Townsend Security Data Privacy Blog

VMware and SQL Server Encryption

Posted by Michelle Larson on Dec 12, 2014 9:38:00 AM

Questions and Answers on Encryption and Key Management Projects

VMware® is hands-down the virtualization choice of large and small organizations, and it is easy to see why. Not only is it a highly reliable and scalable platform, VMware also provides a complete set of tools you need to deploy, manage, monitor, and protect virtual machines.

Earlier this month, Paul Taylor with Security Insider - Podcast Edition spoke with our founder, Patrick Townsend about encrypting data on Microsoft SQL Server in VMware environments, steps to encrypting data on SQL Server (with and without TDE), as well as talk about Townsend Security’s Alliance Key Manager for VMware. Here are a few highlights (download the podcast for the whole conversation): Podcast: VMware and SQL Server Encryption

Paul Taylor: We’ve talked about the Townsend Security encryption and key management solutions for VMware. Today let’s put the focus on Microsoft SQL Server and encryption in the VMware customer environment. Can you give us an overview of how VMware customers can protect data in SQL Server databases?

Patrick Townsend: Just to recap, we really need two things to get encryption right: A key management solution to protect the critical encryption keys, and an encryption solution for the SQL Server database. And they have to talk to each other.

For the first part, our Alliance Key Manager for VMware solution provides a fully functional, enterprise key management solution that protects SQL Server databases as well as other databases and other operating systems.

For encrypting SQL Server, our Alliance Key Manager solution comes with a full Microsoft SQL Server Extensible Key Management Provider. We call this Key Connection for SQL Server and it is one of the modules that our key management customers receive without paying additional license fees. Key Connection for SQL Server provides the encryption and integration with our key server to provide a complete, end-to-end solution for encrypting data in the SQL Server database.

Paul Taylor: Can you talk a little about how Microsoft enables encryption in SQL Server?

Patrick Townsend: If you are running SQL Server Enterprise Edition or higher, you have access to Microsoft’s automatic, full database encryption facility called Transparent Data Encryption, or TDE. You also have access to Microsoft’s automatic, column level encryption facility which Microsoft calls Cell Level Encryption. Both of these options, TDE and Cell Level Encryption,  are implemented without any programming work at all. And both are fully supported by Alliance Key Manager and the Key Connection for SQL Server software from Townsend Security.

Paul Taylor: What about Microsoft customers who aren’t using the Enterprise Edition of SQL Server? Can they encrypt their data with the Townsend Security solution?

Patrick Townsend:  With SQL Server Standard and Web Editions we provide two paths to encrypt data. The first is to use SQL Views and Triggers along with our .NET DLL to provide automatic encryption without any changes to applications. And the second path is to modify your C# or Java applications to use our .NET DLL to perform encryption at the application level.

Both approaches leverage our Microsoft .NET DLLs to perform encryption with integrated key management. Both are very simple to implement. And there are no additional license fees to deploy and use our Microsoft .NET DLLs to accomplish this.

Paul Taylor: So, walk me through the steps for encrypting data in my SQL Server Enterprise Edition database. How difficult is it?

Patrick Townsend: Encrypting data in Enterprise SQL Server is really very easy. The first step is to install our Alliance Key Manager for VMware solution. It launches like any other virtual machine using the normal VMware applications and you can have a key management solution up and running very quickly.

The second step is to install the Key Connection for SQL Server application on the virtual machine running SQL Server in Windows. This is a normal install process with an MSI file. You answer some questions, install a certificate and private key in the Windows Certificate Store, and run a handful of commands to start SQL Server TDE encryption or Cell Level Encryption. You also restart the log file to be sure that it is encrypted as well. That’s about it.

Of course, you will want to follow the instructions on how to set up a high availability key server, and point your Key Connection for SQL Server configuration to it as failover. That is a normal configuration process and also very easy to do. We find that VMware customers can deploy SQL Server encryption very quickly.

Paul and Patrick also cover which versions of SQL Server are supported, the availability of Alliance Key Manager in other platforms (hint: it’s quite versatile), and our 30-day evaluation program (you can do a full proof-of-concept in your own environment at no charge). Be sure to download the podcast to hear the rest of their conversation:

Podcast: VMware and SQL Server Encryption

Topics: Data Security, Encryption, Security Insider Podcast, Encryption Key Management, VMware, SQL Server

Encryption and Key Management for VMware®

Posted by Michelle Larson on Dec 10, 2014 12:32:00 PM

Questions and Answers on VMware Encryption Projects

Every business is trying to save money and reduce complexity in their IT departments, and many are accomplishing this today by using virtual machines such as VMware®. While these businesses’ infrastructures are becoming virtual, their security threats are still very much real.

