Townsend Security Data Privacy Blog

Our Top 10 Most Popular Data Security Blog Posts of 2014

Posted by Michelle Larson on Dec 31, 2014 10:37:00 AM

Encryption, Key Management, and Data Security…Oh My!

This has been a busy year at Townsend Security with the addition of 2FA, the introduction of Key Management in AWS, Azure, and Key Connection for Drupal. Looking back over our data security blog and the most-viewed topics, I wonder... Did you miss out on any of these?  Take some time to check them out!

Heartbleed

Heartbleed and the IBM i (AS/400)

by Patrick Townsend  (April 11, 2014)

Key take-away: It is important to understand that while the IBM i platform may not be directly vulnerable to the Heartbleed problem, you may have lost IBM i User IDs and passwords over VPN or other connections which are vulnerable. An exploit of Heartbleed can expose any information that you thought was being protected with session encryption.

From the blog article you can download additional content:  
Ebook: Turning  a Blind Eye to Data Security

What are the Differences Between DES and AES Encryption?

by Michelle Larson  (September 4, 2014)

Key take-away: Even Triple DES (3DES), a way of using DES encryption three times, proved ineffective against brute force attacks (in addition to slowing down the process substantially).

From the blog article you can download additional content:    
White Paper: AES Encryption & Related Concepts

Encryption & Key Management in Windows Azure

by Michelle Larson  (February 13, 2014)

Key take-away: In February 2014 we released the first encryption key manager to run in Microsoft Windows Azure. This blog highlights four of our most frequently asked questions about providing data security IN the Cloud.

From the blog article you can download additional content:    
Podcast: Key Management in Windows Azure 

Homomorphic Encryption is Cool, and You Should NOT Use It 

by Patrick Townsend  (October 6, 2014)

Key take-away: Homomorphic encryption is a promising new cryptographic method and hopefully the cryptographic community will continue to work on it. It has yet to achieve adoption by standards bodies with a proper validation processes.

From the blog article you can download additional content:  
eBook: the Encryption Guide

Authentication Called For By PCI DSS, HIPAA/HITECH, and GLBA/FFIEC

2FA Resource Kitby Michelle Larson  (March 24, 2014)    

Key take-away: Two-factor authentication (2FA) plays a critical role in both meeting compliance regulations and following data security best practices. This trend will only grow within various industries and throughout the overall data security environment.

From the blog article you can download additional content:  
2FA Resource Kit: White paper, Webinar, Podcast

Encrypting Data In Amazon Web Services (AWS)

by Patrick Townsend  (August 28, 2014)

Key take-away: Amazon Web Services is a deep and rich cloud platform supporting a wide variety of operating systems, AWS services, and third party applications and services. This blog explores some of the ways that our Alliance Key Manager solution helps AWS customers and partners protect this sensitive data.

From the blog article you can download additional content:  
Podcast:  Encrypting Data in AWS

Key Connection - The First Drupal Encryption Key Management Module

by Michelle Larson  (February 21, 2014)

Key Connection for Drupal

Key take-away:  Working together to solve the Drupal data security problem, the security experts at Townsend Security and Drupal developers at Cellar Door Media have released the Key Connection for Drupal solution, which addresses the need for strong encryption and encryption key management within the Drupal framework. Now personally identifiable information collected during e-commerce checkouts and user account that contain names and e-mail addresses can be easily encrypted, and the encryption keys properly managed, by organizations that collect and store that sensitive information.

From the blog article you can download additional content:   
Podcast: Securing Sensitive Data in Drupal

Nine Guidelines for Choosing a Secure Cloud Provider

by Patrick Townsend  (July 8, 2014)

Key take-away:  Security professionals (CIOs, CISOs, compliance officers, auditors, etc.) and business executives can use the following set of key indicators as a way to quickly assess the security posture of a prospective cloud provider and cloud-based application or service. Significant failures or gaps in these nine areas should be a cause for concern and suggest the need for a more extensive security review 

From the blog article you can download additional content:  
eBook: The Encryption Guide 

Never Lose an Encryption Key in Windows Azure       

by Patrick Townsend  (March 7, 2014)

Key take-away: This blog discusses backup/restore, key and policy mirroring, availability sets, and mirroring outside the Windows Azure Cloud.  Alliance Key Manager in Windows Azure goes the distance to help ensure that you never lose an encryption key. You might be losing sleep over your move to the cloud, but you shouldn’t lose sleep over your encryption strategy.

