Townsend Security Data Privacy Blog

Meet PCI DSS & HIPAA/HITECH on SQL Server with Encryption Key Management

Posted by Luke Probasco on Nov 8, 2011 11:58:00 AM

As a security company, it always puts a smile on our face when we see people properly protecting their (our) data.  Microsoft made this much easier for organizations running Microsoft SQL Server 2008 with Transparent Data Encryption (TDE) and Extensible Key Management (EKM).  By using TDE, EKM, and an encryption key management appliance, proper encryption and key management is now affordable even to small and medium-sized businesses.

As recently as last month I had a small organization tell me, “I just pay the PCI fines.  It is part of my monthly budget and cheaper than doing encryption.”  This sort of thinking is making less and less sense these days.  Today, we can tell these smaller organizations that encryption and key management is now affordable and that we have a solution that was built specifically for their SQL Server.

I recently sat down with Patrick Townsend, our Founder & CTO and asked him what Microsoft customers should be thinking about when they consider using TDE and EKM on Microsoft SQL Server 2008:

A number of questions pop up right away for Microsoft customers when they start thinking about SQL Server EKM.  The first question is usually, “What is the performance impact going to be?”  I think Microsoft has done a great job of minimizing the performance impact using TDE.  Microsoft says that you will see about a 2-4% additional load on servers when you implement encryption.  In a practical sense, and from our customers, I think those are pretty good numbers.  There is some impact on doing encryption, but it is probably much less than you might think.  The performance impact has been really minimized by Microsoft in this approach.  Cell Level Encryption will have a little bit higher performance impact, but most people will use TDE and that has a very good performance profile for encryption.

I think the other thing to think about, if you are going to implement encryption using EKM, is to address the key server question right up front.  Even though Microsoft gives you the ability to store an encryption key on the local server, it is not considered good security practice and Microsoft recommends the use of an HSM to protect encryption keys.  You should be thinking about using an appliance or HSM as you go forward to protect your encryption keys and give you the best security practice from a compliance point of view.  You don’t want to go down the path of implementing encryption and not following security best practices.  If you have a data breach, you are going to have to defend the approach that you took if you are trying to avoid legal liability and the cost of breach notification.  Using a proper key server should really be a no-brainer.  It is the right thing to do and the right approach.

Finally, an organization needs to look at the affordability of an encryption key management appliance.  In the past, I think one of the real barriers for encryption has been the very high cost of acquiring HSM technology.  I am very proud of our company for really beating down those costs and making them much more reasonable in terms of creating affordable HSM solutions.  With our solution, every mid-market to large-enterprise customer now has HSM technology within their grasp that is affordable and easy to deploy. 
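The key-server point from the interview, in worked form.  The T-SQL below is an added example written for this page; it is not Townsend Security's code or documentation, and it assumes placeholder names throughout (the provider name HSM_Provider, the EKM DLL path, the credential identities and secrets, the key names and the database SalesDB).  Part (A) is the local-certificate setup that "leaves the keys under the mat," part (B) moves the database encryption key's protector to an asymmetric key held in an external HSM through SQL Server 2008's EKM interface, and part (C) is the query that reports which protector each encrypted database actually uses, which is the check an auditor will ask for.

```sql
-------------------------------------------------------------------------------
-- Added example (not from the original post). Placeholders: HSM_Provider,
-- the provider DLL path, the credential identities/secrets, TDE_HSM_Key,
-- [DOMAIN\dba_placeholder] and SalesDB.
-- TDE itself requires SQL Server 2008 Enterprise (or Developer) edition.
-------------------------------------------------------------------------------

-- (A) "Keys under the mat": the database encryption key (DEK) is protected by
--     a certificate stored in master on the same server as the data files.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
CREATE CERTIFICATE TDE_Local_Cert WITH SUBJECT = 'TDE protector (local)';
GO
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Local_Cert;
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- Whoever holds a backup of master (or sysadmin on this box) holds the
-- certificate and therefore the DEK: the protector sits next to the data.

-- (B) Recommended: re-protect the DEK with an asymmetric key that never leaves
--     an external HSM, reached through a vendor EKM provider DLL.
USE master;
GO
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO
-- Register the vendor's EKM provider (DLL path is a placeholder).
CREATE CRYPTOGRAPHIC PROVIDER HSM_Provider
    FROM FILE = 'C:\Program Files\ExampleVendorEKM\ekm_provider.dll';
GO
-- Credential the DBA uses to authenticate to the HSM while creating the key.
CREATE CREDENTIAL HSM_Admin_Cred
    WITH IDENTITY = 'hsm-admin-placeholder', SECRET = 'hsm-secret-placeholder'
    FOR CRYPTOGRAPHIC PROVIDER HSM_Provider;
ALTER LOGIN [DOMAIN\dba_placeholder] ADD CREDENTIAL HSM_Admin_Cred;
GO
-- Create the RSA key inside the HSM; SQL Server keeps only a reference to it.
CREATE ASYMMETRIC KEY TDE_HSM_Key
    FROM PROVIDER HSM_Provider
    WITH PROVIDER_KEY_NAME = 'sqlserver_tde_key_placeholder',
         CREATION_DISPOSITION = CREATE_NEW;
GO
-- A login mapped to the key, with its own credential, lets the Database Engine
-- reach the HSM unattended when it opens the database at startup.
CREATE LOGIN TDE_HSM_Login FROM ASYMMETRIC KEY TDE_HSM_Key;
CREATE CREDENTIAL HSM_Engine_Cred
    WITH IDENTITY = 'hsm-service-placeholder', SECRET = 'hsm-secret-placeholder'
    FOR CRYPTOGRAPHIC PROVIDER HSM_Provider;
ALTER LOGIN TDE_HSM_Login ADD CREDENTIAL HSM_Engine_Cred;
GO
USE SalesDB;
GO
-- Swap the DEK's protector from the local certificate to the HSM-held key.
-- The data is not re-encrypted; only the DEK is re-wrapped.
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER ASYMMETRIC KEY TDE_HSM_Key;
GO
-- The local certificate no longer protects anything and can be dropped once
-- every backup taken under (A) has been retired.

-- (C) The check: which protector guards each encrypted database right now?
--     encryption_state 3 = encrypted, 2 = encryption scan in progress.
SELECT DB_NAME(dek.database_id)                 AS database_name,
       dek.encryption_state,
       dek.percent_complete,
       dek.key_algorithm,
       dek.key_length,
       CASE
           WHEN ak.cryptographic_provider_guid IS NOT NULL
                THEN 'EKM/HSM asymmetric key: ' + ak.name
           WHEN ak.name IS NOT NULL THEN 'local asymmetric key: ' + ak.name
           WHEN c.name  IS NOT NULL THEN 'local certificate: '    + c.name
           ELSE 'unknown protector'
       END                                       AS dek_protector
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN master.sys.asymmetric_keys AS ak
       ON ak.thumbprint = dek.encryptor_thumbprint
LEFT JOIN master.sys.certificates    AS c
       ON c.thumbprint  = dek.encryptor_thumbprint;
```

Run part (C) on its own against any instance: a row whose dek_protector starts with "local certificate" is a database whose TDE key is only as safe as a backup of master, which is exactly the configuration the interview warns against.  Dropping the certificate after step (B) is deliberate; leaving it in place means the old wrapping material is still on the box.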

Download our podcast “Encryption Key Management with Microsoft SQL Server 2008” to listen to our complete discussion and learn even more about TDE and EKM.



Topics: SQL Server 2008, Encryption Key Management

2011 PASS Summit: Are You Encrypting?

Posted by Luke Probasco on Oct 18, 2011 9:55:00 AM

Last week Townsend Security exhibited at the PASS Summit and showed off our new encryption key management appliance.  This was our first time attending this show, and if you aren’t familiar with the PASS Summit, it is the world’s largest, most-focused, and most intensive conference for Microsoft SQL Server and BI professionals.  This year's show was the biggest conference to date, with over 4000 attendees.

This was a good show for us.  The SQL Server community really understands the importance of encryption and key management.  Microsoft made encryption much easier with the introduction of Transparent Data Encryption (TDE) in SQL Server 2008 and opened the doors for proper encryption key management with Extensible Key Management (EKM).  With this combination, it is now easier than ever for organizations to be encrypting their sensitive data with “best practices.”

It was encouraging to see how many people were encrypting their sensitive data using TDE.  When we told them about our encryption key management appliance, their eyes lit up and they said, “I need that!  We need to meet PCI DSS and get our encryption keys off of our SQL Server.”  We were more than happy to tell them how easy it is to start properly managing their encryption keys, both technically and financially.  Our client installs easily, just like any other application on SQL Server, and setup is a breeze.  When the average cost of a data breach to an organization is over $7 million, it is getting easier to justify the business case for proper encryption and key management.

Of course not everyone was encrypting.  Some people just didn’t need to.  Others though, when asked about encryption, hung their head and said “No, but I probably should be.”  And these were people in the medical and financial industries!  (Note to self: don’t give these organizations my personal information.)

The concept of “leaving your keys under the mat” really resonated with this crowd.  If they didn’t know the importance of separating encryption keys from the encrypted data before they visited us, they certainly knew it well by the time they left.  We look forward to attending this show again next year and maybe the people who currently aren’t encrypting our private information will be first in line next year telling us about their “nightmare audit.”

For more information on our encryption key management appliance, built specifically for SQL Server, view our webinar “Encryption Key Management with Microsoft SQL Server.”  See how easy it can be to implement strong key management and hear what hundreds of attendees learned at PASS last week.


Topics: SQL Server 2008, SQL, Trade Shows

3 Questions from Encryption Key Management for SQL Server Webinar

Posted by Luke Probasco on Sep 22, 2011 1:30:00 PM

Last week we hosted a webinar titled “Encryption Key Management with Microsoft SQL Server 2008” and had excellent attendance!  The webinar covered meeting encryption key management compliance requirements on Microsoft SQL Server.  Patrick Townsend, Founder and CTO, discussed how our new hardware security module (HSM) is simplifying how organizations are meeting compliance requirements and how it removes cost as a barrier for a professional encryption key management solution.

During the webinar we received some excellent questions that we would like to share.  As always, let us know if we can answer any further questions!

What are the performance impacts of encryption?

That’s a great question.  Encryption has a reputation for being very demanding from a performance point of view.  It doesn’t have to be that way.  We know from our own practice that encryption can be optimized and very efficient.  In the Microsoft SQL Server EKM environment, especially if you are using TDE, the SQL Server itself is doing the encryption of the entire table space and the encryption key manager is providing the vault and protection of the encryption keys.  Microsoft will tell you that TDE will impose about a 2-4% performance impact on your applications.  I think that is relatively accurate.  We have done our own testing with TDE and we come in closer to a 2% impact, and in some cases we come in even less.  Of course, you have to have the usual caveats.  Your applications and the size of your database may show you different results in terms of performance, but I think those are good numbers for guidance.  So, encryption is a pretty small impact on the overall application environment for the protection that it provides.

Does your Enterprise Edition of Alliance Key Manager serve encryption keys to Oracle databases as well?

Yes!  We have customers today that are protecting data in Oracle databases using key retrieval libraries that we provide.  The same is true for MySQL, DB2, and other databases.  We provide a wide set of libraries to help customers protect data in any database.

How do you price your encryption key management for SQL Server solution?

The product is based on the number of key managers.  Depending on what customers need in the way of production and development environments, we provide a set of pricing plans to help them get into the technology in a very cost effective way.  If you would like formal pricing, let us know and we would be happy to schedule a call and see how we can meet your needs.

We are very focused on cost-effective solutions for our Microsoft mid-market customers.  We know that everyone’s resources are constrained these days.  We are philosophically committed to helping customers with cost-effective and FIPS-certified encryption key management solutions.

View our webinar "Encryption Key Management with Microsoft SQL Server" to learn more about utilizing Microsoft’s Extensible Key Management (EKM) interface in SQL Server 2008.


Topics: SQL Server 2008, Encryption Key Management