Townsend Security Data Privacy Blog

Encryption and Key Management - The SIX Mistakes that Startups and ISVs Make and How To Avoid Them

Posted by Patrick Townsend on Apr 18, 2019 1:27:59 PM

In our practice here at Townsend Security we engage with a lot of startups and mature ISVs who are trying to grow their business and customer base, leverage their technologies into new opportunities, and grow or migrate to the cloud. We know how difficult it is to start and grow a company, and what a wide set of business challenges have to be overcome. Our hats are off to every entrepreneur who has created a successful company, and every ISV who has kept it going!

Designing Applications with Encryption and Key Management I want to share a few thoughts on some pitfalls that can damage your ability to grow your company with a focus on the encryption of sensitive data. Too many promising companies flounder because of poor security implementations, and failing to get encryption right can lead to lost opportunities - maybe even the loss of that breakout sale you need to land a global company. Some early thought and planning about data security can help you weather your migration up the food chain and avoid such losses.

Number 1: Failure to encrypt sensitive data

The single biggest failure of data security is not doing it at all. Even in this age of massive public data breaches, and the damage that they do to companies of all sizes, most startups and ISVs are not implementing encryption of sensitive data. When product managers and developers work on their next big idea, they focus on exciting features in their product and often ignore the work it takes to implement encryption. They instead rely on access control lists and other mechanisms to protect data. These are, of course, important things to do. But the failure to encrypt sensitive data leaves a big hole in your security strategy.

What can go wrong if you haven’t implemented encryption? LOTS !!!

  • The publicity around a data breach can tarnish your reputation and kill opportunities.
  • The lack of encryption may cause compliance regulation failures making it impossible to enter new markets.
  • You may not be able to pass a security review of your software by that large global Enterprise.
  • You may not be able to enter government channels where encryption is a mandate.
  • If your customer experiences a data breach you may encounter substantial litigation costs that damage your financial resources and delay critical development.
  • You may fail to secure that next round of funding when an investor discovers the security gaps in your product.

When these kinds of events damage your ability to grow your company, it can be hard to mitigate them in a timely fashion. And you often won’t know about these dangers until you get fairly far down the road with your business plan.

Number 2: Failure to get key management right

For startups and ISVs who DO understand the need for encryption of sensitive data, the next biggest pitfall is the failure to protect encryption keys properly. Almost every database that supports encryption also supports the ability to protect the database encryption keys with a key manager. But that doesn’t mean that good key management is the default! In most cases the default database key management option is to store the encryption keys on the same server as the sensitive data. Sometimes the database will even store the encryption key locally and in the clear! So getting encryption key management right is critical to your security strategy. It won’t help to have encryption of your data enabled, and then have a cybercriminal steal your data along with the encryption key.

Related to key management here are some things to look for when you consider databases for your application:

  • Does your database have built-in encryption? Relying on third-party encryption solutions at the file/folder level will certainly cause deployment and scalability problems.
  • Does your database support integration with third-party key managers? If there is no easy way to integrate proper key management into the database, this will also cause deployment and technology delays.
  • Does your database support open standards for key management? For example, the Key Management Interoperability Protocol (KMIP) defines how applications like databases can easily integrate a key manager.
  • Does your database support key management failover? Remember that protecting encryption keys with a key manager also brings along the question of high availability and failover.

HINT:

If you are a startup be sure to choose a database that supports built-in encryption and proper key management. You have lots of good choices in both commercial and open source solutions. So go with a database with native, built-in encryption and key management!

Number 3: Failure to get FIPS 140-2 right

There are important standards and certifications for key management solutions. The most important of these is the National Institute of Standards and Technology’s (NIST) FIPS 140-2 standard. In addition to being a published standard, there is also a validation process for key management systems. The standard, and the validation to that standard, are critically important to your data security strategy. All professional key management solutions have been validated to the FIPS 140-2 standard and you should be sure to deploy a validated key management solution. This will help you avoid failing a security audit by that important new customer!