From the blog article you can download additional content:    
Free 30-day Evaluation of Alliance Key Manager for Microsoft Azure

3 Ways Encryption Can Improve Your Bottom Line

by Michelle Larson  (May 20, 2014) 

Key take-away: In a business world that is moving more towards virtualization and cloud environments, the need for strong encryption and proper key management is critical. Due to all the recent and well-publicized data breaches, we all know about the ways your brand can be damaged if you don’t encrypt your data. This blog takes a look at the benefits of encryption, and three of the ways it can have a positive effect on your business.

Additional content:  You’ll also discover that this is the third time in this Top-10 list that the eBook: The Encryption Guide is offered… so if you haven’t read it yet… what are you waiting for?

The Encryption Guide eBook

Topics: Data Security, Encryption, Best Practices, Amazon Web Services (AWS), Encryption Key Management, Virtualized Encryption Key Management, two factor authentication, Microsoft Windows Azure

How To Meet PCI DSS Compliance With VMware

Posted by Michelle Larson on Sep 25, 2014 3:12:00 PM

VMware and PCI DSS Compliance: Taking the right steps in a virtualized environment

VMware encryption key management

As of vSphere 6.5, AES encryption has been added to VMware. With VMWare encryption, complying with PCI DSS, requirement 3 is even easier. And executives are taking note as they look to conserve resources by moving their organizations databases and IT environments to virtualized platforms and to the cloud.

Security best practices and compliance regulations call for sensitive data to be protected with encryption and that data-encrypting keys (DEK) be physically or logically separated from the sensitive data and protected with strong key-encrypting keys (KEK). Depending on what type of information is being stored and what industry guidance your project/company falls under, compliance regulations in addition to PCI DSS may apply.

VMware PCI DSS ComplianceThe Payment Card Industry Data Security Standard (PCI DSS) is one of the most rigorous and specific set of standards established to date and is used by many organizations as a standard to secure their systems. PCI DSS applies to all organizations that store, process, or transmit cardholder data, regardless of volume. This includes merchants, service providers, payment gateways, data centers, and outsourced service providers.

Here is a high level look at all twelve items that must be met in order to be compliant, with three new requirements in PCI DSS 3.0 (**) that warrant mentioning as being most relevant to the use of VMware and cloud technologies in a PCI-regulated infrastructure:

Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect cardholder data


(3.0) **Req. 1.1.3: "[Maintain a] current diagram that shows all cardholder data flows across systems and networks."

Requirement 2: Do Not use vendor-supplied defaults for system passwords and other security parameters

(3.0)** Req. 2.4: "Maintain an inventory of system components that are in scope for PCI DSS."

Protect Cardholder Data

Requirement 3: Protect stored cardholder data*


* Requirement 3 specifically addresses the need for encryption and key management, stating:

“Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.”

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs


Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know


Requirement 8: Identify and authenticate access to system components


Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data


Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that address information security for all personnel

(3.0) ** Req. 12.8.5: "Maintain information about which PCI DSS requirements are managed by each service provider and which are managed by the entity."

It can seem overwhelming at first, but the PCI Security Standards Council (PCI SSC) website contains this documentation along with a number of additional resources to assist organizations with their PCI DSS assessments and validations. Within the latest documentation by the PCI Security Standards Council (v3.0 released November 2013) specific testing procedures and guidance is given for Requirement 3 on pages 34-43.

