Townsend Security Data Privacy Blog

Key Connection - The First Drupal Encryption Key Management Module

Posted by Michelle Larson on Feb 21, 2014 3:38:00 PM

Securing Sensitive Data in Drupal made possible through partnerships!

The Drupal content management system may have started out in a dorm room, but it has become a very successful open source platform that is being adopted at the Enterprise level. Drupal is running everything from small business websites, universities, robust e-commerce environments, and Fortune 100 sites to projects like WhiteHouse.gov! As Drupal developers build out these large-scale installations, the need to keep them secure becomes more apparent due to the volume of information being collected. Sensitive data such as credit card numbers and protected health information (PHI) fall under industry data security regulations such as PCI-DSS and HIPAA/HITECH and must be encrypted. Requirements for protecting information go beyond just credit card numbers and expiration dates; they include names, email addresses, ZIP codes, usernames, passwords… any stored data that can personally identify an individual.

Drupal developers and users who need to protect sensitive data know that storing encryption keys within the content management system puts data at risk for a breach, yet storing encryption keys locally in either a file protected on the server, in the database, or in the Drupal settings file has been the norm. None of these methods meet data security best practices or compliance regulations such as PCI DSS, HIPAA/HITECH, or state privacy laws.

While additional compliance regulations may apply depending on industry, this is a basic list of good practical guidance around web-based and virtual environments:

The Drupal community collaborates to develop modules for the platform, sharing knowledge, experience, and creativity. The developers try to avoid duplicate functionality, so the existing Drupal Encrypt module was used as the first step to protecting sensitive data; however, the plug-ins for the Encrypt module did not provide secure key retrieval options, as the encryption keys were all still stored on that same server. Security best practices tell us that personally identifiable information needs to be protected with industry standard AES encryption and that keeping the encryption key away from the data is critical. It became apparent that a key management system outside of the Drupal installation was required.

Working together to solve the Drupal data security problem, the security experts at Townsend Security and Drupal developers at Cellar Door Media have released the Key Connection for Drupal solution, which addresses the need for strong encryption and encryption key management within the Drupal framework. Now personally identifiable information collected during e-commerce checkouts, and user accounts that contain names and e-mail addresses, can be easily encrypted, and the encryption keys properly managed, by organizations that collect and store that sensitive information.

Drupal developers and Drupal users share a concern about multiple compliance requirements and the liability that goes along with being audited for correctly protecting personally identifiable information. When designing an environment, there is a need to know what methods of encryption you are using, that the encryption key management is implemented correctly, and how secure the data collection and storage processes will be. The Key Connection for Drupal module allows designers to either retrieve a key and encrypt locally, or send the data to Alliance Key Manager (AKM) to perform on-board encryption. They have the choice to use the Alliance Key Manager strictly as a key manager, or they can use it as an encryption service as well.

A few benefits of this new Key Connection for Drupal module are:

  • Access to remote key retrieval
  • NIST compliant on-board encryption
  • Encrypting data locally in your database
  • Using a built-in function to allow for PCI compliant encryption to be done off the web server

To learn more, I encourage you to listen to this special podcast to hear Chris Teitzel (CEO of Cellar Door Media), Rick Hawkins (owner of Alchemy Web Solutions), and Patrick Townsend (CEO of Townsend Security) talk about encrypting sensitive data in Drupal. They will also discuss how a Drupal site builder or developer gets access to Key Connection for Drupal and the Alliance Key Manager, and what options are available.


Topics: Data Security, Key Connection for Drupal, Encryption Key Management, Podcast, partners

Why Partner With Townsend Security?

Posted by Liz Townsend on Dec 2, 2013 4:11:00 PM

What Should You Look for in a Strong Technology Partner?

What does a strong technology partnership look like? One of the biggest challenges growing businesses face is bringing on new partners and building relationships that are built on solid people and products. Business executives are fearful, and rightly so, that any new technology partner may pose a huge risk to their own company. Any partnership is a basic agreement based on the trust that a partner’s product is good, will not fail, and will be market available in the long run. Most executives have experienced that trust being broken.

In a recent video with Townsend Security CEO Patrick Townsend and Mark Foege, Business Development Consultant and Principal at the Colvos Group, both Mr. Townsend and Mr. Foege outlined the importance of building strong technology partnerships for success, and what to look for in a partner.

According to Patrick Townsend, “Getting partnerships right is difficult. You really need someone who’s going to behave like a partner and not an adversary. It seems obvious, but in fact it’s very difficult to accomplish in most technology environments.”

One example Mr. Townsend gave was for an OEM partner. If a company integrates a partner’s product into their own technology, and that partner hasn’t built the product well, doesn’t provide solid back end support, or if their company folds and the product is no longer available, then the partnership can become toxic and unsustainable. 

Mark Foege reiterated that strategic successful partnerships are built on three core components:

  • Powerful solutions
  • Minimized cost
  • Minimized complexity

These components ensure that the product will not only be affordable and easy to use by end users, but the products will be powerful, and by integrating or selling them a business will be able to grow new revenue.

