Townsend Security Data Privacy Blog

Encryption Key Management for VMware’s vCloud

Posted by Liz Townsend on Aug 1, 2013 9:57:00 AM

Three questions to ask yourself when choosing encryption key management for vCloud

Businesses are moving more and more data to the cloud, and in our world, more data floating around in the cloud means more concern about securing sensitive data. It is no surprise to anyone that a single business can process millions of pieces of sensitive data every day. From credit card numbers to social security numbers and protected health information (PHI), retail, financial, and healthcare organizations are processing this data in greater numbers than ever before.

Storing data in the cloud is one way businesses are conserving resources. Another way they are doing this is with platform virtualization. VMware is one of the most popular and widely used virtualization solutions currently used by enterprises. Alongside their virtualization software, VMware also supports the vCloud architecture that allows users to seamlessly move their workloads to a hosting or cloud vendor that supports this architecture.

Securing data in a virtualized environment introduces new security concerns, simply by the fact that applications processing sensitive data share resources such as memory, disk storage, and central processing units (CPU) with other applications on a physical machine. If a business decides to move their data to vCloud, this introduces even more concerns around the fact that a cloud environment shares these resources with other people and businesses as well.

Security professionals agree that security should be the number one concern for businesses moving data to the cloud. No one should ever assume that their cloud provider is protecting their data, especially if you need to meet compliance regulations such as PCI-DSS, GLBA/FFIEC, or HIPAA/HITECH. The only way to protect sensitive data in the cloud is by implementing a data security plan that includes strong encryption and encryption key management.

Townsend Security recently released Alliance Key Manager for VMware. This encryption key management solution is identical to our FIPS 140-2 compliant Alliance Key Manager hardware security module (HSM) for database encryption and is compatible with vCloud architecture to provide powerful data security for data in the cloud. This versatile instance of our encryption key manager works with any cloud or hosting provider that supports VMware vCloud architecture.

When choosing a third-party encryption key management provider to secure your data in vCloud, it is important to ask yourself these three questions:

1. Is it cost effective?
Businesses are looking towards simplified and scalable data storage solutions to reduce cost and conserve resources. Virtualization and cloud services serve businesses by providing cost-effective options for data storage and processing. Your encryption and key management should not thwart your goals to reduce cost and complexity in your business. You need solutions that will scale with your transition to virtualization and the cloud and that will work seamlessly in these environments. One of our fundamental beliefs is that budget should not be a barrier to good data security!

2. Will your encryption key management move with you to the cloud?
Not all businesses have moved to the cloud. However, as the cloud becomes more and more prevalent as well as cost effective, it’s important to keep in mind that you might decide to migrate to the cloud in the future. This migration can either be relatively simple or a huge headache depending on how cloud-compatible your software and hardware providers are. Choosing sophisticated solutions that are prepared to move with you to the cloud and will provide you with thorough technical support is critical to your success.

3. Will your key management prepare you for a breach?
In today’s data climate, a data breach for most businesses is no longer a matter of “if,” but, “when.” The only way to secure a breach, prevent data loss, and avoid data breach notification is by using strong, industry standard, and certified encryption and encryption key management. You’ll want your encryption key management solution to implement key management best practices that go above and beyond industry certifications. Certifications are often a low bar in data security, and implementing best practices will increase your security posture tremendously. Your encryption key management should be NIST FIPS 140-2 compliant if you want your data security to stand up to scrutiny in the event of a breach.

To learn more about enterprise key management for VMware and vCloud, download our podcast "Virtualized Encryption Key Management."


Topics: Encryption Key Management, VMware, Virtualized Encryption Key Management

Simplified Encryption Key Management in Virtual Environments

Posted by Liz Townsend on Jul 22, 2013 2:38:00 PM

Businesses are virtualizing their IT infrastructure to save time, money, and manage many other resources that often go unused in IT environments. Virtualization of data centers evolved from the basic principles of resource sharing used in hosting and cloud environments. Virtualization enables businesses to have more efficient data center operations. With multiple operating systems running on a single server, multiple applications can also run on that server which in the long run allows a company to reduce the number of servers that they run and maintain. 


However, virtualization introduces new security concerns for companies that must protect sensitive data. Because virtualization allows businesses to run multiple applications on the same server, the encryption of sensitive data must work in conjunction with the virtualization platform. For businesses such as retailers and banks who run payment and financial applications on virtualized operating systems, they must encrypt sensitive credit card and financial information on their virtualized platforms, which requires a specialized third-party security solution.

Previously, companies would encrypt data on a server by server basis, using a single key management server to securely provide encryption keys to multiple servers on the network. The new infrastructure that virtualization brings into play, however, requires a different approach to encryption key management. New security concerns such as shared disk storage, network infrastructure, and processing CPU components need to be addressed.

Townsend Security has addressed the concerns in a new version of our encryption key manager, Alliance Key Manager for VMware. Alliance Key Manager for VMware is a NIST and Payment Card Industry (PCI) compliant virtual instance, identical to our original Alliance Key Manager hardware security module (HSM) that is in use by over 3,000 customers worldwide.

Simplified and Cost Effective Data Security

If you’re trying to reduce costs by moving to virtualized environments, implementing powerful data security that helps you meet compliance regulations doesn’t have to negate those efforts. Just like you choose virtualization to reduce costs in the long run, you can choose an encryption and key management solution that does the same, at a lower upfront cost. Townsend Security’s Alliance Key Manager for VMware is a specialized version of our key manager that allows you to encrypt data and securely manage encryption keys in a virtualized environment.

Alliance Key Manager for VMware manages encryption keys throughout the key lifecycle from the generation of those keys to their activation and use all the way through to retirement and deletion of keys.

Meet Compliance Regulations

By themselves, applications running VMware aren’t PCI compliant. Companies using VMware to reduce costs and consolidate their IT infrastructure still need to take responsibility for their own PCI compliance. Thankfully, VMware has made achieving PCI compliance through third-party security solutions easy with open architecture and standard APIs. VMware also recognizes the need for security in virtualized environments and has gone so far as to team up with CoalFire, a QSA auditing firm, to publish guidelines for achieving PCI compliance in a virtual environment.

Many people believe that their hosting company is protecting their sensitive data. In actuality, it is never safe to assume your hosting company is doing this. Individuals and companies are responsible for protecting their own sensitive data. If you’re hosting in a virtualized environment, there are some hosting companies who have passed an infrastructure certification for compliance regulations, but they are few and far between. In order to achieve compliance, businesses must review PCI standards and implement data security controls such as encryption and key management.

Alliance Key Manager for VMware works in vCloud as well as any hosted environment that supports vCloud. If you are moving your virtualized environment to the cloud, Alliance Key Manager for VMware will support this migration and can provide you with powerful encryption key management for the cloud.

Podcast: Virtualized Encryption Key Management

Topics: Encryption Key Management, VMware, Virtualized Encryption Key Management

What is Encryption Key Management?

Posted by Victor Oprescu on Jul 15, 2013 2:46:00 PM

Key Lifecycle & Rotation Explained

Encryption key management refers to the ability of a system to administer an encryption key through the length of its crypto-cycle. From the creation of a key, through its use, and eventually to its deletion, an encryption key management system needs to be able to securely and efficiently handle the encryption keys. I will talk a little about each major part of the encryption key lifecycle and how our Alliance Key Manager manages and administers the key throughout the lifecycle.


Key Creation: First, the encryption key is created and stored on the key manager server. The key can be created by a sole administrator or through dual control by two administrators. Townsend Security’s Alliance Key Manager creates the AES key through the use of a cryptographically secure random bit generator and stores the key, along with all its attributes, into the key database (which is also encrypted). The attributes stored with the key include its name, activation date, size, instance, the ability for the key to be deleted, as well as its rollover, mirroring, and key access attributes. The key can be activated upon its creation or set to be activated automatically or manually at a later time. Alliance Key Manager can also create keys of three different sizes: 128, 192, or 256-bit. The encryption key manager also tracks current and past instances, or versions, of the encryption key. You can also choose whether or not the key can be deleted, mirrored to a failover unit, and by which users or groups it can be accessed. Alliance Key Manager also allows the change of many of the key’s attributes at any time.

Key Use and Roll: Alliance Key Manager will allow an activated key to be retrieved by authorized systems and users for encryption or decryption processes. It also manages current and past instances of the key. For example, if a key is rolled every year and the version is updated, then the key manager will retain previous versions of the key but will dispense only the current instance for encryption processes. Previous versions can still be retrieved in order to decrypt data encrypted with such versions of the key. Alliance Key Manager also uses transport layer security (TLS) connections to securely deliver the encryption key to the system and user requesting it, which prevents the key from being compromised. The encryption key manager will also roll the key either through a previously established schedule or manually by an administrator.

Key Revocation: An administrator can use Alliance Key Manager to revoke or deactivate a key so that it is no longer used for encryption requests. In certain cases the key can continue to be used to decrypt data previously encrypted with it, like old backups, but even that can be restricted. A revoked key can, if needed, be reactivated by an administrator, although this would be more an exception to the rule than common practice.

Key Deletion: If a key is no longer in use or if it has somehow been compromised, an administrator can choose to delete the key entirely from the key database of the encryption key manager. Alliance Key Manager will remove it and all its instances, or just certain instances, completely and make the recovery of that key impossible (other than through a backup). This is also an option if sensitive data is compromised in its encrypted state. If the key is deleted, the compromised data will be completely secure since it would be impossible to recreate the encryption key for that data.
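The lifecycle described above, modeled as a small in-memory key store. This is an added illustration, not Alliance Key Manager code or its API: the class and method names are hypothetical, and the rule that the current instance cannot be deleted on its own is an assumption made to keep the model consistent.

```python
import secrets
from dataclasses import dataclass, field
from enum import Enum


class KeyPolicyError(Exception):
    """A request conflicts with the key's lifecycle state or attributes."""


class State(Enum):
    PENDING = "pending"   # created but not yet activated
    ACTIVE = "active"     # current instance encrypts; every instance decrypts
    REVOKED = "revoked"   # no encryption; decryption only if still permitted


@dataclass
class ManagedKey:
    name: str
    size_bits: int
    deletable: bool
    state: State = State.PENDING
    decrypt_when_revoked: bool = True
    current: int = 0                               # newest instance number
    instances: dict = field(default_factory=dict)  # instance -> key bytes


class KeyManager:
    SIZES = (128, 192, 256)  # the three AES key sizes named in the post

    def __init__(self):
        self._db = {}

    def _get(self, name):
        if name not in self._db:
            raise KeyPolicyError(f"no such key: {name}")
        return self._db[name]

    def _add_instance(self, key):
        key.current += 1
        # secrets draws from the operating system's CSPRNG
        key.instances[key.current] = secrets.token_bytes(key.size_bits // 8)

    def create(self, name, size_bits=256, activate=True, deletable=True):
        if size_bits not in self.SIZES:
            raise KeyPolicyError(f"unsupported key size: {size_bits}")
        if name in self._db:
            raise KeyPolicyError(f"key already exists: {name}")
        key = ManagedKey(name, size_bits, deletable)
        self._add_instance(key)
        key.state = State.ACTIVE if activate else State.PENDING
        self._db[name] = key

    def activate(self, name):
        # Also used to reactivate a revoked key.
        self._get(name).state = State.ACTIVE

    def roll(self, name):
        key = self._get(name)
        if key.state is not State.ACTIVE:
            raise KeyPolicyError("only an active key can be rolled")
        self._add_instance(key)
        return key.current

    def key_for_encrypt(self, name):
        # Only the current instance is ever dispensed for encryption.
        key = self._get(name)
        if key.state is not State.ACTIVE:
            raise KeyPolicyError(f"{name} is {key.state.value}; encryption refused")
        return key.current, key.instances[key.current]

    def key_for_decrypt(self, name, instance):
        # Past instances stay retrievable so older ciphertext can be read.
        key = self._get(name)
        if key.state is State.PENDING:
            raise KeyPolicyError(f"{name} has not been activated")
        if key.state is State.REVOKED and not key.decrypt_when_revoked:
            raise KeyPolicyError(f"{name} is revoked; decryption refused")
        if instance not in key.instances:
            raise KeyPolicyError("instance deleted or never issued")
        return key.instances[instance]

    def revoke(self, name, allow_decrypt=True):
        key = self._get(name)
        key.state = State.REVOKED
        key.decrypt_when_revoked = allow_decrypt

    def delete(self, name, instance=None):
        key = self._get(name)
        if not key.deletable:
            raise KeyPolicyError(f"{name} is marked as not deletable")
        if instance is None:
            del self._db[name]              # the key and all its instances
        elif instance == key.current:
            # Assumption of this model, not a documented product rule.
            raise KeyPolicyError("delete the whole key to remove its current instance")
        elif key.instances.pop(instance, None) is None:
            raise KeyPolicyError("instance deleted or never issued")


if __name__ == "__main__":
    km = KeyManager()
    km.create("cards")
    first, _ = km.key_for_encrypt("cards")
    print("encrypting with instance", first, "then", km.roll("cards"), "after roll")
```

Ciphertext has to record the instance number it was encrypted under, since that is what `key_for_decrypt` needs after a roll.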

To learn more about encryption key management, download our ebook, "Encryption Key Management Simplified."


Topics: Alliance Key Manager, Key Management, eBook, Encryption Key Management

How Do You Plan to Overcome Critical Security Issues?

Posted by Michelle Larson on Jul 10, 2013 10:55:00 AM

Four steps to better encryption key management in the retail environment

When the PCI Security Standards Council released the Payment Application Data Security Standard (PA-DSS) in 2008, the security of payment applications took a big leap forward. Today, all retail ISVs providing payment applications must certify their products with PA-DSS (which requires encryption and encryption key management for applications that process credit card data). Merchants expect this level of certification in payment applications they use, and their customers expect personal information to be secured.

Yet time and time again we see news reports about retailers experiencing data breaches through their payment application software. These breaches tell us that PA-DSS certifications alone don’t always equal good security.  

Here are four steps you can take on the road to better security:

1 ) Be Aware of Security Issues

In the rush to meet PA-DSS requirements for credit card encryption, many payment applications incorporated just enough technology to pass the certification requirements around encryption of sensitive data, but not enough to stay current with encryption key management best practices.

Do your payment applications incorporate critical components of encryption key management including:

  • Tested and certified encryption key generation techniques
  • Physical and logical protection of data encryption keys (DEK)
  • Protection of data encryption keys by key encryption keys (KEK)
  • Proper management of the life-cycle of encryption keys
  • Certification of key management solutions to international standards such as NIST, FIPS 140-2, and KMIP

2) Use Security Best Practices

In order to protect customers from data breaches and prepare for evolving compliance requirements, retail ISVs should strive to meet these encryption and key management best practices:

  • Use Strong Encryption
    The Advanced Encryption Standard (AES) is the standard when it comes to data encryption. AES has been adopted as a standard by the US government and is the recommended encryption method for PCI, HIPAA/HITECH, GLBA and individual state privacy regulations.
  • Use Key Management Best Practices
    Your encryption is only as good as how well you protect the encryption keys. Encryption keys should be secured away from the encrypted data using an external piece of hardware such as a hardware security module (HSM).
  • Use Certified Solutions
    Always use NIST validated AES encryption and FIPS 140-2 certified encryption key management. These certifications ensure that their key management has been tested by a third-party against government standards and will stand up to scrutiny in the event of a breach.

3) Pick Your Partners Wisely

Townsend Security has redefined what it means to partner with a security company:

  • With our NIST validated and FIPS 140-2 certified encryption and encryption key management solutions, retail ISVs can offer their customers easy, affordable, and powerful data security.
  • Our dedicated team provides our partners with extensive training, back end support, marketing materials, and a cost effective licensing model. You focus on what you do best, and we’ll help you turn encryption and encryption key management into a revenue generating option to help build your business and protect your valued customers.
  • We have more than 20 years of experience supplying encryption and key management solutions to over 3,000 companies worldwide.
  • We help our customers achieve data privacy compliance at an affordable price and with a personalized touch.

4) Download the eBook “Overcoming Critical Security Issues”

This eBook resource is designed to give you the tools and information needed to have a high-level discussion about data security in your company. Click the button below to request your complimentary download!

eBook: Overcoming  Critical Security Issues

Topics: Best Practices, Encryption Key Management, partners, ISV

3 Ways An Encryption Key Management Partner Will Make Your Life Easier

Posted by Liz Townsend on Jul 5, 2013 7:30:00 AM

If your company is an ISV, VAR, or OEM providing software or hardware to businesses who must meet data security compliance regulations (PCI, HIPAA/HITECH, GLBA/FFIEC, etc.), finding the right technology partners to offer your customers the best security available can be a difficult task.


Technology partnerships have a reputation for being difficult and risky. Legal agreements, licensing models, and product performance are just a few examples of serious barriers. Unfortunately in today’s technology climate, there are many examples of technology partnerships that have reinforced this reputation.

When it comes to protecting sensitive information and meeting security compliance regulations, we don’t believe anything should get in the way of offering your customers the best data security tools available. Townsend Security helps businesses of all sizes protect sensitive data with powerful encryption and encryption key management that not only helps companies meet compliance requirements, but will protect them in the event of a data breach.

Here’s how Townsend Security makes partnering with a technology company easier than ever:

  1. Reduced Complexity to Lower Costs - Your technology partner’s product shouldn’t be so complicated that it takes outside consultants, drawn-out projects, and extra time and money to implement. In our eyes, a good partner works hard to make sure their product integrates seamlessly into your existing technology infrastructure. Townsend Security is able to accomplish this quickly and at a lower cost by having the capacity and functionality to specialize our solutions to meet our partners’ needs. We also ease the burden of implementation by providing our customers with a simple and cost-effective licensing model.
  2. Provide Powerful Products - With the staggering number of data breaches that happen every month, there is no excuse for using sub-standard encryption to protect sensitive data. Many companies try to cut corners or meet the minimum standard by using “home-grown” encryption and key management or cheap solutions that don’t adequately protect data. However, when businesses use these solutions, many end up having to re-do their encryption and key management projects in order to comply with data security regulations (which are always becoming more stringent), or even worse, they experience a data breach and realize they can no longer skate by with weak data security. Townsend Security offers powerful, NIST-certified encryption and FIPS 140-2 encryption key management for all legacy platforms and the cloud to help you exceed standards and prevent data loss.
  3. Excellent Back End Support - When it comes to back end support, the people you deal with on a day-to-day basis can make or break a partnership. Townsend Security works closely with our partners to ensure their success. We provide our partners with training, marketing materials, OEM options, as well as easy and cost effective licensing models to get our powerful solutions protecting your customers as soon as possible.

At the end of the day, the technology partner you choose should leverage your existing solutions by making them more powerful. It’s easy to secure data poorly, and it can be difficult to do it well, but Townsend Security has developed and scaled our encryption and encryption key management to eliminate the pains and obstacles of doing data security the right way.

Download eBook: "Encryption Key Management Simplified"

Topics: Data Privacy, Encryption Key Management, partners, OEM

Data Gets Out. Encrypt It!

Posted by Michelle Larson on Jul 1, 2013 7:43:00 AM

What exactly is data security and encryption & key management, and why care about it? 

Interesting conversation this morning as I walked from the parking lot to my office building.  Another person from one of the eight companies that occupy this building and I walked in together and chatted... first it was just “looks like the weather is getting better”... then it moved to “what floor are you on?  what company?” and when I told her ‘Townsend Security’, she said “oh, I’ve always wondered what you folks do”...


As the newest staff member, I wasn’t sure I had perfected my 30 second elevator pitch, but I told her that we were a data encryption company and design the software (and provide hardware) that almost everyone needs to protect themselves from a data breach. At first her response was “oh, we don’t need that, we have a guy that takes care of our computers”. Then we talked about how high the statistics are for people who would experience a data breach ("In 2010, if you received a data breach notification, your odds of being a fraud victim were one in nine. Last year, that jumped to one in four."), and after asking if they had a database and if they kept any records that held personally identifiable information (PII) or credit cards, it quickly became “I think we need that!”.

It reminded me that when I started working here, I wasn’t fully aware of many of the reasons or regulations that make data encryption so important.  I’m not sure I will ever have a complete technical understanding of all the nuances, but I’m working on it... Luckily I work with incredibly brilliant people who daily do all of the hard programming work and are very passionate about encryption.

I am lucky enough to be working with a company that I believe in, doing work that I know is important and can really make a difference in people’s lives. One of the main reasons I love this job... all the wonderful people that I work with, people so passionate about data security and the positive impact we can have on other people’s lives!


The founder, Patrick Townsend, impressed me so much at our last staff meeting when he reminded everyone to really think about why we are here, why we do what we do. “It isn’t about selling a product. It isn’t about the bottom line. It is about protecting people from the devastation that a data breach can have on their individual lives. It is about making sure we help companies protect their customers and clients. It is about stopping the bad guys from wreaking havoc by making it impossible for them to get what they are after. That is why we are here, remember that”.

Think about what your company does with the data you collect.  Is it encrypted and secure when it is “data at rest” (just sitting on your server)? How about when it is “data in motion” (being transferred to someone else)?  Look into what is happening with your information, and if you depend on someone else to take care of it, make sure they are doing it right.

Data gets out. Period. Either by accident or by design (someone hacking into your information). Make sure that when it does get out (and unfortunately it is “when”, not “if”) that it can’t be read.  You can make that data useless by encrypting it.   Remember to keep the encryption key stored in a different location than the data (encryption key management 101) because you wouldn’t lock up your house and then tape the key to the front door or leave it under the welcome mat!...  Would you?

If you aren’t sure what encryption or key management is all about, we have a wonderful resource section on our website, and I’ve gathered a collection of some great Key Management resources right here.

  Request Resource Kit Here

Check out the information we have on data security and encryption key management and then contact us with questions, we are here to help!

Topics: Encryption, Key Management, Best Practices, Encryption Key Management, Business Risk

Three Most FAQs About Encryption Key Management on the IBM i

Posted by Michelle Larson on Jun 18, 2013 2:10:00 PM

The way organizations are managing encryption keys is falling under more scrutiny by Payment Card Industry (PCI) Qualified Security Assessor (QSA) auditors. Companies must demonstrate they are enforcing dual control and separation of duties in order to protect sensitive data.

Here are the answers to three of our most frequently asked questions about encryption key management on the IBM i:

Is it still effective to use an integrated key management solution that stores encryption keys in the same partition as the encrypted data?  
The short and simple answer is No. There are many reasons why storing an encryption key on the same server that contains protected data is not advisable. This is not just an IBM i issue - it spans all of the current major operating systems. Let's explore this a bit more in the following sections.

How do IBM i users manage encryption keys according to PCI requirements with an encryption key manager?
Payment Card Industry - Data Security Standards (PCI DSS) states the following requirements for encryption key management:

  • Dual Control means that at least two people should be required to authenticate before performing critical key management tasks.

  • Separation of Duties means that the individuals managing encryption keys should not have access to protected data such as credit cards, and those that have access to protected data should not have the authority to manage encryption keys.

How are the “dual control” and “separation of duties” requirements achieved on IBM i?
On the IBM i you simply can't achieve these PCI requirements if you store the encryption key in the same partition as the protected data.  

The QSECOFR user profile (and any user profile with *ALLOBJ authority) will always have complete access to every asset on the system. An *ALLOBJ user can circumvent controls by changing another user's password, replacing master keys and key encryption keys, changing and/or deleting system logs, managing validation lists, and directly accessing database files that contain encrypted data.

From the perspective of PCI, an integrated key management system puts too much control into the hands of any one single individual.
The only way to comply with PCI requirements for key management is to store the encryption keys off of the IBM i.  Take users with *ALLOBJ authority out of the picture completely.  When you use a separate appliance to manage encryption keys you can grant a user access to the protected data on the IBM i and deny that same user access to the key manager.  Now you have enforced separation of duties.  And with the right key management appliance you can require TWO users to authenticate before keys can be managed, and have dual control of encryption keys.
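A sketch of the two controls as an authorization policy on an external key manager, added here as an illustration rather than taken from any product. The class, method, and user names other than QSECOFR are hypothetical, and the key manager is assumed to keep its own list of administrators, separate from the user profiles on the data host.

```python
from dataclasses import dataclass


class AuthorizationError(Exception):
    """A request violates dual control or separation of duties."""


@dataclass(frozen=True)
class Principal:
    name: str
    authenticated: bool   # result of the key manager's own login check


class KeyManagerPolicy:
    def __init__(self, key_admins, data_users, required_approvers=2):
        self.key_admins = set(key_admins)
        self.data_users = set(data_users)
        self.required_approvers = required_approvers
        # Separation of duties: nobody may hold both roles.
        overlap = self.key_admins & self.data_users
        if overlap:
            raise AuthorizationError(
                f"separation of duties violated by: {sorted(overlap)}")

    def authorize_management(self, operation, approvers):
        """Dual control: require distinct, authenticated key administrators."""
        valid = {p.name for p in approvers
                 if p.authenticated and p.name in self.key_admins}
        if len(valid) < self.required_approvers:
            raise AuthorizationError(
                f"{operation}: {len(valid)} valid approver(s), "
                f"{self.required_approvers} required")
        return sorted(valid)

    def authorize_data_access(self, principal):
        """Protected data is reachable only by authenticated data users."""
        if not principal.authenticated or principal.name not in self.data_users:
            raise AuthorizationError(f"{principal.name}: data access denied")
        return True


if __name__ == "__main__":
    # Constructed sample roles: QSECOFR is all-powerful on the IBM i,
    # but is not an administrator on the separate key manager.
    policy = KeyManagerPolicy(key_admins={"alice", "bob"},
                              data_users={"carol", "QSECOFR"})
    print(policy.authorize_management(
        "roll key", [Principal("alice", True), Principal("bob", True)]))
    try:
        policy.authorize_management(
            "roll key", [Principal("alice", True), Principal("QSECOFR", True)])
    except AuthorizationError as err:
        print("refused:", err)
```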

Now it’s time to ask yourself a few questions!

  • Is your organization encrypting data on IBM i?  

    • If so, how are you managing the encryption keys?

  • If you store the keys on a separate partition, have you had a recent PCI audit?  

    • What did your auditor say?

If you aren’t sure of the answers, or if this still seems foreign to you, take a few minutes to download our eBook "Encryption Key Management Simplified".

Whether you are an IT administrator or a business executive, this resource will help you learn the fundamentals of:

  • What is encryption key management

  • Key management best practices

  • How to meet compliance regulations (PCI-DSS, HIPAA/HITECH, GLBA/FFIEC, etc.) with encryption key management

  • How encryption key management works on every platform including Microsoft SQL Server '08/'12, Oracle, and IBM i

  As always, we welcome your comments and suggestions!  Let us know what you think of the eBook! 


Topics: Key Management, Separation of Duties, IBM i, Encryption Key Management, Dual Control

Encryption Key Management Overview using Microsoft SQL Server

Posted by Michelle Larson on Jun 13, 2013 12:47:00 PM

Going Beyond Compliance Requirements with Encryption Key Management

If you are new at protecting data in Microsoft SQL Server environments, generally compliance regulations are what drive an encryption project. In the past, encryption has had a reputation for being difficult to do, complex, and time consuming. We hope to show you how that has changed.

To start us off, here are a few definitions and acronyms that may help:

  • AES – Advanced Encryption Standard – this is the most common standards based encryption that is used to protect data whether that is in SQL Server or any other environment where data-at-rest is protected.
  • EKM – Extensible Key Management – within the Microsoft SQL Server environment EKM is a part of the Enterprise edition 2008/2012 and higher
  • HSM – Hardware Security Module – the Townsend Security HSM encryption key management product is Alliance Key Manager
  • FIPS – Federal Information Processing Standard
  • NIST – National Institute of Standards and Technology

Since it wasn’t thought of as something that improved the “Bottom line” by increasing revenue or decreasing expenses, encryption has historically been a project solely driven by the need to meet compliance regulations.

There are a large variety of compliance regulations that most, if not all, businesses fall under. One common misconception about compliance regulations is that they don’t equally apply to both private and public companies. To clarify, these regulations apply to all companies, of all sizes, whether they are privately-held or publicly-owned. For example, if you take credit cards for any reason, you fall under Payment Card Industry - Data Security Standards (PCI-DSS). Other common regulations are:

  • HIPAA Data Security & HITECH Act of 2009 which applies to Medical Providers and the healthcare industry.
  • GLBA/FFIEC apply to banks, credit unions, credit reporting agencies, and anyone in the financial industry.
  • FISMA is for Federal US Government Agencies.
  • The Federal Trade Commission (FTC) also gets involved with anyone who issues a privacy statement.

More than 45 states also have their own privacy rules, in addition to the ones listed above, that strongly recommend encryption of any personally identifiable information (PII).

So, beyond compliance with regulations, why should you care about encryption… and what is it anyways?  First of all, your customers, clients, and suppliers all expect you to protect their sensitive data.  Hackers and data thieves are targeting mid-sized companies because, as larger companies get better at securing sensitive information, the hackers see smaller companies as better targets.  Financial fraud and data breaches become more common in those businesses that might not be as prepared without the resources to have an internal security team. Data loss can have a big impact on a company's reputation as well as their financial health.

AES encryption is a mathematical formula for protecting data. It is based on a proven, well-known algorithm and standards published by NIST. But since that formula is an open and vetted standard, it is not the mathematical algorithm that is the big secret. It is what happens with the “Key” that locks and unlocks the data that all the fuss is about.

Key management is so important because the encryption keys are THE secret that must be protected.  Without access to the key, a hacker that accesses encrypted data has no way to read it.  Industry standards and best practices for encryption key management, as well as compliance regulations that require proper encryption key management, all state that storing encryption keys on the server with the protected data is a poor security practice.  Encryption keys are unique and cryptographically secure, and once created, protecting the key is the core practice that will protect the sensitive data.  It will not be defensible in the event of a data breach if the keys were stored in the same server as the data.  (Akin to leaving the key to your house in the door lock and being surprised that someone has entered uninvited!)

Our solutions help Microsoft SQL Server customers really protect their data. Alliance Key Manager, our encryption key management hardware security module (HSM), is FIPS 140-2 certified. This means it meets Federal standards that private enterprises expect around key management. We provide encryption key management solutions for every version and edition of SQL Server starting with SQL Server 2005.

Please join our founder and data security expert, Patrick Townsend, in this 30-minute webinar that will cover encryption and key management best practices with Microsoft SQL Server!

DOWNLOAD WEBINAR: Encryption & Key Management with Microsoft SQL Server

As always, your comments and feedback are appreciated! 

Topics: Compliance, Encryption, Encryption Key Management, SQL Server

The Right Data Security Partner Can Make a Difference!

Posted by Michelle Larson on Jun 10, 2013 11:03:00 AM

ISV Executives Can Improve their Payment Applications with the Right Encryption and Key Management Partner

Your company competes against many other ISVs selling niche retail management software and payment applications. You need a strong partner to guarantee you are providing the best encryption and key management to your customers. Because when payment applications don’t adequately protect encryption keys or use encryption key management best practices to secure cardholder data, they leave your customers extremely vulnerable to data breaches.

At Townsend Security, we offer industry standard AES encryption and certified key management and we believe that good encryption and key management is the cornerstone of good security.  Here are three ways we believe a good partner should help ease the burden of data security:

1. Reduced Cost and Complexity          

I know... you are thinking “Key management is both costly and difficult” - while that reputation was accurate ten years ago, today certified encryption key management using best practices can be achieved quickly, easily, and at an affordable price. We help you by offering encryption key management that is quick and easy to deploy, has a cost effective licensing model, and we will even OEM or “white label” for you because we don’t believe issues around branding should get in the way of good data security.

2. Provide Certified Solutions

We believe that data security should be constantly evolving to meet the challenges of new security threats. Retail ISVs and payment application software companies need to know that although their solution may have earned a PA-DSS certification, these standards, like all PCI standards, are not set in stone. A solution that has been certified once might not pass the next certification process if its encryption and key management practices have become outdated. Since encryption and key management are necessary components of payment application systems, providing customers with third party OEM NIST-certified AES encryption and FIPS 140-2 compliant key management would give an ISV some critical advantages.

Townsend Security not only supplies NIST and FIPS 140-2 certified encryption and key management, we'll help you achieve your own FIPS certification under our OEM program. In order to confidently protect your customers, NIST and FIPS certifications ensure that encryption key management has been tested against government standards and will protect compromised data in the event of a breach.

3. Protect Your Customers

While many payment applications have a PA-DSS certification, in order to protect your customers from a data breach, you must not only meet these certifications, but also build a security solution that will truly protect data at rest and data in transit using industry best practices. Data security must be a critical element in your risk management plan and conveyed well to your customers.

With our NIST and FIPS certified encryption and key management solutions, retail ISVs can offer easy and affordable industry standard data security. Townsend Security has redefined what it means to partner with a security company. Our dedicated team provides our partners with extensive training, back end support, marketing materials, and a cost effective licensing model. So when (not if) your customer experiences a data breach, and you have implemented adequate security that renders the compromised data unreadable, you will not only be your customer’s hero, but your own company’s hero as well.

In this complimentary podcast, security expert Patrick Townsend discusses “How Retail ISVs Can Improve Their Payment Applications” with Paul Taylor from Security Insider.

Download Podcast

As always, we welcome your comments and questions! 

Topics: Payment Applications, Point of Sale (POS), Encryption Key Management, partners, ISV

SQL Server Data Protection: Setting Up TDE or Cell Level Encryption

Posted by Michelle Larson on Jun 5, 2013 3:00:00 PM

In Microsoft SQL Server 2008/2012 Enterprise edition, users can enable Extensible Key Management (EKM) and use either TDE or cell level encryption to encrypt their sensitive data and to be selective about the data they encrypt. EKM is an architecture that allows users to incorporate a third-party* encryption key management hardware security module (HSM) in order to truly secure their data using key management best practices and meet compliance regulations.

*Townsend Security is a Microsoft Silver partner and provider of encryption key management HSMs for Microsoft SQL Server, Microsoft SharePoint, Windows, and Microsoft Azure.

Users select from one of the two methods of SQL Server encryption available for the Microsoft SQL Server 2008/2012 Enterprise Edition and above:

1) Transparent Data Encryption (TDE): TDE encrypts the entire database and temporary files within that space with no additional programming.

On earlier versions of SQL Server, deploying encryption had been a much larger and more complicated programming project. With 2008/2012 Enterprise edition, TDE can be implemented fully without any programming at all. Once your administrator has DBA administrative rights, he or she can implement TDE through a straightforward process that requires no changes to coding, queries, or applications. TDE is a favored way to rapidly encrypt data and works well for small or medium sized databases because of its speed and ease of deployment.

2) Cell Level Encryption: Cell Level Encryption allows database administrators to select the columns they wish to encrypt in a database - a benefit for many administrators with larger databases; however, this process takes a little bit more effort to set up.

If you are leveraging EKM and using an external encryption key manager, the database administrator can encrypt data in the column (cell level) by adding a modifier on a particular fetch or update to the database. However, administrators will need to make small changes to their databases to enable their encryption key manager to do this. This is not a complicated step, however, and your encryption key management vendor should be able to help you through this. Cell level encryption works well for large databases where performance impacts must be kept to a minimum and only certain data needs to be encrypted.
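
The TDE route described above, with the key held in an external key manager through EKM, looks like this in T-SQL. This is an added example, not Townsend Security's or Microsoft's own script: the provider name, DLL path, login, identities, secrets, key names and the `SalesDb` database are all placeholders, and your key management vendor supplies the real provider file and key names.

```sql
-- Added example. Provider name, DLL path, login, identities, secrets,
-- key names and database name are all placeholders (assumptions).

-- 1. Enable EKM and register the key manager vendor's provider DLL.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1; RECONFIGURE;
GO
CREATE CRYPTOGRAPHIC PROVIDER ExampleEkmProvider
    FROM FILE = 'C:\Placeholder\ExampleEkmProvider.dll';
GO
-- 2. Credential the DBA's login uses to authenticate to the key manager.
CREATE CREDENTIAL ekm_admin_cred
    WITH IDENTITY = 'placeholder-identity', SECRET = 'placeholder-secret'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;
ALTER LOGIN [EXAMPLE\dba] ADD CREDENTIAL ekm_admin_cred;
GO
-- 3. Reference a key that stays in the key manager; only a handle is stored here.
USE master;
CREATE ASYMMETRIC KEY ekm_tde_key
    FROM PROVIDER ExampleEkmProvider
    WITH PROVIDER_KEY_NAME = 'placeholder-tde-key',
         CREATION_DISPOSITION = OPEN_EXISTING;
GO
-- 4. The database engine needs its own login and credential to open that key.
CREATE CREDENTIAL ekm_tde_cred
    WITH IDENTITY = 'placeholder-identity', SECRET = 'placeholder-secret'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;
CREATE LOGIN ekm_tde_login FROM ASYMMETRIC KEY ekm_tde_key;
ALTER LOGIN ekm_tde_login ADD CREDENTIAL ekm_tde_cred;
GO
-- 5. TDE: wrap the database encryption key with the external key, then turn it on.
USE SalesDb;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY ekm_tde_key;
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- 6. Verify: encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```

Because the database encryption key is wrapped by a key that never leaves the key manager, database files or backups copied from this server cannot be decrypted without access to the key manager.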

Here is a very straightforward YouTube demonstration video where you can see just how easily TDE is set up.

Setting Up TDE & EKM on SQL Server 2008 / 2012 for Compliance

For a more in-depth look, we have compiled a selection of resources (webinar, white paper, podcast) that can provide additional information:

Download Resources

Topics: Extensible Key Management (EKM), Microsoft, Encryption Key Management, SQL Server, Cell Level Encryption, Transparent Data Encryption (TDE)