Fortunately, there are also standards and published guidance on running payment applications in a virtualized environment:

Payment Card Industry Data Security Standard: Virtualization Guidelines and Cloud Computing Guidelines

NIST SP 800-144: Guidelines on Security and Privacy in Cloud Computing

Cloud Security Alliance: Security Guidance for Critical Areas of Focus in Cloud Computing

While virtual technology is not limited to VMware, it is one of the most commonly used and supported architectures by many cloud service providers. In addition to the PCI compliance and cloud guidelines above, VMware worked with CoalFire, a QSA auditing firm, to create guidance on how to specifically deploy payment applications in a VMware environment. You can access the CoalFire document  here.

As platform virtualization becomes a more popular solution, executives need to remain vigilant with their data security and meeting compliance requirements. We can help make the transition to VMware easy with our Alliance Key Manager for VMware solution, which meets the PCI recommendations when deployed properly in a VMware environment. We are committed to helping businesses protect sensitive data with industry standard NIST compliant AES encryption and FIPS 140-2 compliant encryption key management solutions.


To learn more about enterprise key management for VMware and vCloud, download our podcast "Virtualized Encryption Key Management".

Podcast: Virtualized Encryption Key Management
 

Topics: Alliance Key Manager, PCI DSS, Encryption Key Management, VMware, Virtualized Encryption Key Management, Podcast, PCI, Cloud Security

Critical Steps to Encryption & Key Management in the Azure Cloud [White Paper]

Posted by Michelle Larson on Aug 7, 2014 1:36:00 PM

Understanding Options and Responsibilities for Managing Encryption in the Microsoft Azure Cloud

Encryption & Key Management in Microsoft Azure In this latest white paper, authored by Stephen Wynkoop (SQL Server MVP, Founder & Editor at SSWUG.ORG), Stephen will address how “data at rest is data at risk”, specifically looking at the Microsoft Azure Cloud as a selected platform.  The author covers a wide array of information, and discusses in detail how critical it is to do the important work of protecting information in a way that works both with your applications and with the compliance regulations & requirements that impact your company and industry.

Each of the key topic areas below are addressed in detail in the white paper:

Architecture Decisions Drive Technology Approach

The options range from fully-managed data storage and access (Windows Azure SQL Database, WASD) to setting up a SQL Server with a Virtual Machine instance. Each certainly has its place, but there are big differences in options they support.

  • Virtual Machines
  • Key Decision Points, VMs
  • Windows Azure SQL Database  (WASD)
  • SQL Server and Data Encryption Choices

Impact of Encryption

Encryption, and the impact of encryption on your systems, is a big area of concern for those deploying it. Three different areas are important to consider when impact on systems is considered.

  • Performance
  • Backup and Restore Operations
  • High Availability

Key Management Fundamentals

There are core best practices to consider while you’re deploying your selected solution. Some are procedural while others are software/hardware implementations. Keep in mind that the key is to protect your most important secret: the encryption keys. You must provide for protection of the encryption keys, while still providing for access, updates and rotation (key management) of those encryption keys throughout their lifecycle.

  • Segregation of Duties
  • Dual Control & Split Knowledge
  • Key Rotation
  • Protection of Keys
  • Access Controls and Audits, Logging

The author also covers how Townsend Security’s Alliance Key Manager provides answers to these challenges of working with the Microsoft Azure Cloud, securing information with encryption, and the critical need to manage the keys. For more information on Alliance Key Manager for Windows Azure, download our solution brief or get started with a complimentary 30-day evaluation

Encryption & Key Management in Microsoft Azure

Author Bio: Stephen Wynkoop

Stephen Wynkoop is the founder and editor for SSWUG. ORG – the SQL Server Worldwide User’s Group where he writes a column and maintains the site overall. SSWUG features a weekly video programs about the database and IT world, webcasts, articles, online virtual community events and virtual conferences several times a year. Stephen is a Microsoft SQL Server MVP and the author of more than 10 books, translated into at least 7 languages. Stephen has been working with SQL Server since the very first version, with a prior experience in database platforms that included dBase and Btrieve. Stephen can be contacted at swynk@sswug.org.

