Townsend Security Data Privacy Blog

• A retailer with an eCommerce web site running on a Windows platform is encrypting data in a SQL Server database, but the key is stored on another server in the clear. A QSA auditor required that the merchant deploy better key management practices.
• A large manufacturer runs a user group and collects membership fees from a web site which are then processed on an IBM System i (AS/400) platform. The encryption keys were stored in encrypted format on the same server. A QSA auditor at their payment processor required that they institute better key management practices by storing the keys in an HSM on a physically separate server.
• A division of a large home improvement retail chain accepted customer orders from a web site, and processed the authorization transactions on a Linux server. The encryption keys were stored on a removable storage device. The payment processor rejected their self-assessment questionnaire on the basis of key management practices. The division migrated to the corporate key management solution to mitigate the issue.
• A software vendor who provides web hotel reservation portals uses both a Windows application and a Linux application to process reservation requests and payments. PCI standards require that credit card numbers be encrypted as data moves through both server environments. This software developer had good advice and chose a defensible key management strategy from the start.

I think you get the idea. Starting with a good key management solution is going to save you some grief later. We helped each of these companies meet PCI DSS compliance for key management, and in most cases it really didn’t take that much time or effort. But better to get it right from the start!

To learn more, download our white paper on encryption key management requirements for PCI.

Many of you have asked me about encryption and key management requirements for HIPAA and HITECH Act. I can understand why there is a fair amount of confusion about this. The US Department of Health and Human Services (HHS) has not issued the final rules, but they have indicated that the current Interim Final Rules are unlikely to change very much. The final rules are due to be published later this year, and may be updated on an annual basis.

The current IFRs indicate that encryption is an accepted method of protecting patient health information. However, there is no mandate for encryption, and medical providers (Covered Entities, in HHS regulatory speak) can use other methods to protect data. However, the guidance about breach notification is very explicit on the question of encryption. A medical provider can only avoid breach notification if the data is encrypted. In the event of a data loss where the data is not encrypted, the medical provider must report the breach to HHS and to the patients affected by the loss. The breach event is published on a public web site maintained by HHS. There may be penalties for the loss of unprotected information, and HHS has already started levying fines on medical providers. Here is what HHS says about encryption and breach notification:

“Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:

1. Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached.  To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.  The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.“

This is how proper key management is discussed in the HHS documentation. Note that it explicitly states that encryption keys must NOT be stored on the same device as the protected data. This is very similar to the PCI DSS requirement. The HHS documentation makes reference to NIST publications, and those publications recommend the use of FIPS 140-2 key management solutions.

It is important to note that tokenization is not mentioned by the HHS guidelines at all. Tokenization vendors will probably argue that tokenized data is not patient information, so can be used to avoid breach notification. But that is a vendor claim, and is not addressed by HHS. It should be noted that like PCI DSS, the tokenization solution must also meet the HHS guidelines for encryption and key management.

The bottom line?

The only way to avoid a breach notification is through the use of industry standard encryption such as AES, and appropriate encryption key management technologies. Encryption keys must not be stored on the same device (server) as the protected data. NIST best practices recommend that key management systems should be FIPS 140-2 certified. Our Alliance Key Manager solution meets these guidelines and will help you get to the land of HIPAA and HITECH Act Nirvana.

For more information, download our white paper titled "Achieve Safe-Harbor Status from HITECH Act Breach Notification with NIST-Certified Data Encryption."

The color silver symbolizes glamor and distinction. This year, the color silver symbolizes accomplishment for those of us at Townsend.  We have recently obtained Silver Business Partner status in Microsoft’s business partner program and the company just celebrated its 25th Silver anniversary.

Earlier this month we announced that we became a silver level business intelligence partner with Microsoft.  This new alliance will help us with the launch of our encryption key management solution for Microsoft SQL Server 2008, later this quarter.   We just returned from Microsoft’s Worldwide Partner Conference where we met with several different partners about this opportunity.   We talked with many companies who had similar interests in compliance and data protection, it was a great introduction into a new community that is very important to us.

