Townsend Security Data Privacy Blog

2019 SQL Server Encryption Survey

Posted by Ken Mafli on Jan 15, 2020 6:00:00 AM

This last November (Nov. 6-8, 2019) we had a chance to participate in the 21st annual PASS Summit in Seattle as an exhibitor. It was a great time as SQL Server professionals from around the world attended. We had an opportunity to ask them about their company's encryption and key management practices. Below are the results as well as some expert weigh-in on the findings. Enjoy!

The SQL Server Encryption Survey—2019


A special thanks to our contributors for their expertise and guidance. You all are clear-minded professionals that have a lot to offer those looking to better secure their data:

-Ed Leighton-Dick, Kingfisher Technologies
-Tim Roncevich, CyberGuard Compliance
-Justin Garren, LyntonWeb
-Sharon Kleinerman, Townsend Security
-Patrick Townsend, Townsend Security

If you are looking to protect your encryption keys for your sensitive data in SQL Server, you need a FIPS 140-2 compliant centralized key manager that:

  • Never charges you additional fees for connecting a new end-point.
  • Never limits the number of end-points based on the model of the KMS.
  • Never limits the number of encryption keys generated or stored.
  • Never forces you to pay extra fees for software patches.
  • Never forces you to pay extra fees for routine software upgrades.
  • Always gives you unmatched customer service.
  • Always protects your keys, 24/7.

You need Alliance Key Manager for SQL Server.


Topics: Key Management, Extensible Key Management (EKM), SQL Server 2008, Microsoft, Info-graphic, SQL, Encryption Key Management, SQL Server, Transparent Data Encryption (TDE), SQL Server encryption

2018 SQL Server Encryption Survey

Posted by Ken Mafli on Jan 21, 2019 6:51:00 AM

This last November (Nov. 6-9, 2018) we had a chance to participate in the 20th annual PASS Summit in Seattle as an exhibitor. It was a great time as SQL Server professionals from around the world attended. We had an opportunity to ask them about their company's encryption and key management practices. Below are the results as well as some expert weigh-in on the findings. Enjoy!


A special thanks to our contributors for their expertise and guidance. You all are clear-minded professionals that have a lot to offer those looking to better secure their data:

-Sebastian Meine, Ph.D., sqlity.net
-Steve Brown, Rutter Networking Technologies
-Tim Roncevich, CyberGuard Compliance
-Sharon Kleinerman, Townsend Security
-Patrick Townsend, Townsend Security


Topics: Key Management, Extensible Key Management (EKM), SQL Server 2008, Microsoft, Info-graphic, SQL, Encryption Key Management, SQL Server, Transparent Data Encryption (TDE), SQL Server encryption

Securing Data in Microsoft SharePoint 2010

Posted by Patrick Townsend on Mar 6, 2012 1:05:00 PM

“I’m scared to death about what my users are putting into SharePoint!”

This is what a Database Administrator said to me recently when I attended a SQL Saturday event on the Microsoft campus in Redmond, Washington. And I’m hearing that a lot from IT directors and CIOs in the financial and medical sectors. Microsoft SharePoint is a wonderful collaboration tool, and it supports a number of versions and deployment options. These options run the gamut from free versions that ship with Windows Server, to versions tailored to the Microsoft Office suite of applications, to web portals. And an industry has grown up around installing, customizing, and hosting SharePoint.

But IT managers are sweating about the risk of data loss. And they have reason to be afraid.

We know that users are creative about circumventing written policies about data security. Ever look at an audit of user passwords? It’s a good bet that “Password1” is the most common password on your network. It has upper and lower case letters, and at least one number. And even good employees can accidentally violate security policy. We ask a lot of our colleagues, and security is often not at the top of their consciousness. So how likely is it that users are following your security policy requirement NOT to store sensitive data in SharePoint?

Somewhere close to zero.

And that’s why IT managers have good reason to be concerned. And that’s one reason why the uptake of SharePoint collaboration runs into resistance in the financial and medical segments.

Fortunately, Microsoft added some important security features to SharePoint 2010. One of those is support for Transparent Data Encryption (TDE) of the SharePoint content databases when you use SQL Server 2008 as the storage mechanism for SharePoint (TDE is an Enterprise Edition feature in SQL Server 2008). The great thing about TDE is that it is easy to implement: the database engine encrypts pages as they are written to disk and decrypts them as they are read, so SharePoint itself does not change. You get good encryption performance, a high level of automation, and, when the database encryption key is protected through the Extensible Key Management (EKM) interface rather than by a certificate stored in the master database of the same server, separated key management. Your IT staff can deliver it with a minimum of fuss and delay.

Will encryption with TDE solve all of the SharePoint security concerns? No. TDE protects data at rest: it will protect you from data loss in the event of a lost backup or hard drive, and a server breach that just steals a copy of the database, log, or backup files won’t compromise your data. It does not protect against an attacker who can authenticate to SQL Server or SharePoint, because pages are decrypted for any authorized query. Still, that’s one big step in the right direction.

Take a look at our encryption key management solution built for Microsoft SQL Server. You can start to build the confidence you and your management team needs to move forward with SharePoint collaboration, and at a reasonable cost and in a reasonable time frame.

For even more information, view our webinar “Encryption Key Management with Microsoft SQL Server.”  See how easy it can be to implement strong key management and hear what hundreds of attendees learned at PASS last week.

Patrick


Topics: Alliance Key Manager, SQL, SharePoint

2011 PASS Summit: Are You Encrypting?

Posted by Luke Probasco on Oct 18, 2011 9:55:00 AM

Last week Townsend Security exhibited at the PASS Summit and showed off our new encryption key management appliance. This was our first time attending this show, and if you aren’t familiar with the PASS Summit, it is the world’s largest, most-focused, and most intensive conference for Microsoft SQL Server and BI professionals. This year's show was the biggest conference to date, with over 4000 attendees.

This was a good show for us.  The SQL Server community really understands the importance of encryption and key management.  Microsoft made encryption much easier with the introduction of Transparent Data Encryption (TDE) in SQL Server 2008 and opened the doors for proper encryption key management with Extensible Key Management (EKM).  With this combination, it is now easier than ever for organizations to be encrypting their sensitive data with “best practices.”

It was encouraging to see how many people were encrypting their sensitive data using TDE. When we told them about our encryption key management appliance, their eyes lit up and they said, “I need that! We need to meet PCI DSS and get our encryption keys off of our SQL Server.” We were more than happy to tell them how easy it is to start properly managing their encryption keys, both technically and financially. Our client installs easily, just like any other application on SQL Server, and setup is a breeze. When the average cost of a data breach to an organization is over $7 million, it is getting easier to justify the business case for proper encryption and key management.

Of course not everyone was encrypting.  Some people just didn’t need to.  Others though, when asked about encryption, hung their head and said “No, but I probably should be.”  And these were people in the medical and financial industries!  (Note to self: don’t give these organizations my personal information.)

The concept of “leaving your keys under the mat” really resonated with this crowd.  If they didn’t know the importance of separating encryption keys from the encrypted data before they visited us, they certainly knew it well by the time they left.  We look forward to attending this show again next year and maybe the people who currently aren’t encrypting our private information will be first in line next year telling us about their “nightmare audit.”

For more information on our encryption key management appliance, built specifically for SQL Server, view our webinar “Encryption Key Management with Microsoft SQL Server.”  See how easy it can be to implement strong key management and hear what hundreds of attendees learned at PASS last week.


Topics: SQL Server 2008, SQL, Trade Shows

Introducing Alliance Key Manager for SQL Server

Posted by John Earl on Aug 22, 2011 10:01:00 PM

Today we are excited to announce the availability of our new Alliance Key Manager for SQL Server (AKMSS). AKMSS is a certified Hardware Security Module (HSM) that manages and protects access to your encryption keys.

Our new HSM is focused on providing mid-market Microsoft SQL Server customers and their technology partners with an affordable, easy to deploy, solution for meeting data privacy compliance requirements in PCI-DSS, HIPAA/HITECH, FFIEC and other data privacy regulations. Unlike other HSMs on the market, AKMSS is built, tuned and priced specifically for small and mid-size SQL Server customers who need to protect sensitive data in their databases.  AKMSS comes with a standard Windows interface so it is easy to configure, deploy, and operate.  AKMSS is based on proven technology that is already successfully used by thousands of customers worldwide.

Townsend Security built this HSM with the idea that cost should not be a barrier to data privacy compliance. We know that small and midsize companies are increasingly feeling the pressure to meet data privacy compliance requirements, and at the same time many are being targeted by data thieves. Our AKMSS HSM will help small and medium-sized businesses meet data privacy requirements for encryption key management with a FIPS 140-2 certified appliance.

Some of the features and benefits of our AKMSS HSM include:

  • Out-of-the-box integration with SQL Server 2008
  • Utilizes Microsoft’s Extensible Key Management (EKM) interface to support Transparent Data Encryption (TDE) on SQL Server 2008
  • Based on our FIPS 140-2 certified AKM software
  • Reduces cost as a barrier for a professional data privacy compliance
  • Built to be integrated - the product is ready for partner integration

If you need key management for the Microsoft SQL Server world, please take a moment to contact us and see how you can add industrial strength compliance to your encryption project.

You can learn more about the solution here.  Additionally, we have a webinar titled "Encryption Key Management with Microsoft SQL Server 2008" that shows just how easy encryption key management can be on your SQL server.

John Earl, President & CEO


Topics: Encryption, SQL, Encryption Key Management

SQL Server Encryption & HSM Key Management for the Mid-Market

Posted by Patrick Townsend on Aug 22, 2011 9:00:00 PM

Mid-size companies are under attack like never before, and breaches and financial losses are on the rise. The attacks are usually not that sophisticated - we are talking about the usual security weaknesses which include the lack of encryption and good encryption key management. So, if we know what the problems are, why are so many companies still vulnerable?

I think I know a big part of the answer: cost and complexity.

Mid–market companies are very sensitive to the cost of any IT project that does not contribute directly to the bottom line. And the more complex a project is, the higher the cost. For better or worse, encryption is viewed as a terribly complex, time-consuming, and costly project. Despite the obvious financial pain that a breach causes, and despite the fact that compliance regulations such as PCI DSS, HIPAA and the HITECH Act, GLBA and FFIEC, and state privacy laws encourage encryption and provide safe harbors when it is used, it just doesn’t get done.


That’s why I am really happy about our announcement today of an affordable and easy-to-deploy encryption key management HSM solution for Microsoft SQL Server. Building on our existing FIPS 140-2 certified Alliance Key Manager solution, our new encryption key management HSM offering for Microsoft SQL Server puts encrypting sensitive data within the reach of any company. With an affordable entry point, it can fit within the budget of most companies. And enabling encryption in the database does not require expensive programming resources. Your database administrator or your favorite solution integrator can get the job done very quickly. You can find out more about Alliance Key Manager for SQL Server here.

Microsoft deserves a lot of credit for opening the door to easier compliance. The SQL Server Extensible Key Management (EKM) architecture provides a straightforward path to implementing encryption and key management: an EKM provider lets keys be created and used on an external key manager or HSM instead of being stored in the master database of the SQL Server instance. EKM is the strategic architecture for encryption in current and future releases of SQL Server. By letting the Transparent Data Encryption (TDE) database encryption key be protected by an asymmetric key held in an EKM provider, they even made the process simple to deploy. Microsoft created a door for third party vendors of key management HSMs to enter, but there have been few entries in this area. Our new Alliance Key Manager for SQL Server HSM will knock down those cost and complexity barriers for mid-market companies.
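What the EKM path looks like from the DBA's side, as an added example that is not the vendor's own script (the SharePoint post and the PASS 2011 post on this page describe the same TDE-plus-EKM combination): the provider DLL path, the credential names and secrets, the key name on the HSM, the Windows login, and the database name are placeholders, and the statements are the T-SQL that SQL Server 2008 and later accept for registering an EKM provider and protecting a TDE database encryption key with it.

```sql
-- Added example (not the vendor's script): enable TDE on a database with the
-- database encryption key (DEK) wrapped by an asymmetric key that lives on an
-- external key manager, reached through SQL Server's EKM interface.
-- Placeholders: provider DLL path, credential identities/secrets, HSM key name,
-- the DBA login, and the content database name.

-- 1. Allow EKM providers on the instance (off by default).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- 2. Register the vendor's EKM provider DLL.
USE master;
GO
CREATE CRYPTOGRAPHIC PROVIDER ExampleKeyManagerProvider
    FROM FILE = 'C:\Program Files\ExampleVendor\ekm_provider.dll';   -- placeholder path
GO

-- 3. A credential that carries the key manager authentication secret, mapped to the
--    login that will create the server-side reference to the HSM key.
CREATE CREDENTIAL EkmAdminCredential
    WITH IDENTITY = 'ekm_admin', SECRET = 'change-me'                -- placeholders
    FOR CRYPTOGRAPHIC PROVIDER ExampleKeyManagerProvider;
ALTER LOGIN [DOMAIN\dba_tde] ADD CREDENTIAL EkmAdminCredential;      -- placeholder login
GO

-- 4. Reference an asymmetric key held on the key manager. OPEN_EXISTING means the
--    key was generated on the HSM and its private half never leaves it.
CREATE ASYMMETRIC KEY TdeMasterKey
    FROM PROVIDER ExampleKeyManagerProvider
    WITH PROVIDER_KEY_NAME = 'sqlserver-tde-key',                    -- placeholder name
         CREATION_DISPOSITION = OPEN_EXISTING;
GO

-- 5. A login mapped to that key, with its own credential, so the engine can reach the
--    key manager at startup to unwrap the DEK without an operator present.
CREATE LOGIN TdeKeyLogin FROM ASYMMETRIC KEY TdeMasterKey;
CREATE CREDENTIAL EkmEngineCredential
    WITH IDENTITY = 'ekm_engine', SECRET = 'change-me'               -- placeholders
    FOR CRYPTOGRAPHIC PROVIDER ExampleKeyManagerProvider;
ALTER LOGIN TdeKeyLogin ADD CREDENTIAL EkmEngineCredential;
GO

-- 6. Create the DEK inside the target database, wrapped by the HSM key, then turn
--    encryption on. The DEK is symmetric; only its wrapped form is written to disk.
USE WSS_Content;                                                     -- placeholder DB
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TdeMasterKey;
GO
ALTER DATABASE WSS_Content SET ENCRYPTION ON;
GO

-- 7. Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
--    tempdb shows up too: it is encrypted as soon as any user database is.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length,
       encryptor_thumbprint
FROM sys.dm_database_encryption_keys;
```

Step 5 is the one people skip: the credential attached to the login created from the asymmetric key is what lets the engine open the HSM key on restart, and without it the encrypted database will not come online. Two further caveats worth planning for: tempdb becomes encrypted once any user database is, and on SQL Server 2008 TDE requires Enterprise Edition.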

Independent Software Vendors and Solution Integrators are also a very important part of the Microsoft SQL Server ecosystem. Software developers have created thousands of applications on top of SQL Server, and mid-size companies look to ISVs to solve difficult compliance issues for them. Along with our release of our HSM for SQL Server, we are inviting ISVs to join our partner program and realize the benefits of simple and cost effective data protection. We are making it easy for ISVs to integrate encryption and key management directly into their applications. Partners can get more information here.

Lastly, did you know that SQL Server is the data store technology for many of Microsoft’s products? For example, SQL Server is the underlying data store for Microsoft SharePoint and Microsoft Dynamics. With SharePoint 2010 you get full support for SQL Server EKM encryption. Worried about sensitive data in your SharePoint collaboration environments? There’s a solution for that!

I will be writing more about our new SQL Server HSM for encryption key management over the next few days. There are some really nice features in the product that deserve a deeper look. For more information, view our webinar "Encryption Key Management with SQL Server". This webinar shows just how easy it is to implement encryption key management on your SQL server.

Patrick


Topics: Encryption, SQL, Encryption Key Management

SQL Security Attacks: Same Ole, Same Ole

Posted by Patrick Townsend on Feb 11, 2011 1:29:00 PM

The PCI conference is just finishing up and I’ll have more on the conference a bit later when information can be made public. One of the interesting talks was by Chris Novak of Verizon. I just want to recap some of his thoughts.

The number of highly targeted and sophisticated attacks is on the rise. We’ve heard this message over the last few months, and the Verizon study confirms this. A highly targeted attack goes after a specific company’s assets with a lot of knowledge about the internal systems. The attacker’s ability to cloak the software is good, and the sophistication of the attack is high. These are highly knowledgeable technicians creating the malware, and they are getting good at attacking sophisticated systems such as Hardware Security Modules (HSMs) that store or process encryption keys. The targets are usually companies with a large concentration of high value financial information. It’s expensive to launch these types of attacks, and the payoff is high. When these breaches are discovered they get a lot of press.

But here’s an interesting fact: these sophisticated attacks on specific targets are still in the minority. Over 80 percent of the breaches are pretty low-tech. That’s right, amazingly, most of the attacks are against web servers, and most of these use SQL injection as the way to get inside. What’s stunning is that we’ve known about SQL injection attacks for a long time. We know how the attacks are made, we know how to test for the weakness, and we know how to remediate the problem. So why haven’t we made much progress in preventing this exposure?

First, we aren’t paying enough attention to our web sites which are not directly related to credit card processing. Novak used the example of an attack on a company’s HR web site. The company posted job openings on the site and did not think it was much of a target. But attackers gained entry to this job postings web site, and then navigated through the internal network to a high value target.

The lesson? We know what to do, we just need to apply that knowledge more broadly.

We might also ask why are we still having a problem with SQL injection? Novak had an interesting take on this, too. To prevent a SQL injection attack you have to use good programming practices. You can’t just plug in an intrusion detection device and think you are safe. You prevent SQL injection by changing the way you develop web and business applications. Do you know what OWASP is? If not, there’s a good chance you are exposed somewhere in your application code to SQL injection.

The lesson? We have to get much more serious about secure programming. If you are a developer of web or business systems, you should know the OWASP Top 10 forwards and backwards. If you manage a development group, be sure everyone is trained on secure programming practices. Make it a requirement for hiring and promotion.
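One concrete picture of what “changing the way you develop” means at the database layer, added here and not taken from Novak’s talk or the original post: the same lookup written with concatenated dynamic SQL and again with a parameterized statement, in T-SQL, with a constructed table and a sample payload. The table, column, and procedure names are assumptions made for the demonstration.

```sql
-- Added example (not from the post): a lookup written two ways in T-SQL.
-- The table and its rows are constructed for the demonstration.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    LastName   nvarchar(50) NOT NULL,
    CardLast4  char(4) NOT NULL
);
INSERT INTO dbo.Customers (LastName, CardLast4)
VALUES (N'Smith', '1234'), (N'Jones', '9876');
GO

-- VULNERABLE: the caller's string is spliced into the statement text, so a quote
-- in the input closes the literal and whatever follows is parsed as SQL.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName, CardLast4 FROM dbo.Customers '
      + N'WHERE LastName = N''' + @LastName + N'''';
    EXEC (@sql);
END;
GO

-- FIXED: the statement text is constant; the value travels as a typed parameter
-- through sp_executesql and is compared as data, never parsed as SQL.
CREATE PROCEDURE dbo.FindCustomer_Safe @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName, CardLast4 FROM dbo.Customers '
      + N'WHERE LastName = @p';
    EXEC sp_executesql @sql, N'@p nvarchar(50)', @p = @LastName;
END;
GO

-- The classic tautology payload: the string  ' OR 1=1 --
-- Against the unsafe procedure the WHERE clause becomes
--     WHERE LastName = N'' OR 1=1 --'
-- and every row, with every card fragment, comes back.
EXEC dbo.FindCustomer_Unsafe @LastName = N''' OR 1=1 --';

-- Against the safe procedure the same string is matched literally and returns no rows.
EXEC dbo.FindCustomer_Safe @LastName = N''' OR 1=1 --';

-- EXEC() also runs stacked statements, so the unsafe form can be made to modify data:
-- EXEC dbo.FindCustomer_Unsafe @LastName = N'''; UPDATE dbo.Customers SET CardLast4 = ''0000'' --';
```

Parameters cover values only. An identifier the caller chooses (a table or column name) cannot be parameterized; check it against an allow-list and wrap it with QUOTENAME() before it goes into the statement text. The same rule applies one layer up: application code talking to SQL Server should hand values to the driver’s parameter mechanism rather than building the command string itself.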

I will leave you with one more interesting point from Novak’s talk. In almost all breaches that Verizon studied, there was enough information in the system logs to identify the attack, but the logs were not reviewed and the attack went undetected.

The lesson? We need to monitor our system logs a lot better. This means investing in software that can automatically sort through the large number of logs and tell us when there is a problem.

There are positive changes under way at the PCI council and I will discuss these more in the days ahead. But one big take-away is that we need to do better what we already know we should be doing. This part is not rocket science.

Patrick

Topics: HSM, Verizon, SQL, Security Attacks