In addition to ensuring that your key manager is validated to FIPS 140-2, be sure that the entire key management solution is validated. There are many cases where the encryption library alone is validated to FIPS 140-2, but the key management application is not. It is good to have validated encryption, but that is just the start! Encryption key management has its own validation points and you will need both.

Snake Oil Alert !!!

Unfortunately, there are some key management solutions that make unwarranted claims about FIPS 140-2 compliance and validation. Here are a few warning signs to look for when you evaluate a key management solution:

  • A vendor makes compliance claims, but there is no validation. Some vendors claim to be “FIPS 140-2 compliant” but in fact have never completed a FIPS 140-2 validation. Security is hard, and unsubstantiated claims should be a red flag.
  • A vendor claims FIPS 140-2 compliance, but the validation is “in process”, but not complete. A security product can be “in process” for many months or even years. A claim of FIPS 140-2 compliance without actual completion should also be a red flag.
  • A vendor makes some claims of FIPS 140-2 validation, but research shows that the key management solution was not validated by that vendor.
  • A vendor makes a claim of FIPS 140-2 compliance, but the solution is only compliant when backed by a third party validated key management solution. In this case the vendor solution itself is not validated, but relies on the validation of another solution. You may be fooled into thinking that the solution itself is compliant when it is not. Especially watch for this pitfall with open source solutions.

You can always check a vendor’s claims of FIPS 140-2 compliance. Ask for the NIST FIPS 140-2 certificate number, and then Google it. NIST makes the validation certificate available to the public on their website. Copy and paste this into Google search:

NIST FIPS 140-2 certificate number 1449

That was easy!

Number 4:  Failure to make encryption and key management easy and invisible

Now that you are on the road to getting encryption and key management right, it is important to also make it easy and invisible. Your customers have a lot on their agendas, and becoming a key management expert is probably not one of them. So even if you follow the above advice and implement encryption and key management, do your customers a favor and make key management easy. The best way to do this is to bundle a key management solution into your product, and make key management automatic. You can still enable the configuration of an external key management system (some customers will want this), but you can really make it easy for most of your customers if you automate the key management tasks.

Automating key management is a great competitive advantage! One of our partners in the archival and backup space implemented this strategy and make great competitive wins on this feature alone! Their message was simple:

“We have encryption and key management. It is FIPS 140-2 validated. It is completely automatic so you don’t have to spend time fiddling around with a complex key management system.”

This strategy won them a lot of competitive deals and it was easy to talk about - and it shortened the sales cycle.  Of course, be sure that your key management solution supports this type of integration and automation!

Number 5:  Failure to segment customer data

As you move to the cloud and create shared, multi-tenant SaaS solutions, be sure to plan for and architect data segmentation into your solution. You will encounter large customers who will not want to have their data in the same space as other customers. They will want the additional security of segmenting their data into a virtual private cloud. With planning, your technical team can meet this kind of requirement, and help you close that very large deal.

Of course, a data segmentation plan requires a key management segmentation plan. For the same reasons customers want to segment their data, they don’t want to share key management with other customers. And they want to maintain full control of the key management implementation. So be sure to plan for customer-specific deployments of encryption key management and failover key management servers. A properly implemented data and key management segmentation plan will even allow for on-premise deployments that are “cloud ready.”

Number 6:  Failure to develop new market opportunities

Think about Amazon (the company) for a moment. At one point in their history they were an online bookstore. Today the company is very different. Amazon first leveraged its technologies to sell all kinds of products, and then created Amazon Web Services (AWS) to enable all of us to benefit from cloud technologies.

Are you thinking like Amazon? If not, you might be missing some big opportunities. Now that you have secure applications, are there lateral opportunities or technology licensing opportunities available to you? When you approach new opportunities and partners, don’t be afraid to talk about security. Regardless of what you’ve heard:

SECURITY SELLS!