July 14, 2011 marked Townsend’s silver anniversary – what a milestone! We owe this accomplishment to our customers, partners and our dedicated team. The company has evolved a lot over the last 25 years; we have undergone a few name changes (Patrick Townsend & Associates, Patrick Townsend Security Solutions and now Townsend Security) and a few different logos.  Our name and our look may have changed over the years, however, our mission and vision have remained the same - Townsend Security creates, sells and supports professional encryption solutions that protect data and simplify compliance.

The solutions we have introduced into the market over the years, AES Encryption, FTP Manager, Key Manager, LogAgent, XML/400 and TokenManager align with our vision. Our commitment to provide world-class support to our hundreds of customers worldwide will always be our number one priority.  And we are proud to say that a few members of the Townsend team have been with the company for over 10 years and several more are quickly approaching their 10 year anniversary, not many companies can say that in today’s economy.  As we pour that glass of bubbly and toast our silver anniversary we will be sure to thank our customers, partners and ourselves for an incredible 25 year run and set our sights on the next 25 years.  I can’t wait to see what it holds!

Be a part of our next 25 years, follow us on Facebook, Twitter, and LinkedIn.

First, like a proper workout, there are two parts.  There is the encryption process and the often after-thought of key management.  You need both for a successful and compliant data privacy solution.  This is much the same as hitting the gym.  You need to do your weights as well as run on the treadmill for a comprehensive workout.  Just because you are encrypting, doesn’t mean that you are doing it correctly, or will pass any sort of audit for that matter.

Next comes the personal trainer, or in the case of data privacy, regulatory compliance regulations (PCI DSS, HIPAA/HITECH, FFIEC, etc). Privacy regulations show you proper form.  They spell out exactly what you need to be doing to meet compliance regulations.  Check out the concepts in PCI DSS Section 3 for encryption and key management requirements.  Not only are privacy regulations helpful for providing best practices, but also in most cases apply directly to your business (PCI DSS, state privacy laws, etc.). 

Sometimes difficult to meet, compliance regulations are a good thing.  They are what protect your and my personal information.  One good way to ensure you are going down the right path is to use NIST-certified AES encryption and FIPS 140-certified encryption key management.  These certifications assure that the solution is proven and validated by a third-party.  It is a very expensive and time intensive process, but ultimately assures the encryption and key management solutions can meet the most stringent privacy regulations.  Only the very best encryption and key management offerings can do this.

Why make your workout harder than it needs to be?  Start your workout right from the beginning and you won’t be throwing your back out later (did you know an average data loss costs a company over $200 per record?).  Believe it or not, there are still some “encryption” solutions that aren’t NIST-certified.  Some companies say “we meet the standards of NIST and FIPS regulations”, but have nothing to prove it.  If you dig a little deeper you’ll see NIST has no record of them.  It’s kind of like trusting an infomercial that says all you need to do is use their contraption for three minutes a day and you’ll look like a body-builder.  I’d rather spend my time and efforts sticking to a proven method for getting in shape.

For more information on encryption and key management, download our white paper titled “AES Encryption and Related Concepts.”

With the growing demand for regulatory compliance and concern for data privacy, organizations are taking advantage of encryption as a way to provide a "defense in depth" solution.  This approach is often impractical using only database encryption management tools alone.  Townsend Security has addressed this with their Alliance Key Manager Hardware Security Module (HSM).  Alliance Key Manager is a FIPS 140-2 certified solution that stores encryption keys on a hardware appliance.  This is a more secure approach and better meets compliance requirements because encryption keys do not reside with the encrypted data.

So what does an organization need to look for when selecting an encryption key management HSM?

1) Cost Effective
Cost should not be a barrier to compliance.  Townsend Security's encryption key management HSM is an affordable solution that can scale from small and medium sized organizations to the largest Enterprise.