At the end of the day, a business only wants to partner with a technology company that has a good reputation. Mr. Foege recounted, “I was recently speaking with one of our partners, and I had asked them, what’s important to them when they partner with somebody. He said, my reputation is only as good as the reputation of those that I partner with, and that’s why they were excited to partner with Townsend Security. We realize that everything we do impacts the reputation of our partners. That’s why it’s important to us to provide solid, high value products, to make sure we are offering consistently first class support, and we work with our partners to make sure that their customers are completely delighted.”

When it comes to encryption and encryption key management, having a strong, trustworthy partner is critical to your success in providing strong data security to your customers. Encrypting sensitive data is easier than ever, and protecting encryption keys is easier today as well; however, providing these solutions without thorough back end support from your encryption key management vendor can be disastrous. That’s why Townsend Security provides extensive support, knowledge, and training to all of our partners, as well as marketing materials, encryption libraries, and many other resources to make offering encryption a painless task.

To learn more about Townsend Security partnerships, watch the full video below or visit our partner page.

Topics: partners, OEM

How Do You Plan to Overcome Critical Security Issues?

Posted by Michelle Larson on Jul 10, 2013 10:55:00 AM

Four steps to better encryption key management in the retail environment

When the PCI Security Standards Council released the Payment Application Data Security Standard (PA-DSS) in 2008, the security of payment applications took a big leap forward. Today, all retail ISVs providing payment applications must certify their products with PA-DSS (which requires encryption and encryption key management for applications that process credit card data). Merchants expect this level of certification in the payment applications they use, and their customers expect personal information to be secured.

Yet time and time again we see news reports about retailers experiencing data breaches through their payment application software. These breaches tell us that PA-DSS certifications alone don’t always equal good security.  

Here are four steps you can take on the road to better security:

1) Be Aware of Security Issues

In the rush to meet PA-DSS requirements for credit card encryption, many payment applications incorporated just enough technology to pass the certification requirements around encryption of sensitive data, but not enough to stay current with encryption key management best practices.

Do your payment applications incorporate critical components of encryption key management including:

  • Tested and certified encryption key generation techniques
  • Physical and logical protection of data encryption keys (DEK)
  • Protection of data encryption keys by key encryption keys (KEK)
  • Proper management of the life-cycle of encryption keys
  • Certification of key management solutions to international standards such as NIST, FIPS 140-2, and KMIP

2) Use Security Best Practices

In order to protect customers from data breaches and prepare for evolving compliance requirements, retail ISVs should strive to meet these encryption and key management best practices:

  • Use Strong Encryption
    The Advanced Encryption Standard (AES) is the standard when it comes to data encryption. AES has been adopted as a standard by the US government and is the recommended encryption method for PCI, HIPAA/HITECH, GLBA and individual state privacy regulations.
  • Use Key Management Best Practices
    Your encryption is only as good as how well you protect the encryption keys. Encryption keys should be secured away from the encrypted data using an external piece of hardware such as a hardware security module (HSM).
  • Use Certified Solutions
    Always use NIST validated AES encryption and FIPS 140-2 certified encryption key management. These certifications ensure that your key management has been tested by a third party against government standards and will stand up to scrutiny in the event of a breach.

3) Pick Your Partners Wisely

Townsend Security has redefined what it means to partner with a security company:

  • With our NIST validated and FIPS 140-2 certified encryption and encryption key management solutions, retail ISVs can offer their customers easy, affordable, and powerful data security.
  • Our dedicated team provides our partners with extensive training, back end support, marketing materials, and a cost effective licensing model. You focus on what you do best, and we’ll help you turn encryption and encryption key management into a revenue generating option to help build your business and protect your valued customers.
  • We have more than 20 years of experience supplying encryption and key management solutions to over 3,000 companies worldwide.
  • We help our customers achieve data privacy compliance at an affordable price and with a personalized touch.

4) Download the eBook “Overcoming Critical Security Issues”

This eBook resource is designed to give you the tools and information needed to have a high-level discussion about data security in your company. Click the button below to request your complimentary download!


Topics: Best Practices, Encryption Key Management, partners, ISV

3 Ways An Encryption Key Management Partner Will Make Your Life Easier

Posted by Liz Townsend on Jul 5, 2013 7:30:00 AM

If your company is an ISV, VAR, or OEM providing software or hardware to businesses who must meet data security compliance regulations (PCI, HIPAA/HITECH, GLBA/FFIEC, etc.), finding the right technology partners to offer your customers the best security available can be a difficult task.


Technology partnerships have a reputation for being difficult and risky. Legal agreements, licensing models, and product performance are just a few examples of serious barriers. Unfortunately in today’s technology climate, there are many examples of technology partnerships that have reinforced this reputation.