Developing Applications with Encryption & Key Management

Topics: Encryption, Encryption Key Management, ISV, Partner

Payment Applications Can Secure Data Breaches with Key Management

Posted by Liz Townsend on Jul 17, 2013 1:29:00 PM

Overcoming Critical Security Issues Payment Application eBook If you’re an independent software vendor (ISV) who sells payment applications to retailers, what does it mean when your payment application meets PCI standards, but doesn’t actually protect your customers? A lot of people out there, especially consumers, wouldn’t even think the security of the software that handles their credit card data is an issue. Many people don’t realize that there’s a huge problem with data security in point-of-sale (POS) and retail software applications. However, time and time again we see major data breaches occurring through cash register systems that process credit card data, which invariably means that those systems aren’t adequately protecting consumer data.

The problem with data security in payment applications arises when retail ISVs and POS vendors certify their payment applications with the Payment Card Industry Security Standards Council (PCI-SSC). The PCI-SSC requires that these businesses use strong encryption and encryption key management in their payment applications. Although most payment application vendors incorporate encryption and encryption key management into their solutions, many of them do it poorly, skating by with the minimum requirements. In the end, their applications pass certifications but would not protect their customers--or themselves--in the event of a data breach.

And data breaches are happening every day! Today data breaches are considered a matter of “when,” not “if.” It is almost a certainty that it is only a matter of time before a data breach affects one of your customers.

Unfortunately, encryption and encryption key management are complicated tools for ISVs to build on their own--in fact, doing a “home grown” encryption project is almost never recommended by encryption experts. Because many ISVs don’t have the resources to create their own encryption and encryption key management, Townsend Security offers an encryption key management solution that retail ISVs and POS vendors can integrate into their applications to provide their customers with industry standard, certified data security solutions.

We recently published an eBook titled, “Overcoming Critical Security Issues - a Guide to Proper Encryption Key Management,” for POS vendors and Retail ISVs. Read an excerpt written by Townsend Security Founder and CEO Patrick Townsend and download the eBook now:

Average cost of a data breach“Merchants are very worried about data breaches and the potential effect of a breach on their business. The average data breach costs a company $5.5 million, which includes the cost of fines as well as the costs associated with lost business, litigation, and brand damage. A successful exploit of poor data security can destroy years of work building brand reputation. Smaller businesses may never fully recover from a well-publicized data breach. Payment application vendors with poor encryption and key management are subjecting not only their customers to these risks, but themselves as well.”

Good encryption and key management for credit card numbers will also give payment application vendors an advantage over their competitors. PCI standards are not set in stone; data security is constantly evolving to meet new challenges and threats. CEOs and Product Managers in the payment application industry should be having a high-level discussion about data security. Now is the time to move to a second generation data security strategy for protecting customer credit card information. You need a solution that doesn’t just look good on paper, but will protect you and your customers in the event of a breach.”

To read more, download the eBook now.

eBook: Overcoming  Critical Security Issues

Topics: Payment Applications, Retail ISV, ISV

How Do You Plan to Overcome Critical Security Issues?

Posted by Michelle Larson on Jul 10, 2013 10:55:00 AM

Four steps to better encryption key management in the retail environment

When the PCI Security Standards Council released the Payment Application Data Security Standard (PA-DSS) in 2008, the security of payment applications took a big leap forward. Today, All retail ISVs providing payment applications must certify their products with PA-DSS (which requires encryption and encryption key management for applications that process credit card data). Merchants expect this level of certification in payment applications they use, and their customers expect personal information to be secured.

Yet time and time again we see news reports about retailers experiencing data breaches through their payment application software. These breaches tell us that PA-DSS certifications alone don’t always equal good security.  

Here are four steps you can take on the road to better security:

1 ) Be Aware of Security Issues

In the rush to meet PA-DSS requirements for credit card encryption, many payment applications incorporated just enough technology to pass the certification requirements around encryption of sensitive data, but not enough to stay current with encryption key management best practices.