2) Meet Compliance Requirements
Compliance regulations require encryption keys to be stored separately from the encrypted data to meet Separation of Duties and Dual Control best practices.  It is important to enforce separation of duties if you are trying to meet PCI-DSS.  This means preventing administrators from having access to both the encrypted data and the encryption keys.

3) Invest in a FIPS 140-Certified Solution
This gives you assurance that your encryption key management solution is certified to the highest standard for regulatory compliance.

4) Easy Integration
It is important that your encryption key management solution connects effortlessly to your applications and databases.

5) Automated Key Management Process
Your organization can save time and money when addressing compliance requirements by choosing an encryption key management HSM that automates all of your essential key management tasks - including rotation, retrieval, and generation - from one server or man, in a central location.

Want to learn more?  You can view a pre-recorded webinar titled "Encryption Key Management Simplified" and learn how encryption key management can be easy, why encryption key management is important, and what the barriers are to good encryption key management.

Companies of all sizes feel the increasing pressure to protect sensitive customer information to meet PCI-DSS Standards.  Here are five ways to help ensure your database meets PCI requirements: 

1) Use certified encryption solutions to protect cardholder data

A standards-based encryption solution safeguards information stored on databases. Encryption methods approved by the National Institute of Standards and Technology (NIST) provide assurance that your data is secured to the highest standards.  

2) Encrypt cardholder data that is sent across open, public networks
Transmit sensitive files over the internet using trusted encryption technologies. (AES, SSH, SSL, and PGP).

3) Store encryption keys from your encrypted data on a certified encryption key management appliance
The most important part of a data encryption strategy is the protection of the encryption keys you use. Encryption keys safeguard your encrypted data and represent the keys to the kingdom. If someone has access to your keys, they have access to your encrypted data.

4) Enforce dual controls and separation of duties for encrypted data and encryption keys
Make sure people who have access to your encrypted data are restricted from accessing the encryption keys and vice versa. If someone can access your encrypted data and access the keys, your data is compromised.  You shouldn’t lock your door and leave the key under the mat for easy access to your home, the same precautions should be taken with your sensitive data.

5) Use tokenization to take servers out of the scope of compliance
Tokenization replaces sensitive data with a token. The token maintains the original data characteristics but holds no value, reducing the risk associated sensitive data loss. When you store tokens on a separate token server it eliminates the need to store the original data in an encrypted format, and may take the server out of scope for compliance.

Download the whitepaper Meet the Challenges of PCI Compliance and learn more about protecting sensitive data to meet PCI compliance requirements.

Last week we hosted a well-attended webinar titled "Encryption Key Management Simplified - Removing Complexity and Cost."  The focus was on meeting compliance regulations for managing encryption keys and that it doesn't need to be complex or costly - as long as you are using the correct tools.  Patrick Townsend, founder and CTO, received a lot of great questions during the webinar and wanted to share a few of them in our blog.  If you missed the webinar and would like to view it now, click here.

My PCI auditor told me that I need to separate my encryption keys from sensitive data.  Will a key management solution help with this?

Yes.  Absolutely.  That is typically what auditors expect you to do - to use a key management solution to separate the keys from the data that they protect.  So, within the PCI DSS world, for example, there are the concepts of dual control and separation of duties.  You accomplish separation of duties through procedural controls after you deploy a key management server.  You will find references in the navigation guide for PCI DSS around proper encryption key management.  There is a clear recommendation in Section 3 of the PCI DSS that people use professional encryption key management solutions and Alliance Key Manager is exactly that kind of solution.  By the way, it is just impossible on any platform to achieve best practices for key management by having the encryption keys on the same platform as the protected data - whether it is an IBM AS/400 where you have a security officer who has all control, or Windows with an Administrator Account that has high authority, or Linux and UNIX where you have root authority users.  It's just not possible to practically achieve they type of separation of duties and dual control that you need.  In almost all cases, Compliance Auditors are really looking to find proper key management and systems in place like Alliance Key Manager to meet that requirement.