Recently Paul Taylor with Security Insider - Podcast Edition spoke with our founder, Patrick Townsend about encrypting data in VMware, encryption performance, and special encryption and key management concerns for VMware users.  Here are a few highlights (download the podcast for the whole conversation): Podcast: Protecting Data with Encryption in VMware

Paul Taylor: As VMware customers start to work on encryption projects to protect sensitive data, what are the things they worry about? What concerns them?

Patrick Townsend: VMware customers have made a large investment in VMware technologies. This includes, but is not limited to, an investment in the VMware solution stack that lets them run a variety of virtual machines; administer those machines, monitor the health of the virtual environment, and secure the entire infrastructure of virtual machines and VMware itself.

VMware customers also have invested heavily in the talent needed to run a VMware data center, have adopted governance and risk management procedures specific to a VMware environment, and have invested heavily in migrating existing applications to this platform. It’s a large investment but the payoffs are substantial.

So, when approaching an encryption project the VMware customer really wants to deploy products and solutions that run naturally in VMware. It is painful and concerning to have to deploy solutions that don’t fit naturally.

Paul Taylor: I know that Townsend Security has encryption and key management solutions for VMware customers. Can you talk a little about those?

Patrick Townsend: For any encryption project there are really two major components:

    1. The encryption of the sensitive data, usually in a Windows or Linux virtual machine
    2. The protection of the encryption keys

An effective strategy in the VMware environment has to address both of these. I think we are doing this very well with our encryption solutions for VMware.

First, our Alliance Key Manager for VMware product provides for the creation, management, and protection of encryption keys in a VMware virtual machine. It runs the same FIPS 140-2 compliant key management solution that we offer in our Hardware Security Modules (HSMs). So VMware customers can get encryption key management right without having to go outside of their VMware infrastructure.

Second, all of our encryption solutions that are deployed to protect sensitive data run in the VMware platform and talk to our key manager. For example, you can deploy our SQL Server Transparent Data Encryption solution for automatic SQL Server encryption in a Windows Server virtual machine, and it will talk naturally to our key management server also running in a VMware virtual machine. It’s a perfect match for the VMware customer.

Paul Taylor:  Encryption has a reputation for being the hardest part of security. How do you address that concern?

Patrick Townsend: Yes, you are certainly right about encryption having a reputation for being hard and expensive to deploy. However, things are really different today. I’ll give you a couple of examples:

First, our VMware key management solution will soon be released as a ready-to-use key manager. This means that the first time you boot our Alliance Key Manager For VMware solution it will ask you a few questions, create a complete configuration for the key manager, and start the service. You literally have a functioning key server in a few seconds. What 5 years ago required multiple engineers and weeks of installation and configuration now gets done in a blink.

Secondly, our client-side encryption applications and SDKs are also designed for rapid deployment. For example, SQL Server Transparent Data Encryption also deploys through a standard Windows install process. Again, you answer a few questions, install credentials into the Windows Certificate store, run a handful of SQL Server commands, and you are fully protected with encryption. It is incredibly easy.

Paul Taylor:  I think everyone worries about performance when you talk about encryption. How well do your encryption solutions perform in VMware?

Patrick Townsend: Performance impacts are a natural thing to worry about. Encryption is a CPU intensive task, and it will have some effect on your application or database. Fortunately modern encryption libraries are very efficient and the impact is usually very modest. Back to our example about SQL Server TDE encryption, the average customer will experience about a 2% to 4% impact when activating TDE encryption. This is very manageable. Large SQL Server databases can pose a performance issue with TDE which is why we also support Cell Level encryption with SQL Server.

We always encourage our customers to try our encryption solutions before they make a full commitment. We make it very easy to do a proof-of-concept project with encryption. Our free evaluations let you take it for a spin and evaluate the impacts yourself.

Paul and Patrick also cover topics on high availability, business recovery, and compliance regulation concerns for protecting data in a VMware environment.  Be sure to download the podcast to hear the rest of their conversation:

Podcast: Protecting Data with Encryption in VMware
 

Topics: Data Security, Encryption, Security Insider Podcast, Encryption Key Management, Podcast

Encryption Key Management Guidelines- How to do Encryption Right!

Posted by Michelle Larson on Oct 21, 2013 8:00:00 AM

Data protection is only as secure as you make it!

As more companies begin to move data to the cloud, protection of encryption keys become an even more important part of an overall data protection strategy. Three core information security components, becoming better known as the “CIA Triad”, are important elements in a solid data security policy. These core components in the triad are:

CIA Triad

Confidentiality:

  • Confidentiality has to do with encrypting data in applications and databases, protecting it from people who should not be seeing that data or accessing it, whether that's in your IT data center or in a cloud environment or in virtualized applications.

Integrity:

  • You have integrity of the encryption key management process itself with connections to the key management HSM to authenticate and retrieve keys or perform on-device encryption operations. Integrity is accomplished through public ­key infrastructure (PKI) mechanisms.