Do your payment applications incorporate critical components of encryption key management including:

  • Tested and certified encryption key generation techniques
  • Physical and logical protection of data encryption keys (DEK)
  • Protection of data encryption keys by key encryption keys (KEK)
  • Proper management of the life-cycle of encryption keys
  • Certification of key management solutions to international 
standards such as NIST, FIPS 140-2, and KMIP

2) Use Security Best Practices

In order to protect customers from data breaches and prepare for evolving compliance requirements, retail ISVs should strive to meet these encryption and key management best practices:

  • Use Strong Encryption
    The Advanced Encryption Standard (AES) is the standard when it comes to data encryption. AES has been adopted as a standard by the US government and is the recommended encryption method for PCI, HIPAA/HITECH, GLBA and individual state privacy regulations.
  • Use Key Management Best Practices
    Your encryption is only as good as how well you protect the encryption keys. Encryption keys should be secured away from the encrypted data using an external piece of hardware such as a hardware security module (HSM).
  • Use Certified Solutions
    Always use NIST validated AES encryption and FIPS 140-2 certified encryption key management. These certifications ensure that their key management has been tested by a third-party against government standards and will stand up to scrutiny in the event of a breach.

3) Pick Your Partners Wisely

Townsend Security has redefined what it means to partner with a security company:

Partnership with Townsend Security
  • With our NIST validated and FIPS 140-2 certified encryption and encryption key management solutions, retail ISVs can offer their customers easy, affordable, and powerful data security.
  • Our dedicated team provides our partners with extensive training, back end support, marketing materials, and a cost effective licensing model. You focus on what you do best, and we’ll help you turn encryption and encryption key management into a revenue generating option to help build your business and protect your valued customers.
  • We have more than 20 years of experience supplying encryption and key management solutions to over 3,000 companies worldwide.
  • We help our customers achieve data privacy compliance at an affordable price and with a personalized touch.

4) Download the eBook “Overcoming Critical Security Issues”

This eBook resource is designed to give you the tools and information needed to have a high-level discussion about data security in your company. Click the button below to request your complimentary download!

eBook: Overcoming  Critical Security Issues

Topics: Best Practices, Encryption Key Management, partners, ISV

The Right Data Security Partner Can Make a Difference!

Posted by Michelle Larson on Jun 10, 2013 11:03:00 AM

ISV Executives Can Improve their Payment Applications with the Right Encryption and Key Management Partner

Your company competes against many other ISVs selling niche retail management software and payment applications. You need a strong partner to guarantee you are providing the best encryption and key management to your customers.
Data Security and Key Management Because when payment applications don’t adequately protect encryption keys or use encryption key management best practices to secure cardholder data, they leave your customers extremely vulnerable to data breaches.

At Townsend Security, we offer industry standard AES encryption and certified key management and we believe that good encryption and key management is the cornerstone of good security.  Here are three ways we believe a good partner should help ease the burden of data security:

1. Reduced Cost and Complexity          

I know... you are thinking “Key management is both costly and difficult” - while that reputation was accurate ten years ago, today certified encryption key management using best practices can be achieved quickly, easily, and at an affordable price. We help you by offering encryption key management that is quick and easy to deploy, has a cost effective licensing model, and we will even OEM or “white label” for you because we don’t believe issues around branding should get in the way of good data security.

Podcast on how retail ISV's can improve data security2. Provide Certified Solutions

We believe that data security should be constantly evolving to meet the challenges of new security threats. Retail ISVs and payment application software companies need to know that although their solution may have earned a PA-DSS certification, these standards, like all PCI standards, are not set in stone. Just because a solution has been certified once, outdated encryption and key management practices might not suffice during the next certification process. Since encryption and key management are necessary components of payment application systems, providing customers with third party OEM NIST-certified AES encryption and FIPS 140-2 compliant key management would give an ISV some critical advantages.

Townsend Security not only supplies NIST and FIPS 140-2 certified encryption and key management, we'll help you achieve your own FIPS certification under our OEM program. In order to confidently protect your customers, NIST and FIPS certifications ensure that encryption key management has been tested against government standards and will protect compromised data in the event of a breach.