On the IBM i, IBM has implemented a key store.  Why wouldn't I just use the IBM key store?

Well, the IBM i key store is, as it's name implies, is not an encryption key management system at all.  It's a place to store encryption keys.  I think like any platform where you have one or more very highly authorized users you have the problem of achieving dual control and separation of duties.  I'm not picking on the IBM i platform here, I think that platform has generally speaking good security, but you cannot achieve dual control or separation of duties on that platform.  Not only does the security administrator have all authority to any database and the key store, but also any user with All Object Authority has the same level of security.  In a typical IBM AS/400 shop, there are a lot of people who have that authority.  So the key store on the IBM i platform just won't give you the ability to achieve these compliance requirements for separation of duties and dual control.  You really need to deploy a solution that is specifically designed to manage keys through the entire life cycle.

How do you keep system administrators from getting at the data and the keys at the same time?

Through the use of an encryption key management system, you would have a security administrator responsible for creating encryption keys, and a different database administrator responsible for granting access and setting up tables and that person would have access to the data.  But if the data is encrypted properly, and you are using proper encryption key management techniques, that database administrator will not have encryption keys and the encryption key management administrator will not have data access.  This is the whole concept of separation of duties - that you have different people.  To achieve that kind of compliance or security architecture, it means you have to have technology and procedure controls around this deployment.  So you have to have some people who are responsible for the data who never see encryption keys and some people who are responsible for encryption keys who never see data - so there is a combination of technologies and procedures that are required.  If you don't have the right technology, then you can't prevent these two from interacting - so that is why encryption key management is such an important part of a data protection strategy.  You really need to be able to have that separation of duties to achieve that.

To view the webinar "Encryption Key Management Simplified - Removing Complexity and Cost" in it's entirety, click here and be sure to let us know if you have any further questions.

I’ve always liked those Holiday Inn Express commercials with the theme of “Stay Smart.” The commercials portray an “expert” stepping in to save the day. In one, a “nuclear expert” takes charge of a reactor about to melt down. In another a “doctor” arrives to deliver a baby just in the nick of time. The tag line is funny because the so-called expert turns out not to be a nuclear scientist or a doctor, but just an average person who stayed at a Holiday Inn Express. That made them “smart.” Don’t worry; I’ll bring this discussion back to encryption momentarily.

A while back, reports surfaced of broken encryption security for some Kingston, Verbatim, and SanDisk secure USB storage devices. Not all of the vendor’s devices were affected, but some of their most popular products were. All these products were NIST-certified, causing some industry commentators to erroneously question the certification process. Being a big believer in independent certification, I’d like to weigh in on this controversy and set the record straight.

As it turns out, the weakness, in these devices, was not in the actual AES encryption, but in the key management processes. All the affected vendors quickly released replacements or patches to fix the problem, which is the right thing to do. But it was fascinating to watch some of the responses to this problem. Many commentators complained that the FIPS-140 testing was faulty, or that FIPS-140 testing was irrelevant. The implication is that FIPS-140 does not really give you any assurance of security, and therefore, also by implication, that it is not important.

This is really the wrong conclusion. Let me talk a little about FIPS-140 certification and what is does mean.

First, FIPS-140 certification is not a guarantee of security. It is an assurance that encryption and related security algorithms have been implemented in compliance with published standards, that an application uses good practices in exposing it’s operational interfaces, that start up tests validate that the application has not been modified or corrupted, that cryptographic material is not exposed in application logs or leaked to memory, and that an independent expert has reviewed the source code. Going through a FIPS-140 certification is a grueling process for an encryption vendor and almost always results in finding some issues that need to be addressed to make the product more secure. Companies that engage in FIPS-140 certifications produce better products, and become better security designers in the process.