Availability:

  • Availability is a crucial component especially with encryption key management systems which are mission ­critical applications. You need redundancy both at the hardware and software level with proper application mirroring and database mirroring in place. You should ensure back­ups take place at an appropriate interval and that recovery operations are also tested on a regular basis.

These components are achieved with a solid key management solution and the proper managing of the actual encryption keys.  The Key Management administrator is responsible for performing a number of functions that must be done, and done properly to meet compliance regulations. The administrator must also follow industry best practices in order to accomplish true encryption key management for their organization and the data they need to protect.  

The Encryption Key Life Cycle

One of the first functions the Key Management administrator performs is the actual creation and management of the encryption keys through a key lifecycle. The keys are generated and stored in a secure fashion and then go through the full cycle depicted here to become active, go into use, expire, retire (post-activation), and then be backed up in escrow, and then deleted (the “destruction” phase). Encryption Key Life Cycle This lifecycle is defined by the National Institute of Standards and Technology (NIST) and also requires that a crypto period be defined for each key.  A crypto period is the length of time that a key should be used and is determined by a number of factors based on how much data is being protected and how sensitive that data is. While NIST has defined and provided some parameters on how to establish crypto periods (see special publications 800-57 - there are 3 parts) and provided guidance on best practices. Each Key Management administrator needs to determine how long a particular encryption key should be actively used before it is rotated or retired.  

These are a few of the factors that go into establishing the crypto period for a key (which maybe a few days or weeks or longer up to one or two years it really depends on the data that you're trying to protect):

  • How is the data being used
  • How much data is there
  • How sensitive is the data
  • How much damage will be done when the data is exposed or the keys are lost


Auditing and Access Controls

Auditing and active monitoring of critical key management systems is a fundamental security concept for protecting critical assets like data in a key management solution.  The Key Management administrator also needs to implement access controls to be sure that only the users and applications who should be accessing encryption keys are actually doing so.  A general practice of separating encrypting keys across different departments or applications should be in place. For example, you may need to protect employee data in your HR system using an encryption key, but you wouldn’t want to use that same encryption key to protect sales data or where you might have credit cards. You need to segment the usage of encryption keys to particular data so that employees in HR are accessing HR data using one key and salespeople can access sales data using a different key.

For more information, security expert Patrick Townsend goes into greater depth in his latest podcast: Guidelines for Effective Encryption Key Management.  He covers how implementing procedural mechanisms like dual control and separation of duties will help ensure your organization is implementing best security practices. Patrick also outlines fundamental components of a strong defense-in-depth approach to data security and how encryption and key management can protect your enterprise. I encourage you to download the 20 minute podcast!

Guidelines for Effective Encryption Key Management

Topics: Security Insider Podcast, CIA Triad, Encryption Key Management

Must-Haves in an Encryption Key Manager

Posted by Michelle Larson on Sep 26, 2013 2:15:00 PM

Just because data is encrypted, doesn’t necessarily mean it is safe...

(Based on the latest Security Insider” Podcast Edition with Paul Taylor)

The good news is that encryption key management and data security have come a long way within the past few years. Organizations no longer have to continue to maintain current patchwork methods, because now there are affordable, available, and interoperable solutions that can easily solve their problems. Key Management Must Haves Podcast Encryption and encryption key management are now industry standard and work across both legacy and newer business systems, multi-platform and multi-tenant networks, remote access workstations, geographical offices, data centers and third party business partners.

Now your risk management approach can go beyond compliance considerations and really focus on protection of your customers personal data and also your business information (and reputation).  Encryption and key management can now be a main security control for your organization, rather than a compensating control that is performed only in cases where other controls fail.  We have to always remember data gets out, and instead of using encryption as a last resort in a defense and depth strategy, it needs to be the fundamental consideration towards protecting your most important resources.  Along with that approach is what we believe is the most important consideration and a basic tenant in a strong encryption key management program: securely separate the data being encrypted from the keys performing that data encryption.  Even if someone gets unauthorized access to your data, they can’t read it when it is encrypted. An encryption key manager  enables a secure channel between the encryption keys and wherever that data may reside. Technology has evolved to enable stronger management so that companies will no longer be leaving their encryption keys under the front door mat, so to speak.

Principles of effective key management include being able to streamline and securely manage encryption keys across different systems and multiple locations, including virtual machines or applications in the cloud. There has to be the ability, first and foremost, to readily manage the encryption keys through the entire key lifecycle. It is essential for an encryption key manager to enable dual control and separation of duties to effectively create, activate, delete, expire, retire and perform additional key controls including key escrow. Separating encryption keys from encrypted data, whether to an internal or external business partner or cloud based services is so important and often overlooked as a high risk to the organization.  Despite really good controls and really talented security personnel, there are still people with hostile intent who will design malicious code to go out there and capture and replay credentials. That’s why managing encryption keys separate from the systems where the data resides is so critical, and why managing your encryption keys to third parties and cloud environments is now a recognized industry standard practice with very real benefits.