When it comes to protecting sensitive information and meeting security compliance regulations, we don’t believe anything should get in the way of offering your customers the best data security tools available. Townsend Security helps businesses of all sizes protect sensitive data with powerful encryption and encryption key management that not only helps companies meet compliance requirements, but will protect them in the event of a data breach.

Here’s how Townsend Security makes partnering with a technology company easier than ever:

  1. Reduced Complexity to Lower Costs - Your technology partner’s product shouldn’t be so complicated that it takes outside consultants, drawn-out projects, and extra time and money to implement. In our eyes, a good partner works hard to make sure their product integrates seamlessly into your existing technology infrastructure. Townsend Security is able to accomplish this quickly and at a lower cost by having the capacity and functionality to specialize our solutions to meet our partners’ needs. We also ease the burden of implementation by providing our customers with a simple and cost-effective licensing model.
  2. Provide Powerful Products - With the staggering number of data breaches that happen every month, there is no excuse for using sub-standard encryption to protect sensitive data. Many companies try to cut corners or meet the minimum standard by using “home-grown” encryption and key management or cheap solutions that don’t adequately protect data. However, when businesses use these solutions, many end up having to re-do their encryption and key management projects in order to comply with data security regulations (which are always becoming more stringent), or even worse, they experience a data breach and realize they can no longer skate by with weak data security. Townsend Security offers powerful, NIST-certified encryption and FIPS 140-2 encryption key management for all legacy platforms and the cloud to help you exceed standards and prevent data loss.
  3. Excellent Back End Support - When it comes to back end support, the people you deal with on a day-to-day basis can make or break a partnership. Townsend Security works closely with our partners to ensure their success. We provide our partners with training, marketing materials, OEM options, as well as easy and cost effective licensing models to get our powerful solutions protecting your customers as soon as possible.

At the end of the day, the technology partner you choose should leverage your existing solutions by making them more powerful. It’s easy to secure data poorly, and it can be difficult to do it well, but Townsend Security has developed and scaled our encryption and encryption key management to eliminate the pains and obstacles of doing data security the right way.


Topics: Data Privacy, Encryption Key Management, partners, OEM

The Right Data Security Partner Can Make a Difference!

Posted by Michelle Larson on Jun 10, 2013 11:03:00 AM

ISV Executives Can Improve their Payment Applications with the Right Encryption and Key Management Partner

Your company competes against many other ISVs selling niche retail management software and payment applications. You need a strong partner to guarantee you are providing the best encryption and key management to your customers. Because when payment applications don’t adequately protect encryption keys or use encryption key management best practices to secure cardholder data, they leave your customers extremely vulnerable to data breaches.

At Townsend Security, we offer industry standard AES encryption and certified key management and we believe that good encryption and key management is the cornerstone of good security.  Here are three ways we believe a good partner should help ease the burden of data security:

1. Reduced Cost and Complexity

I know... you are thinking “Key management is both costly and difficult” - while that reputation was accurate ten years ago, today certified encryption key management using best practices can be achieved quickly, easily, and at an affordable price. We help you by offering encryption key management that is quick and easy to deploy, has a cost effective licensing model, and we will even OEM or “white label” for you because we don’t believe issues around branding should get in the way of good data security.

2. Provide Certified Solutions

We believe that data security should be constantly evolving to meet the challenges of new security threats. Retail ISVs and payment application software companies need to know that although their solution may have earned a PA-DSS certification, these standards, like all PCI standards, are not set in stone. A solution that has been certified once may find that outdated encryption and key management practices do not suffice during the next certification process. Since encryption and key management are necessary components of payment application systems, providing customers with third party OEM NIST-certified AES encryption and FIPS 140-2 compliant key management would give an ISV some critical advantages.

Townsend Security not only supplies NIST and FIPS 140-2 certified encryption and key management, we'll help you achieve your own FIPS certification under our OEM program. In order to confidently protect your customers, NIST and FIPS certifications ensure that encryption key management has been tested against government standards and will protect compromised data in the event of a breach.

3. Protect Your Customers

While many payment applications have a PA-DSS certification, in order to protect your customers from a data breach, you must not only meet these certifications, but also build a security solution that will truly protect data at rest and data in transit using industry best practices. Data security must be a critical element in your risk management plan and conveyed well to your customers.

With our NIST and FIPS certified encryption and key management solutions, retail ISVs can offer easy and affordable industry standard data security. Townsend Security has redefined what it means to partner with a security company. Our dedicated team provides our partners with extensive training, back end support, marketing materials, and a cost effective licensing model. So when (not if) your customer experiences a data breach, and you have implemented adequate security that renders the compromised data unreadable, you will not only be your customer’s hero, but your own company’s hero as well.

In this complimentary podcast, security expert Patrick Townsend discusses “How Retail ISVs Can Improve Their Payment Applications” with Paul Taylor from Security Insider.


As always, we welcome your comments and questions! 

Topics: Payment Applications, Point of Sale (POS), Encryption Key Management, partners, ISV