Townsend Security Data Privacy Blog

Data Protection - Who Knows Where Your Keys Are Hidden?

Posted by Michelle Larson on May 31, 2013 3:49:00 PM

When protecting your data in SQL Server, you need to be as informed as the hackers!

Whether you are the CEO or the database administrator of your company, you need to be aware of what data you are storing and the different compliance regulations that require encryption and key management.

A data breach can often go undetected for quite some time, but when it happens (and these days it is “when” not “if”) it can cause some serious issues for your company and your customers!

While “the bad guys” get more creative every day, being aware of their tactics and following security best practices can slow them down and hopefully thwart their attempts from being successful.  Research and “post-data breach” studies have shown that 80% of data breaches happen with a fairly low-tech “old school” type of attack known as SQL injection.  In fact, Injection is #1 on the “2013 Top 10 List” of simple security problems from OWASP (the Open Web Application Security Project).

While not the only method, SQL injections are still one of the most common ways of attacking web services by sending malicious SQL code in parameter fields, with the intent that the server will execute the code. When designing web applications or internal applications you need to remain aware of SQL injection opportunities beyond just the systems securing credit card data. So many people think “we don’t have that problem.” However, if your application is on the internet… you do. Features such as login pages, support or product request forms, and shopping carts are all examples of web applications that can make your databases vulnerable. Hackers can gain entry through these other areas of your company website and navigate their way to more valuable data. Once inside your database, they can retrieve or delete sensitive information such as credit card numbers, clients’ personal information, or company records. Safeguards such as encryption and key management can help prevent those losses only if they are in place.

Good practices to prevent or mitigate attacks like SQL injection and the loss of unencrypted data:

  • Analyze your website and web applications for vulnerabilities.
  • Look for signs of SQL injection in your system logs, and make monitoring a priority.
  • Remember that internal apps are just as susceptible as public apps.
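
The difference between concatenating a parameter into SQL text and binding it as a value, shown in T-SQL as an added example that is not from the original post. The table, column and procedure names are hypothetical, and the sample rows and input are constructed.

```sql
-- Constructed schema for illustration only (hypothetical names).
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    Email      NVARCHAR(256) NOT NULL,
    CardLast4  CHAR(4)       NOT NULL
);
INSERT INTO dbo.Customers (Email, CardLast4)
VALUES (N'alice@example.com', '1111'),
       (N'bob@example.com',   '2222');
GO

-- VULNERABLE: the parameter is concatenated into the statement text, so
-- whatever a form field sends becomes part of the SQL the server parses.
CREATE PROCEDURE dbo.FindCustomer_Unsafe
    @Email NVARCHAR(256)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Email, CardLast4 FROM dbo.Customers WHERE Email = '''
        + @Email + N'''';
    EXEC (@sql);
END;
GO

-- HARDENED: the statement text is a constant and the value is bound as a
-- typed parameter, so it is only ever compared as data, never parsed as SQL.
-- (When no dynamic SQL is needed, a plain static SELECT ... WHERE Email = @Email
-- inside the procedure is simpler and equally safe.)
CREATE PROCEDURE dbo.FindCustomer_Safe
    @Email NVARCHAR(256)
AS
BEGIN
    SET NOCOUNT ON;
    EXEC sys.sp_executesql
        N'SELECT CustomerId, Email, CardLast4 FROM dbo.Customers WHERE Email = @e',
        N'@e NVARCHAR(256)',
        @e = @Email;
END;
GO

-- Constructed test input containing a quote character and a boolean clause.
DECLARE @input NVARCHAR(256) = N'x'' OR ''1''=''1';

-- Unsafe path: the statement text becomes
--   ... WHERE Email = 'x' OR '1'='1'
-- so the WHERE clause no longer restricts the result to one address.
EXEC dbo.FindCustomer_Unsafe @Email = @input;

-- Safe path: the whole input is compared against the Email column as one
-- literal string, quotes included.
EXEC dbo.FindCustomer_Safe @Email = @input;
GO
```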

From a best practice point of view, as well as a regulatory compliance view, encrypting your data is a fundamental security step for any system. So even if the information is “retrieved”, it isn’t in a readable format and the hackers won’t be able to use it! While data encryption used to seem like a daunting task, that is no longer the case. SQL Server 2008/2012 Enterprise Edition and above include TDE offerings that allow for encryption without application changes. You can now deploy key management that is easy to use and affordable with Alliance Key Manager, our FIPS 140-2 certified encryption key management HSM.

Just keep in mind that the single biggest data security issue is failure to protect the encryption key. Always keep your keys off the server and out of the system that holds your encrypted data.  Think of it like the lock on your front door…  you wouldn’t lock up your house and then tape the key next to the handle… would you?

We would like to offer you a complimentary copy of our eBook: “Encryption Key Management Simplified”, which is a fundamentals guide for both IT administrators and business executives alike.  



As always, your comments and questions are welcome!

 

Topics: Data Privacy, Encryption Key Management, SQL Server, Executive Leadership

3 Reasons Point of Sale (POS) Vendors Should Offer Encryption Key Management

Posted by Luke Probasco on May 28, 2013 8:01:00 AM

In a world where data breaches are occurring nearly every day, and data security in many organizations looks more like a sieve than a safeguard, using a strong encryption and key management solution is a must. Protecting sensitive data using encryption and protecting encryption keys using a strong encryption key management hardware security module (HSM) is so important today that it is required, if not strongly recommended, by most data security industry regulations such as PCI-DSS, HIPAA/HITECH, and GLBA/FFIEC.


If encryption and key management are so critical to protecting data, why are so many data breaches occurring every week? This is especially an important question to ask merchants and retail companies whose encryption and key management strategy has already passed a PCI test in order to operate their POS systems. Although they’ve passed the test, many are still the easiest targets for hackers and seem to be the most susceptible to data loss in general.

At the end of the day, individual businesses are responsible for their own data security, but POS vendors can boost their own security posture and industry leadership by offering better encryption and better encryption key management solutions to their customers. Since encryption and key management are necessary components of POS systems, providing customers with third-party OEM NIST-certified AES encryption and FIPS 140-2 compliant key management would give a POS vendor these critical advantages:

  1. Competitive Advantage - As we have seen over the past few years, industry regulations such as PCI-DSS and HIPAA/HITECH continue to become more stringent. POS vendors offering NIST-certified encryption key management will only retain customers if they can offer encryption key management solutions that fall in line with these regulations.
  2. Protect Customers to Protect Yourself - When a data breach occurs, two parties take the most heat: the CEO and the software vendor whose solution was inadequately protecting the data. Retailers who experience data breaches due to poor encryption and key management techniques employed in their POS systems will likely blame their vendor and are more likely to migrate to a competitor.
  3. Offer a Higher Quality Product and Generate New Revenue - Almost every single POS vendor offers encryption and key management on their devices, but not every POS vendor does the job right. In these cases, a retailer may pass a PCI audit but still be vulnerable to a data breach. With a NIST-certified OEM encryption key management solution, a POS vendor can offer retail customers the best data security available and generate new revenue with that offer.

In our opinion, POS vendors should absolutely offer their customers the best encryption and encryption key management solutions that are out there. It is clear that many POS vendors are not offering their customers the best data security tools, and the evidence is in the data breaches that happen nearly every week. POS vendors can offer their customers industry standard and certified solutions by implementing an affordable OEM encryption key management solution that is customized for their specific applications.


Topics: Point of Sale (POS), Encryption Key Management, OEM

SQL Server Encryption: Three “Key” Things to Remember…

Posted by Michelle Larson on May 10, 2013 3:42:00 PM

With the emergence of data security standards, encryption and key management have become a necessity for most companies storing or transferring sensitive data such as credit card numbers, patient data, social security numbers, and other personally identifiable information (PII). 


Transparent Data Encryption (TDE) on Microsoft SQL Server 2008, 2008 R2, and 2012, allows automatic encryption on these editions of SQL Server without application changes. With newly available SQL Server encryption capabilities, encryption key management--a critical step to securing your data--is done easily on SQL Server with extensible key management (EKM). EKM allows customers to choose a third-party encryption key management hardware security module (HSM) and integrate that HSM easily into their SQL database.

Without an encryption key management HSM, SQL Server users are essentially leaving the keys to their data underneath their welcome mat!

Three things to remember for following security best practices:

#3 – SQL Server Encryption isn’t as imposing as it sounds…

  • Compliance regulations drive the need for encryption and require that you protect the encryption keys apart from the encrypted data storage.  
  • An encryption algorithm is simply a mathematical formula that protects data. The critical element is the way the “Key” to that formula (the encryption key) is managed. 
  • HSMs like Alliance Key Manager create, manage, and protect encryption keys through the entire lifecycle and deliver them securely when they are needed.
  • Alliance Key Manager is a quick, efficient, and compliant solution that is easy to implement with our “Key Connection for SQL Server” EKM provider software. Based on FIPS (Federal Information Processing Standard) 140-2 certified technology, it is easy to implement, deploy, and configure with “out of the box” integration with SQL Server.
  • Townsend Security is a Microsoft Silver partner and Alliance Key Manager works with all versions of Microsoft SQL Server including SQL Server 2005. Additionally, Alliance Key Manager allows you to protect sensitive data stored in Microsoft SharePoint and Microsoft Azure.

#2 – You are required to protect data by government and industry created regulations…

  • PCI-DSS (Payment Card Industry – Data Security Standard) for merchants
  • HIPAA/HITECH  (Health Insurance Portability and Accountability Act)/(Health Information Technology for Economic and Clinical Health) for medical providers
  • GLBA/FFIEC (Gramm-Leach-Bliley Act)/(Federal Financial Institutions Examination Council) for the financial industry
  • FISMA (Federal Information Security Management Act) for US Government agencies

#1 – Customers expect their data to be protected!

  • PCI-DSS is required for anyone who takes credit cards.
  • While expectations for data protection in the medical and financial industries are widespread and easily understood, compliance regulations affect businesses and organizations of all sizes.
  • Beyond the expectations for privacy, and the laws that require it, the consequences of a data breach or data loss can be substantial. 
  • Small to mid-sized companies can be an easy target for data thieves, resulting in costly losses to their business and reputation.


We have resources to share with you about SQL Server Encryption and how to best secure your data.  Please click the button below to access these informative downloads! 
 

Download Resources  


As always, we welcome your comments and questions!

Topics: Separation of Duties, Best Practices, Encryption Key Management, SQL Server

4 Ways to Encrypt Data in Microsoft SQL Server

Posted by Patrick Townsend on May 6, 2013 4:29:00 PM

Almost every organization has at least one application built on Microsoft’s SQL Server database. Whether you build an application in-house using Microsoft’s development tools or you deploy a software package from a software vendor, chances are that your organization has one or more SQL Server databases to help you manage information.

The Challenge: Protect Data with SQL Server’s Encryption

Today it is almost impossible to run a business without handling sensitive information and storing data such as customer names, credit card numbers, bank account numbers, passwords, email addresses, or other personally identifiable information (PII) or private health information (PHI) in your SQL Server database. If your organization must meet data security regulations such as PCI-DSS, HIPAA/HITECH, GLBA/FFIEC, or GDPR, you probably already know that this data must be encrypted in order to protect your customers and prevent data loss in the event of a data breach.

What you may not know is that in order to truly protect your data, you must manage your encryption keys in adherence to key management best practices such as dual control and separation of duties using an external encryption key manager (key managers are available in VMware, Cloud, as a traditional hardware security module or HSM). Your company will only be able to avoid data breach notification if you are using these best practices.

The good news is that Microsoft SQL Server comes equipped with transparent data encryption (TDE) and extensible key management (EKM) to make encryption and key management using a third-party key manager easier than ever. Older versions of SQL Server can also be easily encrypted using different tactics, and you can manage those encryption keys just as easily with an encryption key manager as well.

Encrypting Data in SQL Server Depends on Your Version

If you’re currently looking into encrypting your SQL Server database or deploying a key management system, you may be concerned about how to protect your data depending on the version, code, and language used to build your database. To help ease your worries, here are 4 ways to encrypt your SQL Server database and protect your encryption keys:

  1. Since SQL Server 2008 Enterprise and SQL Server 2019 Standard, Microsoft has supported automatic encryption with TDE and column-level encryption for Enterprise Edition users and above. Without any programming you can encrypt the SQL Server database or an individual column, and store the keys on an encryption key manager (commonly available as an HSM and in VMware or Cloud).
  2. If you have an older version of SQL Server, or you have SQL Server Standard Edition or Web Edition, you don’t have access to TDE. But you can still automate encryption: Through the strategic use of SQL Views and Triggers, you can automate encryption of sensitive data on your SQL Server without extensive program modifications, and still use a secure key manager to protect the encryption keys.
  3. Your developers might have written custom application code to implement your SQL Server database. But SQL Server encryption and key management is still within your reach. A good key management vendor should supply you with software libraries that easily add into your applications and implement SQL Server encryption.
  4. You might have a SQL Server database, but not be using Microsoft programming languages. Perhaps your applications are written in Java, Perl, or PHP. Again, it is simple to deploy software libraries that encrypt the SQL Server data and which store the encryption keys on an external centralized key manager.
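
The TDE-with-EKM setup from item 1, in T-SQL as an added example (not Townsend Security's or Microsoft's own script). The provider name, DLL path, credential identities and secrets, key names, logins and database name are placeholders; the real values come from your key manager vendor's EKM provider documentation.

```sql
-- 1. Allow SQL Server to load third-party EKM providers.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- 2. Register the vendor's EKM provider library (placeholder path).
CREATE CRYPTOGRAPHIC PROVIDER ExampleEkmProvider
    FROM FILE = 'C:\Path\To\VendorEkmProvider.dll';
GO

-- 3. Credential the administrator uses to authenticate to the key manager
--    while setting things up (placeholder identity and secret).
CREATE CREDENTIAL EkmAdminCredential
    WITH IDENTITY = 'ekm-admin-placeholder', SECRET = '<secret-placeholder>'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;
ALTER LOGIN [DOMAIN\DbaLogin] ADD CREDENTIAL EkmAdminCredential;
GO

-- 4. Reference a key that lives on the key manager. Only a handle is
--    stored in master; the key material itself stays off the server.
USE master;
CREATE ASYMMETRIC KEY TdeKek
    FROM PROVIDER ExampleEkmProvider
    WITH PROVIDER_KEY_NAME = 'tde-kek-placeholder',
         CREATION_DISPOSITION = OPEN_EXISTING;
GO

-- 5. Give the Database Engine its own identity on the key manager so it
--    can unwrap the database encryption key when the database is opened.
CREATE CREDENTIAL EkmEngineCredential
    WITH IDENTITY = 'ekm-engine-placeholder', SECRET = '<secret-placeholder>'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;
CREATE LOGIN TdeEkmLogin FROM ASYMMETRIC KEY TdeKek;
ALTER LOGIN TdeEkmLogin ADD CREDENTIAL EkmEngineCredential;
GO

-- 6. Create the database encryption key, wrapped by the external key,
--    and switch TDE on. Contrast: ENCRYPTION BY SERVER CERTIFICATE would
--    keep the protecting key in master on the same server as the data.
USE SalesDb;  -- placeholder database name
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TdeKek;
GO
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO

-- 7. Check: list each encrypted database and how its key is protected.
--    encryption_state 3 means encrypted. encryptor_type (SQL Server 2012
--    and later) shows ASYMMETRIC KEY for EKM-protected databases and
--    CERTIFICATE for keys held on the server itself.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length,
       encryptor_type
FROM sys.dm_database_encryption_keys;
GO
```

With this layout the database cannot be opened while the key manager is unreachable, so key manager availability and backup belong in the same plan as the database's own.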

SQL Server encryption and good key management is not difficult to achieve. Although key management has a reputation for being difficult and costly, today key management for SQL Server is cost-effective, easy, has little to no performance impact, will get your company in compliance, and will keep your organization out of the headlines by helping to prevent a data breach.  Townsend Security's Alliance Key Manager is FIPS 140-2 compliant and in use by over 3,000 customers worldwide.

To learn more about key management for SQL Server, download the White Paper, “Encryption Key Management for Microsoft SQL Server.”


 

Topics: Extensible Key Management (EKM), Microsoft, Encryption Key Management, White Paper, SQL Server, SQL Server encryption

Top 5 Barriers to Good Encryption Key Management

Posted by Liz Townsend on Apr 3, 2013 9:31:00 AM

If you're starting an encryption key management project, you should always know the warning signs of obstacles that might make your project way more difficult and costly than it needs to be. We often see companies who have recently failed a data security audit, or realize that they are about to, because they didn't watch out for these pitfalls before they began an encryption key management project.

1. Complicated Project Requiring Outside Consultants and Time
If you find yourself bogged down by hiring outside consultants (beyond your encryption key management vendor) to help you set up and run your encryption key management system, you're probably headed for trouble. Encryption key management should be simple, straightforward, and easy to deploy.

2. No Certifications
NIST certifications are a must when it comes to implementing good encryption key management. In order to meet compliance for PCI-DSS, GLBA/FFIEC, FISMA, and other compliance regulations, always use NIST-certified AES encryption and FIPS 140-2 compliant encryption key management. Your QSA or other data security auditor will look for these certifications.

3. No Client-Side Support
Your encryption key management vendor should supply you with the appropriate client-side applications to make your encryption key management run as smoothly as possible. If you find yourself scrambling to find sample code, binary libraries, key retrieval and other tools, your encryption key management project time will almost certainly increase, if not come to a complete halt.

4. No Dual Control and Separation of Duties
When it comes to doing your encryption key management right, one of the critical pieces to meeting compliance requirements such as PCI-DSS is using the principles of dual control and separation of duties. These are hard and fast guidelines when it comes to the handling of encryption keys, and are considered a "best practice" for encryption key management. If your encryption key management hardware system doesn't implement these policies, it will be difficult to pass your data security audit down the road. Some compliance regulations such as HIPAA/HITECH Act don't yet require these policies; however, you should expect these best practices policies to be implemented into regulations down the road.

5. Complex and Hard to Predict Licensing
When you don't know how much your encryption key manager is going to cost, your project will stop in its tracks. When you don't know how many licenses your company will need over time and how your encryption key management vendor will charge you for them, estimating the cost becomes very complicated. Often a vendor might limit how many devices can connect to your key server or the number of keys the key server can create, resulting in unpredictable costs. As we all know, a project with an unpredictable cost never gets off the ground! The cost of licensing should not be a barrier to protecting your sensitive data.

To learn more about encryption key management and how easy it can be, check out our webinar, “Key Management Simplified.”


Topics: Alliance Key Manager, Best Practices, Encryption Key Management

Protecting Your Data in the Microsoft Windows Azure Cloud

Posted by Patrick Townsend on Mar 22, 2013 9:31:00 AM

I’m often asked if we can protect sensitive data in the Microsoft Windows Azure cloud. The answer is YES, and I’ll try to summarize our support on the different flavors of Windows Azure here:

First, Windows Azure has both a Platform-as-a-Service offering (PaaS) to run applications and store data in SQL Azure, and an Infrastructure-as-a-Service (IaaS) offering that allows you to run full Virtual Machines. Our data protection solutions run in all versions of Windows Azure – anywhere you run applications in Azure, we provide encryption and key management solutions to protect your data.

Windows Azure Platform-as-a-Service:

In this environment we provide .NET libraries that perform encryption key retrieval from our Alliance Key Manager, a FIPS 140-2 certified key management HSM. Any data store you choose for your sensitive data is supported by our client libraries, including SQL Azure. Our .NET software libraries are add-ins to your Visual Studio project and let you seamlessly retrieve encryption keys from the HSM.

Windows Azure Infrastructure-as-a-Service: 

In this environment we provide a broad set of data protection solutions for both Microsoft and non-Microsoft operating systems and applications. These include the following:

Microsoft SQL Server Extensible Key Management (EKM)

The Townsend Security EKM Provider software fully supports SQL Server Transparent Data Encryption (TDE) and Cell Level Encryption integrated with Townsend Security's Alliance Key Manager key server, a FIPS 140-2 certified HSM. Because no code or database application changes are required, TDE encryption is the fastest path to compliant data protection.

Microsoft SQL Server Standard and Web Editions

Many Microsoft customers use SQL Server Standard or Web editions in the Azure cloud. These editions of SQL Server do not support EKM and TDE. For these versions of SQL Server Townsend provides .NET software libraries to implement automatic column level encryption using SQL Views and Triggers.

Microsoft SharePoint

Microsoft SharePoint provides a user-friendly collaboration platform for sharing documents, spreadsheets, and other files. When you need to protect sensitive information in SharePoint documents, Townsend provides TDE encryption of the SharePoint database, and full encryption for files stored in Remote Blob Storage (RBS). All document information and document files are encrypted with 256-bit AES encryption using the Alliance Key Server HSM. ** 

Microsoft Dynamics CRM, GP, AX, etc.

Microsoft customers using the popular Dynamics applications need to protect customer and employee information stored in these applications. Townsend Security's SQL Server TDE software provides full application data encryption and integrates with their Alliance Key Manager HSM. 

.NET applications

Many Microsoft users create custom applications using a variety of Microsoft technologies. For customers developing applications in any .NET language such as C#, VB.NET, and so forth, Townsend provides .NET software libraries to perform encryption key retrieval and encryption. These libraries support the protection of unstructured data and purpose-built applications that need encryption support.

Non-Microsoft databases, languages, and operating systems

Townsend supports a wide variety of non-Microsoft databases, languages and operating systems in Windows Azure. You can use Oracle Database, MySQL, and other commercial and open source databases on Azure. Townsend provides appropriate client-side libraries to help you protect data. Townsend also provides a rich set of language libraries to help you achieve your data protection goals. Language support includes Java, Perl, PHP, Python, C/C++, and others. And these work in other operating systems supported by Windows Azure such as Linux.

At this point I hope you are getting the idea that we can help you with any of your data protection needs in the Microsoft Azure cloud. With key management solutions on hardware HSMs, hosted facilities, and VMware platforms, I think we’ve got your back when it comes to Azure data protection. 

Patrick

 

** RBS encryption available in late 2013.

Topics: Encryption Key Management, cloud, Microsoft Windows Azure

Encryption and Key Management Explained

Posted by Liz Townsend on Mar 8, 2013 7:47:00 AM

Video: What is Encryption Key Management


Today there are so many ways to lose control over sensitive data. Hackers are constantly trying to access networks, laptops get stolen out of cars, and unauthorized employees are given access to data that they were never meant to see. With so many ways to lose data, no wonder so many IT execs bury their heads in the sand at the idea of data security. It seems like there's nothing they can do.

Unfortunately for those people who ignore the pressing need for tighter data security (and are probably setting themselves up for a data breach), there is something they can do. They can encrypt their data, and they can use key management best practices to protect their encryption keys.

Encryption and key management are considered the highest standard in data protection, and are required or recommended by most industry regulations such as PCI-DSS, GLBA/FFIEC, FISMA, and HIPAA-HITECH Act.

But what exactly is encryption and why do you need key management?

I recently talked with data security expert Patrick Townsend, founder and CEO of Townsend Security, to find out. Watch the video of that discussion here.

What is encryption?

Encryption is a means of encoding data using an encryption algorithm to render data unreadable. AES encryption is a standard put forth by the National Institute of Standards and Technology (NIST). It is accepted as the strongest method to secure sensitive data. Encrypted data looks like gibberish. For example, an encrypted version of the name "John Doe" might look like "Ue%#KD#@". In order to read the gibberish, someone must have access to the encryption key, which unlocks the encrypted data to make it readable.

What is an Encryption Key?

When you encrypt data, an encryption "key" is created. Each encryption key is unique.  Encryption keys are the secret that must be protected. Encryption keys are a lot like the keys you use to lock your house. It's likely that you and several of your neighbors use the same kind of lock on your door, but each of you owns a unique key. Like a house lock, encryption uses the same algorithm to encrypt data, however in each instance, a unique key is created to unlock each piece of data. Losing your encryption key to a hacker is like losing your house key to a thief.

Hackers don't break encryption. They find the keys.

A lot of IT executives have dug themselves into a hole because they know they need encryption and key management, but they don't want to admit to their bosses that they've been ignoring the issue--and putting the company at risk--for years. It can be a very difficult subject to talk about, especially when budget has played a role in the decision making.

If you’re ready to begin having this discussion with your IT team, you should arm yourself with the right questions. We recommend you check out this video, “What is Encryption Key Management?” featuring Patrick Townsend, Founder & CEO of Townsend Security.

Topics: Alliance Key Manager, Encryption, Encryption Key Management

How to Prevent a Data Breach in the Cloud

Posted by Liz Townsend on Mar 4, 2013 11:27:00 AM

Video: Encryption Key Management for the Cloud


When it comes to data security, the question every single CEO and CISO should be asking her or himself is, "how do I prevent a data breach from happening to me?"

I recently sat down with data security expert Patrick Townsend, founder and CEO of Townsend Security to discuss the challenges around protecting sensitive data in the cloud and the most common methods of how people are protecting data in the cloud today.

Watch the video of that discussion here.

We live in a world today where data breaches are no longer a matter of "if" but "when." It is almost certain that some unauthorized person will at some point access your company's sensitive data, either by mistake, or with malicious intent to commit fraud. Whether it's by accident or intentional, unauthorized access of unencrypted sensitive data is usually grounds for data breach notification.

With so many companies moving their data storage to the cloud, preventing a data breach or unauthorized access to sensitive data becomes even trickier. Across the board, the number one concern people have with the cloud is data security. Because the cloud is fundamentally a shared environment in a location most users don't typically have physical access to, people are right to wonder, "Am I inadvertently sharing data with other people, and I don't know it?"

The truth is, in the cloud it's really hard to tell who you may inadvertently be sharing data with. That's why in order to prevent a data breach and avoid data breach notification it's critical to encrypt your sensitive data in the cloud, and you must use key management best practices. In fact, the concepts of protecting data in the cloud are fundamentally the same as protecting data outside of the cloud. You must (in review):

1. Encrypt the data
2. Use key management best practices to protect encryption keys

Using key management best practices for data in the cloud is fundamental, especially if you need to pass compliance regulations such as PCI-DSS, FFIEC, or FISMA.

As you'll learn in the video, there are really three ways to protect keys for encrypted data in the cloud:

1. Store the keys "in-house"
2. Store the keys in a hosted environment
3. Store the keys in the cloud

All three methods have their own advantages. But with each method there are also ways to protect encryption keys incorrectly. In the end, it's essential that you use key management best practices, and oftentimes the easiest way to make sure you're doing that is by using a third-party vendor with expert knowledge of key management best practices for the cloud.

Check out "Encryption Key Management for the Cloud" where Patrick Townsend discusses the challenges and solutions for protecting encryption keys.

Topics: Data Privacy, Encryption Key Management, cloud

Should Solution Integrators (SIs) Offer Encryption Key Management?

Posted by Liz Townsend on Feb 13, 2013 8:25:00 AM

Download Podcast: Benefits of Automatic Encryption


Listen to our podcast to learn how easy it is to use FIELDPROC for automatic encryption.


When a solution integrator assesses a company's IT and data security needs, most solution integrators know that almost every single business will need to meet at least one set of data security compliance regulations. If it's a retail business, they'll need to meet PCI-DSS. If it's a bank or financial company, they'll need to meet FFIEC and GLBA. If the company is a healthcare organization, they'll need to meet the data security requirements of HIPAA-HITECH. 

All of these regulations require that entities protect their sensitive data. From names and addresses to credit card and protected health information, these regulations say that the only way to truly secure this data is with encryption--not just firewalls and strong passwords--but with AES encryption. Even more importantly, most industry regulations and laws state that if a company is using encryption and proper encryption key management, should that company have a data breach, they don't always have to report it.

Do you think the companies who had major data breaches last year wish they had known that little fact? We're guessing, yes. 

Unfortunately, there's a lot of false information out there about encryption and encryption key management. A common misconception is that hackers can break encryption. The truth is, hackers don't break encryption, they find the encryption keys. How do they find the keys? If the keys are stored on the same device that the encrypted data is stored on, or the keys are stored in an unsecured location that the hacker gets access to, once the hacker has the keys, he or she can "unlock" the encrypted data. 

It's a little bit like taping your house key to your front door and hoping that a thief won't find it there. It's wishful thinking. 

That's why encryption is considered only half of a solution. All companies encrypting data also must implement good encryption key management. 

Of course, solution integrators want to know how offering their customers encryption key management services can grow their business. There's actually still a lot of hesitation around encryption key management as a service because managing keys was once a very difficult and costly thing to do. It even had a reputation for causing severe performance impacts on a network. Maybe that was true 10 years ago, but today encryption and key management technology:

  • Is easier than ever to implement on legacy platforms such as IBM i and Microsoft SQL Server

  • Is cost effective

  • Has very little impact on performance

That’s why offering encryption key management to your customers is always a good idea. Offering these technologies will not only grow your business; an encryption key management service will also protect your customers and help them meet compliance (which they’ll be thankful for).

Townsend Security is a Microsoft Silver Partner and an Advanced partner with IBM, providing the only FIPS 140-2 certified key management solution for Pureflex. Want to learn more about encryption and key management for IBM platforms? Download the podcast on automatic encryption for IBM i below!

Listen to Podcast



Topics: IBM i, Encryption Key Management, Solution Integrators/Providers

11 Things Solution Integrators (SIs) Need in a Key Management Partner

Posted by Luke Probasco on Feb 5, 2013 1:29:00 PM

Today, nearly every business needs to meet at least one set of data security compliance regulations, if not more. Regulations such as PCI-DSS, HIPAA-HITECH, and GLBA/FFIEC recommend, if not outright require, that companies collecting sensitive data secure that data using encryption and encryption key management. Most solution integrators are aware of this, but they may not know what to look for in a third-party key management vendor to partner with.

The key management vendor you choose to partner with should provide you with all the services you need to integrate key management into your solution easily. If you're a solution integrator, a third-party key management vendor should provide you with:

  1. Technology. Does your key management partner provide you with all of the hardware, software, encryption libraries, and tools you need to easily deploy encryption and key management on your customers' networks?

  2. Certifications. Certifications are crucial to meeting government and industry data security requirements. Is your key management partner’s solution FIPS 140-2 certified? What is the certificate number? Do they use NIST-certified AES encryption?

  3. Training. Does your partner provide you with adequate training and tools, such as walk-through instruction and training videos, to help you implement encryption key management with ease?

  4. Platform Compatibility. Does your partner support all of your customers' legacy platforms such as IBM, Microsoft, or Oracle, including newer and older versions?

  5. Client Side Support. Does your partner supply you with all of the sample code, binary libraries, applications, key retrieval and other tools you need to implement encryption and key management quickly and easily? Do they charge for client-side licenses? (Note: Townsend Security never charges for client-side support.)

  6. Marketing Collateral. Does your partner provide you with strong sales and marketing material to help you promote the product and give it credibility?

  7. Knowledge of Compliance Regulations. Does your partner know how their solutions will help your customers meet compliance regulations such as PCI-DSS, HIPAA-HITECH, and GLBA/FFIEC?

  8. Virtual and Cloud Environment Capabilities. Your customers may be storing their data "in-house", but if they want to move to the cloud, can your key management partner move with them?

  9. Scalable Solutions. Many customers of SIs are small and medium sized businesses with the same data security needs as larger enterprises. Can your key management solution scale to meet the needs of the SMB market?

  10. A Supportive Business Relationship. Does your partner understand your competitive and pricing challenges? Will your partner work with you to craft a solution that will keep your price competitive, or will they just give you a price and walk away?

  11. A Win-Win Relationship. Will the partnership create new business and generate new revenue for both parties?

Townsend Security is a third-party encryption and key management provider of NIST-certified AES encryption and FIPS 140-2 certified key management systems. With over 25 years of experience helping companies protect data and meet compliance requirements, Townsend Security can help you do the same.

To learn more about partnering with Townsend Security, contact us now. To learn more about AES Encryption and encryption key management, download our White Paper "AES Encryption and Related Concepts."

Topics: Encryption Key Management, AES Encryption, Solution Integrators/Providers