“Must-haves” when evaluating an effective key management solution:

  • Alignment with evolving NIST and FIPS guidance
  • A solution that’s affordable and easily deployed
  • A key manager that distributes encryption keys across all platforms
  • An implementation with known costs  - meaning no endpoint licensing fees or additional professional service fees.
  • Trusted transparency with a security partner
     

Must Haves in an Encryption Key Manager


Townsend Security’s Encryption Key Manager

We proud to be leading the industry in encryption key best practices and we want to make data security affordable and straightforward for every-size company to encrypt their most important data. No one knows the challenges of connecting and protecting business applications and architecture better than Townsend Security. Our mission is to make industry leading key management affordable and deployable to everybody. Our goal is to enable strong, affordable, easy to deploy encryption key management, no matter your industry or company size.  We are tried, tested, and trusted technology based on proven, reliable standards that’s also highly affordable, FIPS 140-2 compliant, top-rated in customer support and deployable in physical, hosted, and virtual environments with no hidden costs, no end point licensing fees with flexible pricing options available that can be either a perpetual or monthly subscription.


Topics: Alliance Key Manager, Security Insider Podcast, Encryption Key Management

Securing Data in Motion with PGP Encryption

Posted by Michelle Larson on Aug 28, 2013 3:22:00 PM

In their latest podcast, Paul Taylor with Security Insider Podcast Edition and Patrick Townsend, CTO of Townsend Security discuss using PGP encryption to secure data in motion for meeting compliance regulations, the OpenPGP standard, the differences between Open and Commercial PGP solutions, and ways to automate your managed file transfers on the IBM i. Podcast: PGP Encryption on the IBM i

PGP stands for “Pretty Good Privacy”, and it’s an encryption solution that originally started in the 1990s. Over 20 years ago, Phil Zimmerman and a group of developers decided to produce secure file encryption technology and felt that PGP should be used everywhere to protect data-in-motion, both for individuals and for companies who need to transfer data across networks. Originally, Phil Zimmerman’s development team offered a free, open-source version of PGP. Over the years, ownership of PGP was transferred from Network Associates to McAfee, and is now owned and commercially licensed by Symantec.  Throughout that development, Townsend Security has helped to bring this important encryption technology to IBM enterprise platforms. We have partnered with Symantec to offer the only commercial version of PGP Command Line on the IBM i.

In their podcast, Paul and Patrick discuss the OpenPGP standard and the two solution versions of PGP, Open and Commercial, and the confusion around them. OpenPGP is a standard (RFC 4880 & RFC 2440), not software, and that standard covers what an Open PGP solution is and should do. There are multiple open source editions for software, available from a number of different organizations, that should meet the OpenPGP standard.

The commercial version from Symantec was created and continues to be advanced by the original PGP developers. It conforms to the OpenPGP standard, and it adds additional functions that are important to enterprise customers.

For example:

    • Additional decryption key support (the ability to encrypt a file for multiple recipients)

If you need to send and recover an encrypted file to yourself for due diligence, your ability to recover that encrypted file through additional decryption key support becomes an important regulatory component.

    • Self-decrypting archives (the ability to encrypt data and send it to almost anyone for processing)

You can create an encrypted file on your system, even on IBM z mainframe or IBM i platform that can be decrypted as an executable on a Mac system, a Windows PC, or even a Linux box.

    • Support for X.509 Certificates, external key management protocols, and the ability to actually store encryption keys on an external server.

With the Commercial PGP product comes full support for OpenPGP standard, as well as these additional features, which really make a difference for enterprise businesses. When you base your company reputation on something mission-critical like PGP encryption, you deserve the comfort of knowing that there’s a support team there ready to stand behind you.

“Pretty Good Privacy” is well recognized and accepted across a broad number of compliance regulations as a secure way to protect sensitive data as it is in transit to your trading partners. PGP encryption helps businesses meet PCI DSS by encrypting credit card numbers and other PII as required by HIPAA/HITECH Act, Sarbanes-Oxley, and FISMA compliance regulations.

Listen to the podcast for more in-depth information and a discussion on how PGP meets compliance regulations with it’s NIST certifications, and how Townsend Security, the only Symantec partner on the IBM i or AS/400 platform as well as the IBM z platform providing PGP Command Line 9, can help IBM i users with PGP!

  DOWNLOAD THE PODCAST: PGP Encryption on the IBM i

If you have topics you would like to hear discussed in future podcasts, please email them to us at podcast@townsendsecurity.com or post your comments here in the blog!

 

Topics: PGP Encryption, Security Insider Podcast, PGP