Topics: Alliance Key Manager, Encryption, Encryption Key Management, White Paper, SQL Server, Virtualized Encryption Key Management, Cloud Security, Microsoft Windows Azure

Encryption & Key Management Everywhere You Need It

Posted by Michelle Larson on Mar 11, 2014 3:07:00 PM

Wherever your sensitive data resides - client side applications, secure data centers, or in the cloud - Encrypt it!

Click to request the webinar: Encryption & Key Management Everywhere Your Data Is “Sensitive data” is not just credit card numbers and expiration dates anymore.  Because of recent data breaches, we know that loyalty information like names, e-mail, physical addresses, phone numbers; personal data like birthdate, social security number... so much information today... now constitutes what we call personally identifiable information (PII) and must be properly protected with encryption no matter it is stored.

When it comes to protecting data, look to well-defined industry standards for an encryption algorithm that is reviewed and vetted by cryptographers around the world. Advanced Encryption Standard or AES is the most commonly used encryption algorithm to protect sensitive data. Validated by the National Institute of Standards and Technology (NIST), this standard is referenced in a wide variety of compliance regulations either as a requirement or as a recommendation. However, the AES algorithm is not the secret that we have to defend. Think of encryption as the lock that you put on your front door, and the encryption key is your house key. You don’t tape your house key right next to the lock when you leave in the morning, you take it with you and you protect it from loss or theft. Your unique encryption key is THE secret that you must protect, which can be accomplished using a secure, certified key management solution. Getting encryption key management right is in fact the biggest challenge customers and organizations run into when they start their encryption projects.

When you look at what it takes to properly protect sensitive data with encryption, you immediately find standards (NIST) & best practices for key management, and industry compliance regulations (PCI DSS, HIPAA/HITECH, FFIEC, and state privacy laws) that require proper key management. They all say the same thing: “Do Not Store the Encryption Key on the Same Server as the Encrypted Data”.

Encryption key management is a well-defined process with standards and best practices around managing encryption keys and a formal definition of the encryption key lifecycle.  

Encryption Key Life Cycle Graphic by Townsend Security
When an encryption key is first generated, or established, it may not be used for some time so it waits in a pre-activation status until it is being actively used.  The key will expire after use or based on a set definition and then will go into escrow after post-activation. After that period, the key is generally destroyed.

One way to destroy data is to destroy the encryption key that's protecting it, because if the key is not recoverable neither is that data. Auditors will want to know if you have a process for managing the encryption key through the entire lifecycle, and this is one of the things that a key management solution does for you in a provable way.  Beyond the encryption key lifecycle, the key management solution provides access controls for users and groups, in-depth audit trails and system logging with the ability to integrate across multiple platforms, and they must implement a mechanism for dual control and separation of duties to really meet compliance regulations as well as defensible security best practices.

It is also very important for an encryption key manager to provide the option of onboard encryption. The core function of the encryption key management solution is to generate, protect, and distribute encryption keys to authenticated users. If you have a web application or a more exposed cloud environment, retrieving an encryption key may seem risky to you in terms of having that key in your operating environment. With an onboard encryption solution you can send your data to the key manager, name a key, and get that data encrypted or decrypted strictly within the confines of that key management solution. Avoiding the risk of losing encryption keys in a more exposed environment is an important component in a compliance strategy.

Even 10 years ago, encryption key management solutions were very expensive specialized hardware devices and very difficult and time consuming projects. Thankfully, encryption and key management is no longer the development or cost headache it once was. Since IT infrastructures have become very complex environments using different technologies and platforms (60% of Microsoft SQL Server customers are also running Oracle someplace in the organization), a key management solution also needs to address these complexities and protect data wherever it may be. There are still hardware security modules (HSMs) and now there are new options for deployment of cloud-based HSMs, virtual appliances, and true cloud instances of encryption and key management.

Hardware Security Module (HSM) is a physical appliance or security device that is protected and tamper evident. Built for high resiliency and redundancy it has hot swappable rated disc drives, dual power supplies, dual network interfaces, and is deployed in your IT data center.