3. Protect Your Customers

While many payment applications have a PA-DSS certification, in order to protect your customers from a data breach, you must not only meet these certifications, but also build a security solution that will truly protect data at rest and data in transit using industry best practices. Data security must be a critical element in your risk management plan and conveyed well to your customers.

With our NIST and FIPS certified encryption and key management solutions, retail ISVs can offer easy and affordable industry standard data security. Townsend security has redefined what it means to partner with a security company. Our dedicated team provides our partners with extensive training, back end support, marketing materials, and a cost effective licensing model.  So when (not if) your customer experiences a data breach, and you have implemented adequate security that renders the compromised data unreadable, you will not only be your customer’s hero, but your own company’s hero as well.

In this complimentary podcast, security expert Patrick Townsend discusses How Retail ISVs Can Improve Their Payment Applications” with Paul Taylor from Security Insider.
 

Download Podcast  


As always, we welcome your comments and questions! 

Topics: Payment Applications, Point of Sale (POS), Encryption Key Management, partners, ISV

4 Critical Issues for ISVs Trying to Protect PHI and Meet HITECH Act

Posted by Luke Probasco on Feb 9, 2012 9:45:00 AM

Critical Issues for ISVs

HITECH ISV White Paper

Download the white paper "Healthcare ISVs: Critical Issues in Meeting HITECH Data Protection Regulations."

Click Here to Download Now

As we move closer to the finalized rules for HITECH data protection, some things are now becoming very clear.  The government wants ISVs and service providers to offer encryption of data at rest to their customers, and they want covered entities to use it!  While a careful read of the regulations reveals that they do not mandate encryption, the guidance makes clear that encryption is the ONLY safe harbor from breach notification.  Your customers will interpret this as a mandate, and will start demanding encryption in your products and service solutions.  We are already starting to see this happen.

Healthcare ISVs face some really big challenges as they start to move into the unfamiliar territory of encryption and key management.  Here are four critical issues you will face as you start down the path to securing your data at rest with strong encryption:

1)    The Big Challenge is Encryption Key Management

Encryption itself is not really the biggest technical challenge facing ISVs as they start to encrypt data in their application databases.  Most operating systems, databases, and programming languages offer encryption libraries that you can use right off the shelf.  For example, Microsoft provides encryption libraries in SQL server and the .NET language.  Oracle offers similar support for encryption in their database.  The really big challenge is encryption key management.  Encryption keys are the secrets that must be protected.  Key management systems create, store, and protect keys from loss, and this will be the hardest thing to get right.

2)    NIST & FIPS Certification

The HITECH guidance is full of references to the National Institute of standards and Technology (NIST) for encryption standards and best practices.  Advanced Encryption standard (AES) is the recommended technology for encryption.  And the NIST recommendations for key management are the gold standard for key management solutions.  Serious key management vendors submit their solutions to NIST for certification under the FIPS 140 protocol, and these vendors are easy to locate on the NIST web site.

3)    Getting Encryption and Key Management Right

You will be tempted to push the responsibility for encryption and key management to an outside vendor.  If it is really hard to do, why not let someone else do the job? You can refer your customers to the vendor for the solution, and the vendor can do the work of getting the database encrypted.  It seems easy.  Until you discover that your customers are not going to distinguish between your vendor and you when problems happen!  You will be ultimately responsible for any problems with data protection.

4)    The Right Partnership

Many ISVs discover that finding the right partner for encryption key management solutions is the biggest hidden challenge in their projects. Not only is the technology very specialized, there are a small number of vendors who offer FIPS 140 certified solutions.  You have to offer solutions to your customers that are easy to deploy and meet your product pricing objectives.  What if you need a customized key management solution?  Are there any vendors who are willing to help you with these requirements?  Finding the right partner is as important as finding the right technology.

Visit our ISV Partner Program page for more information on becoming a partner or download our white paper titled Healthcare ISVs: Critical Issues in Meeting HITECH Data Protection Regulations.

Click me

Topics: HITECH, Encryption Key Management, ISV