a solution that is affordable and quick to deploy.

Time, money, compatibility, and hidden costs are issues every business struggles with. Almost every single successful, new innovative technology these days is designed to help individuals or businesses reduce time, save money, and increase compatibility between devices--unfortunately, the hidden costs sometimes persist. You see simplification driving down costs with tools such as virtualization and cloud computing, for example. These technologies are so effective at helping businesses reduce costs that more and more people are using them every day.

However, as businesses move more and more data into virtualized and cloud platforms, securing that data becomes even more difficult due to the inherent complexities of these environments. As this happens it’s important to remember that data security shouldn’t fall to the wayside.

With over 25 years in the data security industry, Ross addresses in her White Paper the issues of affordability and hidden costs in effective encryption key management systems. When choosing a key management vendor, Ross reiterates that hidden costs can quickly add up, resulting in a solution that that becomes too exorbitant to execute. Transparency, she urges, is critical to a successful relationship with a key management vendor. Achieving affordability and transparency is possible today because there are vendors today who want to work with customers--and who believe that cost should not be a barrier to good data security.

In Joan’s words: “Data security has come a long way within just the past few years.  Organizations no longer have to continue to maintain current patchwork methods because there are no available, cost-effective, or interoperable solutions that easily solve their problems.  Encryption and encryption key management are now industry standards and work across both legacy and newer business systems, multi-platform and multi-tenant networks, remote access workstations, geographical offices, data centers, and third-party business partners.”

Download the White Paper "Industry Must Haves for Effective Encryption Key Management" to learn more about must-haves in an encryption key manager and how to ensure your data is fully protected.

More than any other industry, it is surprising that the gaming industry struggles with protecting customer credit card information. For businesses that deal in money, you’d think that protecting this asset would be their number one concern. However, just like every other industry, some casinos still lack many proper controls such as encryption and encryption key management to keep customer card data safe.

The truth is, there are so many credit and debit card transaction points from the moment a customer walks into a casino. At every single point a customer swipes their card, that card information needs to be encrypted. This isn’t just a best practices--credit card encryption is mandated by the Payment Card Industry Security Standards Council (PCI-SSC). This means that at any point during any transaction, credit card numbers should never be transferred, processed, or stored “in the clear.” PCI also sets regulations around how businesses handling credit card data should manage encryption keys.

Even though encryption key management is required by PCI, not every business manages their encryption keys, and if they do, not every business does it right. Just like in the financial world, there are several critical encryption key management “best practices” that should be put in use in order to manage encryption keys in the most secure way possible. The number one risk associated with not following best practices is data loss. A data breach of credit card numbers can be devastating, especially if your business relies on customer loyalty.

Whether you’re a casino, gaming vendor, or gaming ISV providing card processing applications to casinos, always look for an encryption key management solution with these 3 features:

• Follows Best Practices - Your encryption key management vendor should have best practices integrated into their solution in order to guarantee your success. Best practices include having certified solutions, using industry standard encryption, and implementing controls such as dual control and separation of duties.
• World Class Support - When protecting critical customer data, your reputation is only as good as your encryption key management vendor’s reputation for providing solid products and world class support. Choose a vendor that has a reputation for helping customers.
• World Class Partner - If you’re a gaming ISV that sells applications that handle credit card data inside casino IT networks, you should be offering your customers encryption key management to protect that data. Choosing an encryption key management partner is a big decision, and you should look for one with a powerful solution that will grow with you and is focused on your success.

The gaming industry isn’t exempt from needing to protect sensitive data, although it is sometimes the industry that flies under the radar and has some of the biggest issues around data security. As we have seen, data breaches "are not a matter of if, but when."  Encryption key management is fundamental to protecting yourself from a data breach. By protecting yourself from a breach, you in turn will in turn maintain your customers' loyalty to your casino - because who wants to play at a casino who gambled with their personal information and lost.

Even though technology has evolved to reduce cost and complexity in our IT infrastructure through virtualization and cloud computing, these technologies have also introduced new concerns and complications around data security. The main reason security and IT professionals are so concerned about virtualization and the cloud is that these environments share resources. In a virtualized environment, a single application will share resources with every other application including RAM, disk storage, memory, and CPU. In a cloud environment, these same resources are shared amongst multiple users.