Cloud HSM is a physical appliance hosted in a secure cloud with real-time encryption key and access policy mirroring.  Dedicated HSMs are hosted in geographically dispersed data centers under an ITIL-based control environment and are independently validated for compliance against PCI DSS and SOC frameworks. No access is available to the cloud vendor or any unauthorized user.

Virtual Appliances are the exact same key management solution - the same binary software that runs inside the hardware HSM - available as a VMware instance.

In the Cloud - If you're running on Microsoft Windows Azure or vCloud, the encryption key manager can run as a true cloud instance in a standard cloud or deploy in a virtual private cloud for added data protection for sensitive applications.

Because encryption and key management is so important, we offer all of the options listed above as NIST validated and FIPS 140-2 compliant solutions. We also want to make sure encryption is available everywhere you need it, so at Townsend Security we have a very different philosophy and approach:

  • We think that when you buy an encryption key manager, you should be able to easily deploy the solution, get all your encryption projects done properly, and have very affordable and predictable costs.

  • We understand that we live in a world where budget matters to our customers, so we do not charge client-side fees.  

  • We understand that IT resources are limited and have done a huge amount of work to make our solutions easy with out-of-the-box integrations, simplified deployments, and also provide along with our solution ready-made client-side applications, encryption libraries, source code samples, as well as SDKs for developers who need them to get their projects done very quickly.

To learn more about key management and how to properly encrypt sensitive data anywhere you store it, download our latest webinar featuring data security expert Patrick Townsend:

Request the webinar: Encryption & Key Management Everywhere Your Data Is

Topics: Encryption, HSM, Encryption Key Management, cloud, Virtualized Encryption Key Management, Webinar

Virtual Encryption Key Management - 5 Things to Look For

Posted by Liz Townsend on Jan 28, 2014 4:52:00 PM

Virtual encryption solutions are becoming more and more popular with organizations that are now running their applications and data centers on virtual machines and in the cloud. Although a traditional hardware security module (HSM) for key management may still be the most convenient encryption key management solution for some companies, a virtual encryption key management solution is ideal for companies who are moving to virtual machines and the cloud in order to reduce cost and complexity. Even in virtual and cloud environments, you must protect your sensitive data and manage your encryption keys in order to meet retail, healthcare, and financial regulations such as PCI-DSS, HIPAA/HITECH, and GLBA/FFIEC.

Listen to the Podcast on Key Management Options

Of course, choosing a virtual key management and cloud-based encryption vendor can be difficult. Heck--encryption key management has a reputation for being difficult in itself. That’s why when choosing a virtual encryption key management solution, it’s important to look for these four differentiating factors:

1. Free 30 day trial any time of the year. Any company who offers a free thirty day trial for only a limited period of time may not be giving you a chance. Sure, installing a virtual encryption key manager is faster and easier than deploying an HSM in your data center, but the backend decision making and evaluation in your company may take at least several weeks, if not months. Look for a virtual solution that you can deploy fast, but without the pressure of a limited trial, and when you’re ready.

2. Client side applications and SDKs. Every company’s IT infrastructure is different. One of the most frustrating aspects of adopting an encryption key management solution can be roadblocks associated with needing specialized solutions or software development kits (SDKs). Today many organizations utilize both a cloud solution as well as physical hardware. Your encryption key management vendor should provide you with resources to make securing these systems easy. Better yet, they should be free.

3. Help you move to any cloud service. The cloud is always growing. With so many different cloud vendors available to you, you’ll want the power to decide which cloud you choose to move to. Your virtual encryption key management vendor should be able to support your move to the cloud whether you decide to move to VMware’s vCloud, Windows Azure, or Amazon Web Services (AWS).

4. World-class, enterprise level encryption key management for businesses of any size. Cost should not be a barrier to security. Choosing a virtual encryption key management solution can be difficult, especially when you’re faced with a tight budget. You should always ask your potential encryption key management vendor about their pricing model--do they price per key manager instance as well as additional costs per connection? Can they scale their solution to meet your company’s needs?

