Townsend Security Data Privacy Blog

Should Solution Providers Offer Encryption Key Management?

Posted by Luke Probasco on Apr 18, 2013 4:36:00 PM

Like any business, a solution provider must meet the evolving needs of its customers to succeed. In the IT world, we all know that data management is one of the most important, complex, and fastest growing needs of businesses. From disk backups to managed hosting and cloud services, solution providers are moving toward offering more of these services at lower cost. Unfortunately, with the amount of data being stored and managed growing every year, one major need of most businesses is routinely overlooked: data security.

Encryption Key Management Simplified

Today almost every business must adhere to data security regulations set by government or industry standards bodies. In retail, the governing standard is the Payment Card Industry Data Security Standard (PCI-DSS). In the medical vertical, HIPAA and the HITECH Act mandate the protection of sensitive patient data. Other regulations such as SOX, FISMA, and GLBA/FFIEC cover most other entities. All of these regulations mandate or recommend encrypting sensitive data with a standard, vetted algorithm such as AES, together with proper management of the encryption keys.

We would all like to think that IT directors and executives of every business adhere to these standards and recommendations and choose solution providers that provide them with encryption key management. However, as we witness easily preventable data breaches every week in the news, we know that this is simply not true.  

What IT executives and solution providers don't seem to realize yet is that in the event of a major data breach, at least two parties will take the fall: The IT executive and the solution provider(s).

Take for example the Utah Department of Health data breach of March 2012. In this highly publicized breach an attacker accessed about 280,000 Social Security numbers as well as other protected health information (PHI) and personally identifiable information (PII) such as birth dates, home addresses, and taxpayer ID numbers.

This attack was considered easily preventable.

How are these kinds of attacks easily preventable? When encryption and key management best practices are followed, stolen data of this kind is unreadable to the attacker, because the keys needed to decrypt it are held separately from the data and are not exposed by the compromised system. That is why encryption and key management are treated as the baseline for protecting stored sensitive data and why they are mandated by industry regulations such as PCI-DSS and GLBA/FFIEC. Had AES encryption and key management best practices been in place at the Utah Department of Health, the intrusion might still have happened, but the records taken would have been useless to the attacker.

In the end, Utah's CTO was pushed to resign and the technology used to process data totally overhauled.

Unfortunately, companies in general are confused about when, where, and how to encrypt sensitive data, even though both encryption and encryption key management are recommended, if not mandated, by most industry regulations. Worst of all, many companies that know they should be encrypting their data don't do it because of budget (a direct indicator of priorities)! The result is a LOT of unprotected sensitive data.

Ultimately, consumers assume that the businesses they patronize are protecting their personal data, but the truth is, not all of them are!

The threat of data breaches and cyber attacks is not going away. In fact, these events are increasing every year. Solution providers offering data management tools to companies in retail, healthcare, finance/banking, and many other industries should absolutely be offering their customers encryption and encryption key management. Several solution providers currently offering encryption and encryption key management are already at a competitive advantage to providers that don't.

To learn more about how easy encryption key management can be, download the podcast, “Simplifying Encryption and Key Management: Removing Complexity and Cost” featuring data privacy expert Patrick Townsend.

Topics: Data Privacy, Solution Integrators/Providers

Which Data Security Conversation are You Having with Your Customers?

Posted by Mark Foege on Feb 25, 2013 9:20:00 AM

Webinar: Encryption and Key Management Simplified - Removing Complexity and Cost


I was recently speaking with a technology value-added reseller (VAR). When I asked how often he spoke with his customers about data protection, he answered “All the time!” When I pressed for what he actually talked about, he explained, “I talk about the best ways to keep intruders out of their systems.” By this, he was referring to anti-virus software, firewalls and VPNs; not surprisingly, things he had become quite proficient at selling over the last several years.

“So, what happens when somebody gets in anyway?” I asked. He looked at me with a blank stare. He had only been having part of the full conversation around enterprise data security.

Although keeping individuals, or groups, with malicious intent out of your network is an important part of protecting your data, it is far from being the whole story. Intrusion Prevention is only one of the three legs to the data protection stool. The other two legs are Network Monitoring and Encryption. It takes all three of these to truly protect any company’s data. If any one of them is missing, the stool simply falls over.

Sadly, most companies learn about their own data breaches only after being told by a partner, vendor or customer. A recent study shows that 69% of data breaches could have been detected before any data was lost if proper system logging was in place. Knowing what is going on within your systems is important to tracking, and taking steps to neutralize, malicious activities. A number of solid and affordable solutions are available for security information and event management. These include LogRhythm, Dell SecureWorks, McAfee Enterprise Security Manager and others. You can’t fix what you don’t know about, and if you’re not actively monitoring your systems, you may be blissfully, but dangerously, unaware.

But ultimately, it’s not a question of “if” someone will get access to your data, but “when”. That means it’s vitally important to make sure that what they get their hands on is useless to them. Using a NIST-validated AES implementation together with a FIPS 140-2 validated key management system is the best way to avoid costly fines and notification requirements in the event of a data breach: most breach notification laws exempt data that was encrypted, provided the keys were not compromised along with it, which is exactly why the keys must live somewhere the attacker did not reach. When that data is lost or stolen, correctly implemented encryption ensures that, to anyone without the key, it is indistinguishable from random 1’s and 0’s. Townsend Security’s Alliance Key Manager is an affordable and reliable solution for your customer’s needs in this area.

If you sold your customer a firewall and anti-virus software, but they still experienced a data breach, would they thank you for what you did, or be upset you didn’t do more? I’m guessing the latter.

So the next time you talk to your customer about data protection, remember to have the whole conversation. Make sure you include all three legs of the data protection stool: Network Monitoring, Encryption AND Intrusion Prevention.


Topics: Data Privacy, Solution Integrators/Providers

Should Solution Integrators (SIs) Offer Encryption Key Management?

Posted by Liz Townsend on Feb 13, 2013 8:25:00 AM


When a solution integrator assesses a company's IT and data security needs, it knows that almost every business will need to meet at least one set of data security compliance regulations. If it's a retail business, it will need to meet PCI-DSS. If it's a bank or financial company, it will need to meet FFIEC and GLBA. If the company is a healthcare organization, it will need to meet the data security requirements of HIPAA-HITECH.

All of these regulations require that entities protect their sensitive data. From names and addresses to credit card numbers and protected health information, they treat encryption, not firewalls and strong passwords alone, as the way to secure this data at rest, and in practice that means a standard algorithm such as AES. Even more importantly, most breach notification laws and regulations provide a safe harbor: if the stolen data was encrypted and the keys were properly managed and not compromised along with it, the company generally does not have to report the breach.

Do you think the companies who had major data breaches last year wish they had known that little fact? We're guessing, yes. 

Unfortunately, there's a lot of false information out there about encryption and encryption key management. A common misconception is that hackers break encryption. In practice, attackers do not break AES; they find the encryption keys. How? If the keys are stored on the same device as the encrypted data, or in some other unsecured location the attacker can reach, the attacker simply reads the keys and "unlocks" the encrypted data, and the encryption has bought nothing.

It's a little bit like taping your house key to your front door and hoping that a thief won't find it there. It's wishful thinking. 

That's why encryption is considered only half of a solution. All companies encrypting data also must implement good encryption key management. 
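The point above, keys held apart from the data they protect, as an added example in Go (this is an editorial illustration, not code from the post or from Townsend Security's products). It assumes a hypothetical KeyManager type standing in for an external key server, uses AES-256-GCM from Go's standard library, and works on a constructed sample record. A key co-located with its ciphertext is read straight out of the data store; in the separated design an attacker with a copy of the store holds only ciphertext and a wrapped key, and every guessed key fails authentication, which also illustrates the earlier post's point that correctly encrypted data is random bits to anyone without the key. Envelope encryption (a per-record data-encryption key wrapped by a key-encryption key that never leaves the key manager) is the standard pattern for this; the post describes the goal, not this specific construction.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and returns nonce||ciphertext||tag.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key fails GCM authentication instead of returning garbage.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// KeyManager is a hypothetical in-process stand-in for an external key server or
// HSM: it holds the key-encryption key (KEK), never exposes it, and only wraps or
// unwraps per-record data-encryption keys (DEKs) on request.
type KeyManager struct{ kek []byte }

func NewKeyManager() (*KeyManager, error) {
	kek, err := randomBytes(32)
	return &KeyManager{kek: kek}, err
}

func (km *KeyManager) WrapDEK(dek []byte) ([]byte, error) { return seal(km.kek, dek) }
func (km *KeyManager) UnwrapDEK(w []byte) ([]byte, error) { return open(km.kek, w) }

// Record is all the data store holds: ciphertext plus the DEK wrapped under the KEK.
type Record struct{ Ciphertext, WrappedDEK []byte }

func Store(km *KeyManager, plaintext []byte) (Record, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := km.WrapDEK(dek)
	return Record{Ciphertext: ct, WrappedDEK: wrapped}, err
}

func Load(km *KeyManager, r Record) ([]byte, error) {
	dek, err := km.UnwrapDEK(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}

func main() {
	pii := []byte("SSN=123-45-6789") // constructed sample record, not real data
	// Anti-pattern: DEK kept in the clear beside its ciphertext; a copy of the store decrypts it.
	dek, _ := randomBytes(32)
	ct, _ := seal(dek, pii)
	leaked, _ := open(dek, ct)
	fmt.Printf("co-located key, store copy only: %q\n", leaked)
	// Keys separated: the store holds ciphertext and a wrapped DEK; a guessed key fails to verify.
	km, _ := NewKeyManager()
	rec, _ := Store(km, pii)
	_, err := open(make([]byte, 32), rec.Ciphertext)
	fmt.Println("wrapped key, store copy only:", err)
	pt, _ := Load(km, rec)
	fmt.Printf("wrapped key, via key manager: %q\n", pt)
}
```

With a real key manager the WrapDEK and UnwrapDEK calls become authenticated requests to the key server, the KEK never leaves that server, and the data store can be copied wholesale without exposing a single record.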

Of course solution integrators want to know how offering their customers encryption key management services can grow their business. There's actually still a lot of hesitation around encryption key management as a service because managing keys was once a very difficult and costly thing to do. It even had a reputation for causing severe performance impacts on a network. Maybe that was true 10 years ago, but today encryption and key management technology is: 

  • Easier than ever to implement on established platforms such as IBM i and Microsoft SQL Server

  • Cost effective

  • Low in its impact on performance

That’s why offering encryption key management to your customers is always a good idea. It will not only grow your business; it will also protect your customers and help them meet compliance, which they’ll be thankful for.

Townsend Security is a Microsoft Silver Partner and an Advanced partner with IBM, providing the only FIPS 140-2 validated key management solution for IBM PureFlex. Want to learn more about encryption and key management for IBM platforms? Download the podcast on automatic encryption for IBM i.


Topics: IBM i, Encryption Key Management, Solution Integrators/Providers

11 Things Solution Integrators (SIs) Need in a Key Management Partner

Posted by Luke Probasco on Feb 5, 2013 1:29:00 PM

AES Encryption & Related Concepts


Today, nearly every business needs to meet at least one set of data security compliance regulations, if not more. Regulations such as PCI-DSS, HIPAA-HITECH, and GLBA/FFIEC recommend if not outright require companies collecting sensitive data to secure that data using encryption and encryption key management. Most solution integrators are aware of this, but they may not know what to look for in a third party key management vendor to partner with.

The key management vendor you choose to partner with should provide you with all the services you need to integrate key management into your solution easily. If you're a solution integrator, a third-party key management vendor should provide you with:

  1. Technology. Does your key management partner provide all of the hardware, software, encryption libraries, and tools you need to deploy encryption and key management on your customers' networks easily?

  2. Certifications. Certifications are crucial to meeting government and industry data security requirements. Is your key management partner’s solution FIPS 140-2 validated? What is the certificate number, and does it appear on NIST's Cryptographic Module Validation Program list for the product and version you will actually deploy? Do they use a NIST-validated AES implementation?

  3. Training. Does your partner provide adequate training and tools, such as walk-through instruction and training videos, to help you implement encryption key management with ease?

  4. Platform Compatibility. Does your partner support all of your customers' platforms, such as IBM, Microsoft, or Oracle, including both newer and older versions?

  5. Client-Side Support. Does your partner supply all of the sample code, binary libraries, applications, key retrieval and other tools you need to implement encryption and key management quickly and easily? Do they charge client-side licenses? (Note: Townsend Security never charges for client-side support.)

  6. Marketing Collateral. Does your partner provide you with strong sales and marketing material to help you promote the product and lend it credibility?

  7. Knowledge of Compliance Regulations. Does your partner know how their solutions will help your customers meet compliance regulations such as PCI-DSS, HIPAA-HITECH, and GLBA/FFIEC?

  8. Virtual and Cloud Environment Capabilities. Your customers may be storing their data "in-house" today, but if they want to move to the cloud, can your key management partner move with them?

  9. Scalable Solutions. Many customers of SIs are small and medium sized businesses with the same data security needs as larger enterprises. Can your key management partner scale to meet the needs of the SMB market?

  10. A Supportive Business Relationship. Does your partner understand your competitive and pricing challenges? Will your partner work with you to craft a solution that keeps your price competitive, or will they just give you a price and walk away?

  11. A Win-Win Relationship. Will the partnership create new business and generate new revenue for both parties?

Townsend Security is a third-party encryption and key management provider of NIST-validated AES encryption and FIPS 140-2 validated key management systems. With over 25 years of experience helping companies protect data and meet compliance requirements, Townsend Security can help you do the same.

To learn more about partnering with Townsend Security, contact us now. To learn more about AES encryption and encryption key management, download our white paper "AES Encryption and Related Concepts."


Topics: Encryption Key Management, AES Encryption, Solution Integrators/Providers