Is the FIPS-140 testing and certification process perfect? Of course not. That’s not a standard anyone can meet. In fact, NIST is working on a project right now to enhance the process. Believe me, the new certification process (probably to be named FIPS-140-3, for version 3) will not be weaker than the current process, it will be better.

The lesson from the encrypted USB problem is not that FIPS-140 certification is meaningless. It’s that doing encryption right is really difficult. If you want a secure USB storage device, you would NEVER consider using a product that was not FIPS-140 certified. We have plenty of experience of broken security on non-certified products. Problems with certified products are rare, but do happen. Usually you will find that a problem with a FIPS-140 certified product is with some aspect of the application that was out of scope for the certification. That’s the case for the encrypted USB devices that had problems.

To bring us back full circle, I just want to say that no responsible Enterprise should trust a non-certified USB device, anymore than you or I should trust a “doctor” to perform surgery because that “doctor” stayed at a Holiday Inn Express. The sad fact is that many large corporations today are putting their trust in encryption vendors who have not FIPS-140 certified their products. The management of these companies would never consider using a $100 secure USB device without certification, but do entrust the protection of huge amounts of sensitive data to non-certified vendors. In this age where too many try to pass themselves off as experts, it often takes an organization like NIST to certify the expertise behind something as important as encryption.

I’m proud of our NIST certifications – we will never back down from our commitment to provide you with the best security products and our commitment to independent certification. You can learn more about FIPS-140 certification on our web site, or directly from NIST at www.NIST.gov.

For more information, download our white paper "AES Encryption and Related Concepts" and learn about how proper encryption and encryption key management work together to secure your data.

The other night I went to my very first WLC meeting.  WLC is apart of United Way, it stands for Women's Leadership Council.  WLC’s mission is to positively impact the lives of women in our community by promoting self sufficiency and financial stability through philanthropy and community service.

We went around the table and introduced ourselves.  There were many different job titles named;  financial advisor, real estate consultant, partner sales rep, and several others.  After we broke the ice (and secretly judged one another), we touched on all the subjects that women usually talk about, our children, significant others (what they are and are not doing), work and all the other stresses in our lives.   One lady suggested we do something that she does with all of her clients to help get to know them better and asked us, “What is your magic? What is it that sets you apart from everyone else in this world?”  
   
Well shoot!  What is my magic?  And for that matter, what is Townsend Security’s Magic - what sets us apart from the competition?

Our mission at Townsend Security is to provide our customers peace of mind when it comes to data privacy.  We help them do business securely and provide their customers peace of mind.  The way we deliver peace of mind is our magic, it is what sets us apart from any other encryption and key management company.  Our magic.... drum roll please.... is a combination of innovation, experience and our commitment to be known as more than just a data privacy company.  

Our independently certified solutions are developed by experts. The team at Townsend is well-known and well-respected in the industry. We understand the issues around data privacy and compliance and use that knowledge to create and support our solutions. We believe we should be the experts in data privacy so our customers can be the experts in their own industries. No one wakes up and says they want to start an encryption project and no project is the same - so when the time comes we are ready to listen to the problem that needs to be solved and deliver the right solution

In addition to data privacy, Townsend Security is locally known for its commitment to the community.  We are a proud supporter of the United Way and many other local non-profits.  In fact, we were just named the "2011 Corporate Supporter of the Year for Small Busineses" by the Thurston County chapter of United Way.  It is great to work at a company that not only says they want to make their community better - they actually do it and encourage all of its employees to do the same, this is how I became involved with the WLC, which gets back on track about the question posed to myself that night.   My magic, well.. it is everything WLC stands for a hard working young woman, who is graduating from college, raising a small child and doing it all with a positive attitude.  

The phone is ringing, so back to work I go. Time to share more of that Townsend magic (and my own) with one of our customers.  And if they haven’t read this blog post yet, I’ll send it their way.  We want our customers and our community to know how seriously we take our commitment to providing peace of mind in the solutions we sell and in the service we provide.  We know that everyone has their own magic and brings something unique to the table - let us know what yours is.