Townsend Security Data Privacy Blog

Data Security: 10 Things to Consider When Moving to the Cloud

Posted by Michelle Larson on Jun 27, 2014 9:41:00 AM

Encryption and Key Management Can Provide Data Security in the Cloud

Resource Kit: Key Management in the Cloud

Data security is frequently brought up as one of the biggest concerns of moving to the cloud. According to a recent American Institute of CPAs survey, security concerns are the top barrier to adopting or expanding cloud solutions, weighing in at over 63%. Whether you are looking for a cloud database solution or moving other sensitive business data to the cloud, choosing your cloud provider will be a critical decision. After all, not all cloud security providers or cloud security solutions are created equal.

If you’re thinking of moving some or all of your sensitive data to the cloud, we’ve compiled a handy list of questions to help you select the right security solutions for your business. Remember every provider is different, so what might be right for one company might not be the best solution for another. It can seem like a daunting process, but as long as you do your research then you’ll be on the right track!

  1. If I have my sensitive data stored in the cloud, am I responsible if my cloud provider has a data breach?
    The short answer is yes you are.
    When you have sensitive data and are moving it into a cloud environment, you are still ultimately responsible for protecting that data. This can be confusing because cloud vendors make a lot of statements about encryption and compliance; however, you are responsible for your overall data protection strategy. Data security is a shared responsibility in the sense that the network, datacenter, and hardware belong to the cloud provider, while you bring the applications, operating system, and data. You are fully responsible for that data. You are also responsible for making sure the cloud provider can back up its security claims by asking to see specific written compliance reports such as a SOC 3 audit statement, an annual security assessment, and a letter of attestation from a QSA auditor.

  2. Which compliance regulations apply to my business?
    In addition to the 4 listed below, there are also many state laws and regulations that govern security best practices. It is your responsibility to know which ones apply to your company (and which ones apply to your cloud provider's location).
    PCI Data Security Standard (PCI DSS) applies to anyone, public or private, who takes credit cards for payment. Primary account numbers (PAN) are specifically addressed.
    HIPAA/HITECH Act requires the medical segment (and any business associate) to provide data protection for the protected health information (PHI) of patients.
    GLBA/FFIEC applies to the financial industry (banks, credit unions, trading organizations, credit reporting agencies) for protecting all sensitive consumer information.
    Sarbanes-Oxley (SOX) applies to publicly traded companies and covers sensitive data such as personally identifiable information (PII).
    In addition to these compliance regulations, the Cloud Security Alliance (CSA) has created the Cloud Controls Matrix (CCM) specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.

  3. What type of data will be stored in the cloud, and does it need to be encrypted?
    If you are storing any sensitive data (PAN, PII, or PHI), that information must be protected and will need to be encrypted both at rest and in transit. Sometimes your whole database must be encrypted; other times you can choose to encrypt at the column level. Make sure options are available to cover all your critical information.

  4. Who will have access to the encrypted data? Will my cloud service provider or other cloud tenants be able to access my information?
    Only you should have access to your encrypted data and the encryption keys that protect it. In a multi-tenant environment like the cloud, it is even more important to control access. Depending on the value of the data that you store, and your risk tolerance, you may opt to use a virtual private cloud vs. a multi-tenancy cloud environment to store your most sensitive information.

  5. Where should I store and manage my encryption keys?
    Always use an external Key Manager solution to create, store, manage, and properly rotate your encryption keys. Storing encryption keys in the same database as the encrypted data has always been something to avoid! Moving your data to the cloud still allows you to choose where you store your encryption keys: a Hardware Security Module (HSM), a Cloud HSM, a virtual appliance (VMware), a private cloud instance… just as long as they are stored and managed away from the data they protect!

  6. How much control do I retain over my encryption keys?
    When using an external encryption key management solution, you should retain complete control over your encryption keys.

    These next few questions are encryption & key management solution specific. So if you are comparing solutions be sure to ask each vendor!

  7. Do Townsend Security solutions protect data at-rest or in-transit? What type of encryption is used?
    Yes, both. We use industry standard AES encryption to protect data at rest. We also use 128-bit SSL encryption to protect data in transit.

  8. Can Townsend Security solutions grow to meet my business needs? How scalable are the solutions, and is there a limit to how many applications I can connect?
    Yes. We believe you should get a flexible solution that will be able to scale up as your business grows, and not have a limit on how many applications connect to it!

  9. Are Townsend Security solutions validated by the National Institute of Standards and Technology (NIST)?
    Yes. Our solutions are NIST validated and also FIPS 140-2 compliant.

  10. Does Townsend Security Have a “Test Drive” Offering?
    Yes. We always offer a complimentary 30 day evaluation of all of our solutions. Providing a free trial allows you to fully test the concept first, which can help allay fears and answer any questions before making a commitment. With cloud deployments, you may still need to pay for the implementation services associated with the evaluation period, but in the new world of cloud computing, it is important to look for proof points and results before you make your investment.

Data stored in the cloud can be as secure or accessible as you make it. It is up to each and every cloud user to assess their business risk and uphold an expected standard of security.

It is ultimately your responsibility to make sure your data security plan meets compliance regulations. Make sure you have a strong defense in depth strategy in place and are using industry standard encryption and proper key management to protect your data wherever it resides. Learn more by downloading our Resource Kit on Key Management in the Cloud:

Key Management in the Cloud Resource Kit

Topics: Alliance Key Manager, Data Security, Encryption, Encryption Key Management, Defense-in-Depth, Resource Kit, Cloud Security

3 Ways Encryption & Key Management Can Help You Sleep

Posted by Michelle Larson on Jun 18, 2014 11:53:00 AM

Turn Your Nightmares into a Peaceful Night’s Sleep... Even When Your Sensitive Data is Stored in the Cloud

Are you losing sleep over Encryption compliance?

Compliance regulations and security best practices can be enough to make most developers lose some sleep at night, but when the subjects of encryption & key management in the cloud are brought up… it seems like many of those restless heads start to twitch with other worries as well. It goes beyond what types of data need to be encrypted… to concerns about choosing the right encryption algorithm and properly managing the encryption keys. One of the most reported concerns about encryption is the fear of losing the encryption keys. If keys are lost, the data remains forever shrouded from view… not only for hackers, but for you too! Here are three important encryption & key management topics, and three excellent resources that will help you rest easy!

#1 Understand the Importance of Encryption and Key Management

Encrypting your sensitive data is critical to meeting compliance regulations and protecting your organization (and your customers) in the event of a data breach. If you are looking for a non-technical overview, then I highly recommend our most recent eBook, “The Encryption Guide” which covers the importance of encryption as well as critical implementation information such as:

  • When to use encryption
  • What data you should encrypt
  • Where you should encrypt that data
  • Encryption best practices
    (and an excellent summary of compliance regulations)
  • The importance of encryption key management

In order to have a successful encryption solution you must deploy industry standard encryption methodologies, proper encryption key management (NIST validated solutions), and follow administrative and technological best practices such as dual control and separation of duties.

#2 Learn How to Never Lose an Encryption Key

Industry expert Patrick Townsend addresses the following four topics in greater depth in his blog article “Never Lose an Encryption Key in Windows Azure”, and I hope you will check out what he has to say regarding how Alliance Key Manager running in Windows Azure protects you from this potential problem.

  • Backup / Restore
    The first line of defense is always to have a backup of your encryption keys and key access policies. Alliance Key Manager provides you with an option to securely back up your encryption keys, security policies, and server settings and to move this backup out of Windows Azure to your own secure storage...
  • Key and Policy Mirroring
    Alliance Key Manager supports Active-Active (real-time key and security policy) mirroring so that you will always have a full set of your encryption keys available to you even after a failover...
  • Windows Azure Availability Sets
    This is a feature that helps you avoid unplanned outages due to failures of the cloud infrastructure or planned maintenance activities, providing one more way to get the best reliability for your key management infrastructure in the Windows Azure cloud...
  • Mirroring Outside the Windows Azure Cloud
    Lastly, if you are still worried about losing your encryption keys, you can always mirror the keys to a key manager located outside the Windows Azure cloud. We have hardware, hosted, and cloud options for you to choose from!

#3 Know Your Compliance Regulations

Our website is a wealth of information on how encryption and key management meet compliance regulations, and it is frequently a topic in our blog articles! Storing sensitive data in a multi-tenant environment comes with an additional set of concerns, so we suggest this Cloud Security Alliance (CSA) white paper, Security Guidance for Critical Areas of Focus in Cloud Computing, v3, which focuses on the CSA guidance (Domain 11) recommendations for encryption key management. Hardware and software redundancy ensure that you will never lose encryption services or encryption keys. Reliability and redundancy are provided through:

  • Dual RAID controlled disk drives and dual power supplies
  • Real time, bi-directional key mirroring
  • On demand and scheduled backups
  • High availability hot failover
  • Load balancing support

In the ever-changing, ever-evolving technical world that we live in, knowledge is power! Our goal is to constantly provide updated, educational content and the best solutions for protecting sensitive data with solid encryption & key management. So while you might be losing sleep over your plans for the summer, you shouldn’t lose sleep over your encryption strategy!

Start sleeping better by downloading the Encryption Guide:

The Encryption Guide eBook

Topics: Data Security, Encryption, eBook, Encryption Key Management, White Paper

Townsend Security Launches Developer Program for Drupal

Posted by Liz Townsend on Jun 16, 2014 10:55:00 AM

Townsend Security recently traveled down south to Austin, TX for the Drupal developer annual conference, DrupalCon 2014! In partnership with Cellar Door Media, Townsend Security recently released Key Connection for Drupal, the first encryption key management solution for Drupal. Key Connection for Drupal enables developers to use NIST-validated AES encryption and FIPS 140-2 compliant key management for data stored in Drupal.

At DrupalCon 2014 Townsend Security introduced our new Drupal Developer Program. The Drupal Developer Program puts encryption and key management in the hands of developers, free of charge, to implement and test.

Key Connection for Drupal
Key Connection for Drupal allows Drupal users to encrypt sensitive data and do it right. Historically, the Drupal encrypt module only allowed users to store encryption keys natively, or in other less secure ways. Key Connection for Drupal enables encryption keys to be stored off-site in a FIPS 140-2 compliant encryption key manager. Townsend Security’s Alliance Key Manager is available as an AWS, Microsoft Azure, or VMware instance; as a hosted appliance in the cloud; or as a physical HSM. Alliance Key Manager can also perform onboard encryption, meaning that developers can send sensitive data to the key manager to be encrypted with NIST validated AES encryption so that they can provably meet compliance regulations and their encryption keys never leave the key manager.

Developer Program
At Townsend Security, we know that encryption and encryption key management are critical to strong digital security and meeting several compliance regulations such as FISMA, PCI DSS, HIPAA, etc. With Key Connection for Drupal we’ve made encrypting data and managing encryption keys easier than ever. We also know that for strong security to become ubiquitous, it must be easy to obtain and implement. That’s why we’ve begun a developer program that puts technology in the hands of the people who use it most. Drupal developers can now join our developer program, for no fee, and receive up to two free Alliance Key Manager licenses to test internally for non-production use. We hope that through the developer program we can help improve data security in Drupal and the community.

Community
Townsend Security firmly believes in giving back to the Drupal community. Through the Developer Program and our participation in the Drupal Association we hope to continue to bring strong security to the Drupal community as we move forward. To sign up for the Drupal Developer Program, contact us here. To learn more about Key Connection for Drupal, visit the Drupal.org project site here.


Topics: Encryption Key Management, Drupal

Drupal CMS and Higher Education Compliance

Posted by Michelle Larson on Jun 4, 2014 2:44:00 PM

Securing data with encryption and protecting the encryption keys with proper key management is enforced by many compliance regulations (and recommended as a security best practice).

When working with private schools, colleges, and universities, Drupal developers who need to protect their customers’ sensitive data with encryption know important compliance elements include the following:

  • Awareness of how records are managed by the institution.
    … (Do you know who will have access?)
  • Awareness of relevant regulations/laws.
    … (Do you know what they need to follow?)
  • Approach to complying with each item.
    … (Do you know what they should do to follow the law?)
  • Management of institutional records.
    … (Do you know what they need to keep and for how long?)

It is important to remember, when developing a higher education framework, that the ultimate core of higher education is information. Each institution gathers, stores, analyzes, retrieves, and secures the information necessary for proper functioning. Without continued and uninterrupted access to that information, as well as assurances that the information is secure and reliable, institutions would be unable to fulfill their educational, research, and service missions.

For entities in the education sector, it is important to note that data security and IT solutions for colleges and universities also fall under some of the more familiar compliance regulations due to the various programs offered by each institution:

  • PCI DSS will come into play with accepting payments from tuition, books, food services, and housing
  • GLBA/FFIEC covers the student loan and financial offices at most institutions
  • HIPAA/HITECH is also important to consider as most higher education institutions have their own health centers

Driven by student privacy concerns and the need to comply with regulations such as the Family Educational Rights and Privacy Act, educational institutions must also make sure to secure sensitive data and protect their networks from data loss even when that information must be shared.

Family Educational Rights and Privacy Act (FERPA)
Statute: 20 U.S.C. § 1232g Regulations: 34 CFR Part 99

The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords parents the right to have access to their children’s education records, the right to seek to have the records amended, and the right to consent to the disclosure of personally identifiable information from education records, except as provided by law. When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student (“eligible student”).

The Higher Education Information Security Council (HEISC) actively develops and promotes awareness and understanding, effective practices and policies, and solutions for the protection of critical IT assets and infrastructures. HEISC also produces the Information Security Guide: Effective Practices and Solutions for Higher Education, an excellent resource for anyone involved in securing student information with encryption.

Drupal adoption in higher education has skyrocketed, with over 71 of the top 100 US universities and educators around the world publishing websites in Drupal. Arizona State University alone hosts over 800 websites built in Drupal CMS! To meet the growing need for NIST validated and FIPS 140-2 compliant encryption and key management, the data security experts at Townsend Security partnered with Chris Teizel, CEO of Cellar Door Media and Drupal developer, to create the Key Connection plug-in for the Drupal Encrypt module. Key Connection for Drupal provides a secure key management system (Alliance Key Manager) outside of the Drupal installation in order to provide secure key storage and retrieval options. Now when personally identifiable information (PII) is collected or stored in a database, it can easily be encrypted and the encryption keys properly managed. Key Connection for Drupal allows developers and users to choose whether they retrieve a key and encrypt/decrypt locally or send the data to Alliance Key Manager to perform onboard encryption.

For more information, download the Drupal Compliance Matrix:

Drupal Compliance Matrix

Topics: Alliance Key Manager, Encryption, Higher Education, Key Connection for Drupal, Encryption Key Management, Drupal

3 Ways Encryption Can Improve Your Bottom Line

Posted by Michelle Larson on May 20, 2014 11:20:00 AM

In a business world that is moving more towards virtualization and cloud environments, the need for strong encryption and proper key management is critical. Due to all the recent and well-publicized data breaches, we all know about the ways your brand can be damaged if you don’t encrypt your data. Let’s look at the benefits of encryption, and three of the ways it can have a positive effect on your business.

Customer Confidence = Loyalty: When it all boils down, building trust in your business is what will make or break relationships with your customers, business partners, and potential investors. After major retail breaches in 2013, a study conducted on 700 consumers showed that the three occurrences that have the greatest impact on brand reputation are data breaches, poor customer service, and environmental disasters. These three incidents were selected ahead of publicized lawsuits, government fines, and labor or union disputes. By being transparent about the ways that you will store and protect their sensitive data (required to operate your business), you will build a level of confidence and trust with your current and potential clients and customers. Using encryption to protect your customers’ sensitive information is the best way to keep any unauthorized user from successfully using the data if it is accessed. Properly deploying encryption means using an encryption key manager that separates and securely stores the encryption keys away from the encrypted data. Let your clients know you take data security seriously, and let the would-be thieves know “move along, there is nothing to see here”!

Cloud = Cost Savings: Encryption can help your business move successfully to cloud and virtual environments. Because of the multi-tenant nature, cloud solutions can offer a significant cost savings to most organizations… but what about those other “tenants”, are they able to gain access to your information? What about the treasure trove of information that is attracting more and more hackers? Encryption can make it possible to leverage the benefits and cost savings of the cloud while ensuring the privacy of your sensitive data.

  • By using encryption, you can make sure your information is secure when it is “at rest” or “in motion”.
  • By properly handling encryption keys with an encryption key manager, you make sure you are the only one able to access your encryption keys.
  • By keeping your encrypted data and your encryption keys in separate locations, you remain in control even when your data has left the building.

Customer Compliance = Competitive Advantage: Keeping data secure is the law for many commercial and private organizations. If any sensitive information is stolen or lost, your company may suffer some serious consequences, especially if that information is not encrypted. Using industry standard encryption also helps you meet various compliance regulations and data security standards. Depending on what industry your business is in, different regulations will come into play. As an example, all companies that take credit card payments fall under the Payment Card Industry Data Security Standard (PCI DSS). We all use credit cards and we want assurance that our information is safe. Would you shop online with a company that didn’t take measures to protect your account information?

If a data breach occurs and personally identifiable information is lost, the breached company must notify all their customers who are impacted. Did you know that there are data breach notification laws in 46 of the 50 states? Some regulations have a safe harbor clause, protecting companies from public notification if the stolen data is encrypted and if the encryption keys are not compromised. Along with the frequency, the cost of these breaches continues to escalate: The average cost to an organization for a data breach is up 15% with an average cost of 3.5 million dollars (2014 Ponemon Report). So using encryption to protect data and properly handling key management could save you millions of dollars in the event of a breach. Given the high cost of breach notification doesn't encryption just make sense?

Whether you choose a designated hardware security module (HSM), something designed specifically for virtualized environments (VMware), or data storage in the cloud, encryption and key management solutions can help you:

  • Gain competitive advantage and build loyalty by protecting your customers’ data against access by unauthorized users
  • Reduce hardware costs by leveraging virtual environments in the cloud
  • Significantly improve your data security strategy while satisfying data compliance and privacy requirements

Overall, data encryption offers many benefits and provides solid protection against potential threats or theft. In addition to the many benefits, encryption is also efficient, easy to use, and affordable! Want to learn more about encryption? Download our eBook “The Encryption Guide”:

The Encryption Guide eBook

Topics: Data Security, Encryption, eBook, Encryption Key Management, Business Risk

Drupal CMS and GLBA/FFIEC Compliance

Posted by Michelle Larson on May 7, 2014 12:47:00 PM

Securing data with encryption and protecting the encryption keys with proper key management is addressed in many compliance regulations and security best practices.

For business owners, database administrators, or Drupal developers who need to protect their customers’ sensitive data with encryption, storing the encryption keys within the Drupal CMS puts that data at risk of a breach. Depending on your industry, different regulations and standards will require you to implement safeguards on some or all of the information contained within your applications.

The financial industry includes banks, credit unions, and other financial organizations, including venture capital firms, private equity firms, investment banks, global investment firms, bank holding companies, mutual funds, exchanges, brokerages, and bank technology service providers, among others. In order to meet compliance regulations, information security programs must be in place to ensure customer information is kept confidential and secure, protected against potential threats or hazards to personal information (cyber-attack, identity theft) and protected against unauthorized access to or use of a customer's personal information.

If you fall within the financial sector, the following will apply:

The Gramm-Leach-Bliley Act (GLBA) of 1999 (15 USC 6801) first established a requirement to protect consumer financial information.
Title 15, Chapter 94, Subchapter I, Sec. 6801 (US Code Collection)
Sec. 6801. Protection of nonpublic personal information

(a) Privacy obligation policy

It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.

(b) Financial institutions safeguards

In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards.

The Federal Financial Institutions Examination Council (FFIEC) supports the GLBA mission by providing extensive, evolving guidelines for compliance and evaluating financial institutions. Financial services regulations on information security, initiated by the GLBA, require financial institutions in the United States to create an information security program to:

  • Ensure the security and confidentiality of customer information
  • Protect against any anticipated threats or hazards to the security or integrity of such information
  • Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer

Federal Reserve Board Regulations - 12 CFR - CHAPTER II - PART 208 - Appendix D-2
-- Interagency Guidelines Establishing Standards For Safeguarding Customer Information--

… III. Development and Implementation of Information Security Program
… C. Manage and Control Risk
Each bank shall:
… c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access.

Enforcement of these financial industry compliance guidelines falls to five agencies: the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS). In collaboration, these agencies have developed a series of handbooks that provide guidance, address significant technology changes, and incorporate a risk-based approach for IT practices in the financial industry. The "Information Security Booklet" is one of several that comprise the FFIEC Information Technology Examination Handbooks, and it references encryption in detail. (Resource links are listed below.)

Summary: Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit. Encryption implementations should include:

  • Encryption strength sufficient to protect the information from disclosure until such time as disclosure poses no material risk
  • Effective key management practices
  • Robust reliability
  • Appropriate protection of the encrypted communications endpoints

To meet the growing need for NIST validated and FIPS 140-2 compliant encryption and key management, the data security experts at Townsend Security partnered with Chris Teizel, CEO of Cellar Door Media and Drupal developer, to create the Key Connection plug-in for the Drupal Encrypt module. Key Connection for Drupal provides a secure key management system (Alliance Key Manager) outside of the Drupal installation in order to provide secure key storage and retrieval options. Now when nonpublic personal information is collected or stored in a database, it can easily be encrypted and the encryption keys properly managed. Key Connection for Drupal allows developers and users to choose whether they retrieve a key and encrypt/decrypt locally or send the data to Alliance Key Manager to perform onboard encryption.
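The two modes described here and in the Key Connection for Drupal post above (retrieve the key and encrypt locally, or send the data to the key manager for onboard encryption), as an added PHP example that is not Key Connection's or Alliance Key Manager's own code: `FakeKeyManager`, its method names and the stored-record layout are assumptions standing in for an external key manager, and the block needs PHP 7.4+ with the OpenSSL extension.

```php
<?php
// Added example, not Key Connection for Drupal's or Alliance Key Manager's code.
// FakeKeyManager is an in-memory stand-in for an external key manager; its
// method names and the stored-record layout are assumptions for this demo.
declare(strict_types=1);

interface KeyManager
{
    /** Local mode: the application fetches the key and encrypts on its own. */
    public function fetchKey(string $keyId): string;
    /** Onboard mode: plaintext goes to the key manager; the key never leaves it. */
    public function encryptOnboard(string $keyId, string $plaintext): string;
    public function decryptOnboard(string $keyId, string $record): string;
}

final class FakeKeyManager implements KeyManager
{
    /** @var array<string,string> key id => 256-bit AES key, held outside the CMS database */
    private array $keys = [];

    public function __construct(array $keyIds)
    {
        foreach ($keyIds as $id) {
            $this->keys[$id] = random_bytes(32);
        }
    }

    public function fetchKey(string $keyId): string
    {
        if (!isset($this->keys[$keyId])) {
            throw new RuntimeException("unknown key id: $keyId");
        }
        return $this->keys[$keyId];
    }

    public function encryptOnboard(string $keyId, string $plaintext): string
    {
        return sealField($this->fetchKey($keyId), $keyId, $plaintext);
    }

    public function decryptOnboard(string $keyId, string $record): string
    {
        return openField($this->fetchKey($keyId), $keyId, $record);
    }
}

/** Encrypt one field value with AES-256-GCM; the key id is bound in as AAD. */
function sealField(string $key, string $keyId, string $plaintext): string
{
    $iv  = random_bytes(12); // fresh 96-bit nonce for every value
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $keyId);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // What the database column holds: key id, IV, tag, ciphertext. No key bytes.
    return $keyId . ':' . base64_encode($iv . $tag . $ct);
}

/** Reverse of sealField(); fails closed on a wrong key or a modified record. */
function openField(string $key, string $keyId, string $record): string
{
    [$storedId, $b64] = explode(':', $record, 2);
    if ($storedId !== $keyId) {
        throw new RuntimeException('record was encrypted under a different key');
    }
    $raw = base64_decode($b64, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed record');
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                          substr($raw, 0, 12), substr($raw, 12, 16), $keyId);
    if ($pt === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered record');
    }
    return $pt;
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new LogicException("check failed: $what");
    }
}

// Constructed demo data: one key id and one PII field value.
$keyId = 'student-pii-2014';
$km    = new FakeKeyManager([$keyId]);
$pii   = 'SSN=123-45-6789';

// Local mode: fetch the key, then encrypt and decrypt inside the application.
$key    = $km->fetchKey($keyId);
$stored = sealField($key, $keyId, $pii);
expect(openField($key, $keyId, $stored) === $pii, 'local-mode round trip');

// Onboard mode: the application only ever handles the key id and the ciphertext.
$stored2 = $km->encryptOnboard($keyId, $pii);
expect($km->decryptOnboard($keyId, $stored2) === $pii, 'onboard-mode round trip');

// A copy of the database alone is useless: a key manager without this key cannot open it.
$other = new FakeKeyManager([$keyId]);
try {
    $other->decryptOnboard($keyId, $stored2);
    expect(false, 'a foreign key manager must not decrypt');
} catch (RuntimeException $e) {
    echo "foreign key manager rejected the record: {$e->getMessage()}\n";
}
echo "stored column value: $stored\n";
```

Run it with `php example.php`; the stored value printed at the end is what a database dump would expose, and it carries only the key id, never the key.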

For more information, download the Drupal Compliance Matrix:

Drupal Compliance Matrix


Additional Resources:

Federal Financial Institutions Examination Council (FFIEC)

FFIEC Information Technology Examination Handbooks

Gramm-Leach-Bliley Act (GLBA)

Federal Reserve System (FRB)

Federal Deposit Insurance Corporation (FDIC)

National Credit Union Administration (NCUA)

Office of the Comptroller of the Currency (OCC)

Office of Thrift Supervision (OTS)

Topics: Alliance Key Manager, Compliance, Key Connection for Drupal, Encryption Key Management, Drupal

New eBook: The Encryption Guide

Posted by Liz Townsend on Apr 25, 2014 3:14:00 PM

Roadmap to a Strong Encryption Solution

We live in the time of the data breach. Data privacy experts no longer consider a data breach a matter of “if”, but “when”. That’s why organizations are asking themselves: How do I protect myself? How do I find out what data I’m supposed to protect? Most businesses can find out what data they need to protect based on the industry data security standards they fall under. The technology those regulations require or recommend can be difficult to implement, however, especially encryption.

Townsend Security has just released a new eBook, “The Encryption Guide,” to help IT professionals and business leaders alike navigate the steps to implementing a successful encryption solution. This eBook answers both basic and more difficult questions about encryption such as:

  • What is encryption
  • When should I use encryption?
  • What data should I encrypt?
  • Where can I encrypt data?
  • What are encryption best practices?

Check out the excerpt below from the introduction, and download the full eBook to get answers to these questions and more.

“Data security today is a major problem. Security professionals, administrators, and executives know this because highly publicized data breaches occur on what seems to be a monthly, if not weekly, basis, and lesser-publicized data breaches happen nearly every day. Loss of customer trust, huge payouts in fines, damage to reputation, and business leaders losing their jobs are just some of the consequences associated with a data breach.

Most high profile data breaches result in a lot of finger pointing with little discussion about what actually went wrong, and how other companies can prevent suffering a similar fate. Unfortunately, it is often revealed that some of the largest data breaches could have been prevented had the organization used proper encryption and encryption key management where it was needed.

Unencrypted sensitive data is a dangerous reality for most businesses. It’s an issue complicated by the fact that sensitive data is typically processed and stored in many disparate, fragmented locations so that administrators and business leaders alike aren’t certain where their data is, if they’re handling unknown sensitive data, which data should be encrypted, or know if their data is being encrypted at all.

In this eBook designed for IT administrators and executives, we will discuss how critical encryption is to your business continuity, how a solid encryption plan can help protect your business in the event of a data breach, and encryption best practices that will ensure your data security plan is effective and defensible, and keep you and your customers safe.”


Topics: Encryption, eBook, Encryption Key Management

Cloud Resellers: Meeting Customer Concerns About Data Security in Azure, AWS, and Other Clouds

Posted by Liz Townsend on Apr 18, 2014 10:17:00 AM

Today, cloud resellers need to know that companies searching for a cloud provider to host their information technology have several good options. Microsoft Azure and Amazon Web Services (AWS) are two popular and trustworthy cloud platforms, and there are many other smaller cloud and private cloud platforms that can meet specific technological needs. However, when moving to the cloud, organizations must also consider the security options provided by that cloud service in order to address their own concerns about data security. This can be an issue for cloud resellers whose customers need good security in order to move to the cloud.

Finding good security on a cloud platform can be difficult when cloud security seems to be far more expensive than the cloud solution itself. Many companies need to encrypt sensitive data such as cardholder data, protected health information (PHI), and other personally identifiable information (PII), as well as manage their own encryption keys to meet compliance regulations.

This is why third-party cloud encryption and key management solutions are becoming more and more popular with cloud resellers who need to provide their customers easy and cost-effective encryption and key management. Third-party security can help a company choose the cloud provider they want without having to compromise their data security due to cost.

Cloud resellers for Azure, AWS, and other cloud providers should consider these concerns their customers may have about data security on cloud platforms:

1. Multi-Tenancy

Since it is shared by many users, the cloud is inherently less secure than dedicated hardware. Cloud solutions utilize shared resources such as disk space and RAM, which is why the cloud is much less expensive than purchasing your own hardware; however, this means you have less control over who has access to your data. This is why encryption is critical to organizations that store sensitive data in the cloud.

2. Standards-Based Encryption

Many organizations attempt “in-house” or do-it-yourself encryption in an attempt to avoid difficult or costly third-party encryption solutions. However, these DIY projects tend to be difficult and rarely result in strong, defensible security. They can lead to huge problems down the road, especially when it comes to meeting compliance regulations, and it is common for these solutions to fail data security audits.

One major reason a DIY approach to encryption often fails is a lack of strong cryptography and encryption key management. The management and documentation of the encryption key lifecycle (creation, rotation, and deletion) is mandated by many regulations such as the Payment Card Industry Data Security Standard (PCI DSS). Anyone handling sensitive data must meet the specific encryption and key management requirements set forth by the industry or government regulations they fall under.

For these reasons, most organizations choose a certified third-party encryption and key management vendor to help them meet compliance as well as centralize and streamline the encryption and key management of all of their sensitive data in the cloud.

3. Encryption Key Management

Encryption key management is a major concern for cloud users. Even if their cloud vendor offers a native encryption option, how that vendor manages encryption keys can be a barrier for organizations who need to manage their own encryption keys in order to meet compliance. In accordance with many compliance regulations, businesses must document how they manage their encryption keys away from their encrypted data. This can be very difficult if your encryption keys are being stored in the cloud and accessible by the cloud provider. Some cloud providers offer encryption key management; however, they do so at a cost that makes using the cloud an unattractive choice. Cloud resellers must be aware that this, too, can be a barrier to cloud adoption.

Cloud resellers need to know that security is a barrier for many companies who wish to move to the cloud. Building a toolbox of certified cloud encryption vendors can help them win these customers and gain new revenue.

To learn more about encryption key management for the cloud, view our webinar, “Encryption & Key Management Everywhere Your Data Is,” featuring data privacy expert Patrick Townsend.


Topics: Encryption, Encryption Key Management, Cloud Security

Drupal CMS and PCI DSS Compliance

Posted by Michelle Larson on Apr 2, 2014 11:14:00 AM

Securing data with encryption and protecting the encryption keys with proper key management is addressed in many compliance regulations and security best practices.

For Drupal developers who need to protect sensitive data in their (or their clients’) content management system (CMS), storing the encryption keys within the Drupal CMS puts that data at risk for a breach. Security best practices and PCI DSS compliance regulations call for sensitive data to be protected with encryption, and for data-encrypting keys (DEKs) to be physically or logically separated from the sensitive data and protected with strong key-encrypting keys (KEKs). Depending on what type of information is being stored and what industry guidance your project or company falls under, compliance regulations in addition to PCI DSS may apply.

For any company that accepts credit card payments, the Payment Card Industry Data Security Standards (PCI DSS) issues 12 requirements that must be met in order to be compliant. It can seem overwhelming at first, but the PCI council that issues PCI DSS also provides detailed reference guides and instructions on each requirement. Let’s take a high level look at all twelve items:

Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data*
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel

Within the latest documentation by the PCI Security Standards Council (v3.0, released November 2013), specific testing procedures and guidance are given for Requirement 3 on pages 34-43. The PCI Security Standards Council (PCI SSC) website contains this documentation along with a number of additional resources to assist organizations with their PCI DSS assessments and validations. PCI SSC also issues Cloud Computing Guidelines and additional information around virtualization of data protection solutions, so you can be PCI compliant with a cloud-based solution for encryption and key management.

Requirement 3 addresses the need for encryption and key management, stating:


“Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.”

In order to address PCI DSS Requirement 3 (Protect stored cardholder data), the security experts at Townsend Security partnered with Chris Teitzel, CEO of Cellar Door Media and Drupal developer, to create Key Connection for Drupal, which works in connection with the existing Drupal Encrypt module. To provide secure key storage and retrieval options, Key Connection for Drupal uses a key management system (Alliance Key Manager) that sits outside of the Drupal installation. Now when cardholder information is collected or stored in a database it can easily be encrypted and the encryption keys properly managed. Key Connection for Drupal allows developers and users to choose whether to retrieve a key and encrypt/decrypt locally, or to send the data to Alliance Key Manager to perform on-board encryption.
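The DEK/KEK separation called for above, and the "retrieve a key and encrypt locally" option just described, as an added example in Go. This is not code from Townsend Security, Key Connection for Drupal or Alliance Key Manager: the KeyManager type is a constructed stand-in for a key server that runs outside the application, the Record type is a constructed model of what the CMS database would hold, and the key id "kek-2014-v1" and the card number in the usage are constructed sample values. The pattern is standard envelope encryption: each field gets its own one-time DEK, the DEK is wrapped by a KEK the application never sees, and only the wrapped DEK is stored next to the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyManager is a constructed stand-in for a key server that runs outside the
// application (not the API of Alliance Key Manager or any real product). It holds
// key-encrypting keys (KEKs) and never releases them; callers only get wrapped DEKs.
type KeyManager struct {
	keks map[string][]byte // KEK id -> 32-byte AES-256 key
}

// NewKeyManager generates one fresh 256-bit KEK under the given id.
func NewKeyManager(kekID string) (*KeyManager, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KeyManager{keks: map[string][]byte{kekID: k}}, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag under AES-256-GCM; aad is authenticated only.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on any change to the ciphertext or aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// WrapDEK and UnwrapDEK are the only operations the key server exposes on a KEK;
// the KEK id is bound in as associated data so a wrapped DEK cannot be re-labelled.
func (km *KeyManager) WrapDEK(kekID string, dek []byte) ([]byte, error) {
	kek, ok := km.keks[kekID]
	if !ok {
		return nil, errors.New("unknown KEK id")
	}
	return seal(kek, dek, []byte(kekID))
}

func (km *KeyManager) UnwrapDEK(kekID string, wrapped []byte) ([]byte, error) {
	kek, ok := km.keks[kekID]
	if !ok {
		return nil, errors.New("unknown KEK id")
	}
	return open(kek, wrapped, []byte(kekID))
}

// Record is what the application stores for one protected field; no plaintext key.
type Record struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptField makes a one-time DEK, has the key server wrap it, encrypts the field
// locally and keeps only the wrapped DEK; the plaintext DEK is discarded.
func EncryptField(km *KeyManager, kekID string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	wrapped, err := km.WrapDEK(kekID, dek)
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext, nil)
	return Record{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, err
}

// DecryptField has the key server unwrap the DEK, then decrypts locally.
func DecryptField(km *KeyManager, r Record) ([]byte, error) {
	dek, err := km.UnwrapDEK(r.KEKID, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, nil)
}
```

Usage: `km, _ := NewKeyManager("kek-2014-v1")`, then `rec, _ := EncryptField(km, "kek-2014-v1", []byte("4111111111111111"))` (a constructed test card number) and `DecryptField(km, rec)` to recover it. Because the record carries the KEK id, a KEK can be rotated by unwrapping each DEK under the old id and re-wrapping it under the new one without touching the ciphertext, and a copy of the database taken without access to the key server holds nothing that can be decrypted.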

Other compliance requirements for protecting information go beyond cardholder data (PCI focuses specifically on the PAN, or Primary Account Number) and also require that personally identifiable information (PII) such as names, birthdates, email addresses, zip codes, usernames, or passwords be protected with encryption and key management. Check back, as future blogs will cover additional data privacy compliance regulations and security best practices that impact developers and users of the Drupal CMS open source platform in regards to protected health information (PHI).

For more information on PCI Compliance, download the Whitepaper: "Meet the Challenges of PCI Compliance"


Topics: Compliance, PCI DSS, Encryption Key Management, White Paper, Drupal

Three Features That Enable Easier Encryption & Key Management

Posted by Liz Townsend on Mar 20, 2014 2:39:00 PM

In light of the recent, massive Target data breach, and the fact that Target had passed a PCI DSS audit yet lacked proper security controls, many organizations are searching for stronger data security. Using encryption to protect sensitive data should be considered a top priority for organizations that want to protect themselves from a potential data breach. Strong, defensible encryption used in conjunction with strong key management and a system logging solution can enable a business to catch a breach in real time when it happens, and know that any sensitive data that has been accessed is undecipherable by the attacker. Even with sophisticated and expensive malware detection software, the only way to secure the breach and avoid breach notification is with encryption and encryption key management.

Few organizations are aware of the extreme criticality of encryption and key management, and of the ones that are aware, many still consider encryption a last-effort solution and grapple with its reputation for being difficult and costly. Encryption and encryption key management can be difficult and costly; however, it doesn’t need to be. Different encryption key management vendors offer varying features and applications as well as pricing structures, and finding a solution that can integrate easily into your IT infrastructure is an achievable task. The key is to look for specific features that increase ease of use while decreasing costs.

  1. Easy-to-use client-side applications - A security expert and developer once said to me, “People say a lot of things aren’t ‘rocket science,’ but encryption key management is like ‘rocket science’.” This is why businesses very rarely develop their own encryption and key management solutions internally. How easy an encryption key management vendor makes their solution to use is a major factor in a purchasing decision. If encryption is going to become as widely used as it needs to be, the client-side applications that manage encryption keys must be usable and intuitive to the average security administrator.
  2. Scalable pricing structure - Scalability results in affordability. Not every company can invest millions of dollars in malware detection and security consultants, and we’ve found out that the companies who can afford those services still have data breaches. Data breaches don’t discriminate, which is why encryption and key management solutions must be affordable for organizations regardless of size. Five years ago, the only encryption key management solutions available were very expensive hardware solutions. Many vendors charge extra fees per network connection, which is neither an easy nor a scalable solution for companies that are growing. These hardware security modules (HSMs) are still widely used and preferred by businesses with a low tolerance for security risk, but many are turning to newer cloud solutions that offer the same certified technology with a lower price tag.
  3. Cloud compatibility - Moving applications and data centers to the cloud is a natural step for organizations attempting to consolidate their IT infrastructures and lower operational costs. Security, however, remains the number one concern for the cloud, a multi-tenant environment that shares resources with other users. Encryption and key management is essential to protecting any sensitive data processed or stored in cloud applications or databases, and cloud-based or hosted solutions are readily available. Just remember that your key management solution must be FIPS 140-2 compliant and not share services with other users in order to be compliant with most data security regulations.

Encryption and encryption key management are essential, proactive technologies that help organizations remain intact in the event of a data breach. Look for these three features in a certified solution to protect yourself and your customers.

Townsend Security’s FIPS 140-2 compliant “one-click” ready-to-use key management solutions enable cloud users to easily protect their data in the cloud or data center at an affordable price. Learn more by viewing the webinar, “Encryption & Key Management Everywhere Your Data Is,” featuring data security expert Patrick Townsend.


Topics: Encryption, Encryption Key Management, cloud, Cloud Security