A fundamental fact to acknowledge if you’re using virtualized, hosted, or cloud services is that the companies who provide these services are not required to protect your data. In fact, you should never assume that they are doing just that. When it comes to meeting compliance regulations such as PCI, HIPAA/HITECH, or GLBA/FFIEC, the burden of compliance falls upon individual companies and organizations. If organizations want meet compliance and protect their data from a data breach, they need a powerful, certified, and industry standard data protection strategy.

When it comes to protecting sensitive data such as credit card information, social security numbers, protected health information (PHI), and other personally identifiable information (PII), it is a recognized fact that only using network security protocols such as firewalls and strong passwords is not enough to protect data from outside intruders. The Payment Card Industry Security Standards Council (PCI-SSC) knows this, which is why they require the use of strong encryption and encryption key management to protect credit card data.

Once you realize this, then you should also consider your options when choosing an encryption key manager. An encryption key manager will generate and protect your encryption keys and should include these five critical features:

1. Certifications. Is the encryption key manager NIST FIPS 140-2 validated? The National Institute of Standards and Technology (NIST) is governmental organization that sets the highest standard for encryption and encryption key management. A FIPS 140-2 level compliance means that your key manager has been heavily tested and will stand up to scrutiny in the event of a data breach.
2. Virtualization and Cloud Compatibility. Even if you haven’t moved to virtualized environments or the cloud, it is very likely that someday you’ll consider these options. You want to choose an encryption key manager that can securely protect your encryption keys “in-house,” and will move with you to virtualized environments or the cloud when you’re ready.
3. A Key Manager that Uses Best Practices. Encryption key management best practices are not outrightly required by many compliance regulations, but they are critical to a successful data security strategy. Protocols such as dual control and separation of duties should be implemented in your encryption key manager as a part of its operability. This is the only way to truly protect data and protect yourself in the event of a data breach.
4. Easy to Deploy. Encryption and key management has a reputation for being incredibly difficult. That may have been true ten years ago, but today encryption key management can be easy to deploy in your organization, depending on your provider. Keep in mind your vendor’s ability to deploy key management in multi-platform environments, in your own IT infrastructure as well as cloud and virtualized environments, if it’s easy enough to install and deploy yourself, and if your key management vendor provides supplemental code and encryption libraries free of charge.
5. World Class Technical Support. Choosing an encryption key manager and deploying it is a big decision. Choose a key manager with a reputation for amazing technical support.

Townsend Security’s Alliance Key Manager for VMware now supports VMware and vCloud.

2 Ways Alliance Key Manager Encrypts MySQL Database and Protects Encryption Keys

MySQL is the most popular open source relational database system and is in wide use in commercial and non-commercial environments. It is natural that developers and security professionals want to know how to encrypt sensitive information stored in MySQL databases.

While MySQL does not implement a Transparent Data Encryption (TDE) solution like Microsoft SQL Server and Oracle Database, you still have options to get the data protected with strong encryption and use a defensible encryption key management strategy.

With a strong encryption key management solution you can encrypt data in two ways in MySQL databases to meet compliance regulations for proper encryption key management:

1. Column Level Encryption:

Alliance Key Manager provides shared libraries for Windows and Linux that provide the technical support for SQL Views and Triggers with User Defined Functions (UDFs). Using these shared libraries lets the developer fully automate the encryption tasks without changes to application code. Alliance Key Manager provides an example of how to do this in a Windows Server operating system context.

2. Encryption in Application Code

Second, Alliance Key Manager provides many shared libraries and application code examples if you need to implement encryption in your applications. The extensive library of code examples include Java, PHP, Ruby, Python, Perl, C/C++, C#, VBNET and others. You can encrypt data in your applications, or send the data to the key server for on-device encryption. The on-device encryption option is a favorite of web developers who don’t want to expose encryption keys in their web server application.

About Alliance Key Manager

Alliance Key Manager is a NIST validated, FIPS 140-2 compliant solution that meets PCI DSS and other compliance regulations for protecting encryption keys. You can deploy the key server as an HSM in your own data center or in our hosting center, or as a VMware instance, or as a cloud application running in PCI DSS certified infrastructure. Alliance Key Manager is available with a number of licensing options that will meet the budget constraints of any organization.