5. Personal attention & world-class service. Bigger isn’t always better. In the complicated world of encryption and encryption key management, you want a vendor who can move fast, pay attention to detail, and be there for you in times of need.

Townsend Security offers NIST FIPS 140-2 compliant virtual encryption key management with the added bonus of specializing in scalable solutions to meet the needs of any size of company. Free 30 day trials have been and will always be available for all of our solutions during any time of the year.

Alliance Key Manager for VMware, vSphere, and vCloud, and Alliance Key Manager for Windows Azure provide full life-cycle management of encryption keys to help organizations meet PCI DSS, HIPAA, and FFIEC compliance in virtual and cloud instances.  With built-in key replication, key retrieval, and administrative controls, Alliance Key Manager virtual machine is a secure, reliable, and affordable key management solution for a wide variety of business applications and databases.  Additionally, Alliance Key Manager supports on-appliance encryption and decryption services so that your encryption key is always kept separate from the data it protects. We provide free client side applications and SDKs to make deployment faster and easier than ever.

Listen to the Podcast on Key Management Options

Topics: Encryption Key Management, VMware, Virtualized Encryption Key Management

Encryption Key Management Options: Hardware, Virtualized, and Cloud… Oh My!

Posted by Michelle Larson on Jan 9, 2014 2:39:00 PM

With encryption and key management now being offered on a variety of hardware, virtualized, and cloud platforms, is it simply just a matter of preference or is one option better for you than another?  

Listen to the Podcast on Key Management Options Companies of all sizes now have options for securely protecting sensitive data using the appropriate security technology for their situation and industry regulations. Being responsible for the safekeeping of sensitive data like credit cards, social security numbers, or e-mail addresses, makes your encryption and key management strategy critically important. Once your sensitive data is encrypted, key managers are the specialized security devices that are designed to safeguard your encryption key (which is the secret that must be protected). Before deciding on how an enterprise should deploy an encryption key manager there are several questions to ask and factors to consider.

What different device options are available to organizations needing an encryption key manager?

Hardware Devices
Today we have many options for key management solutions, including the traditional key management hardware security module (HSM), which is now more cost effective and easy to deploy than it was even five years ago. HSMs are network attached in your data center and accessed when encryption keys are needed. If your company has a physical data center and the infrastructure to support it, an HSM can still be your most secure option.

Cloud-hosted HSM
The cloud-hosted key management HSM functions in much the same way as the traditional security device. However, you do not need to have the infrastructure of a physical data center in order deploy or maintain the cloud-based HSM since it is hosted by the cloud hosting provider.  Be aware of your cloud environment (is it shared or private?), and make sure to choose an option that provides real-time mirroring and redundant backups in geographically diverse locations.

Virtualization Options
Additionally it is now possible to deploy virtualized key management appliances. There is no hardware when you deploy a VMware or Hyper-v or Xen virtualized appliance inside your own virtualization infrastructure. A true cloud-based key management solution like VMware gives you a path to run key management solutions in vCloud either as standard cloud instance or virtual private clouds. Microsoft Azure and Amazon Web Service and other cloud platforms provide a mechanism for deploying virtualized key management appliances too.

What are some factors people need to consider when deciding which key management option is right for their organization?

Risk Tolerance
Risk tolerance is perhaps the main driving force for which of the key management options you might choose. If you're very risk-averse then probably you will want to deploy a hardware security module (HSM) in your own data center.  If you have a moderate level of risk tolerance  you might consider a cloud-based HSM hosted by a cloud vendor with appropriate security technology. A company dealing with small amounts of data might bear some additional risk and use a key management solution to help protect encryption keys in a virtual environment. Cloud or virtual solutions can be much more cost-effective and give enough protection for encryption keys to meet a lower risk tolerance level.

Compliance Regulations
Most compliance regulations give clear guidance on best practices about where encryption key management can and should run. Generally speaking, regulations are based on your industry and what type of sensitive data you store. 

PCI Security Standards Council has issued Cloud Computing Guidelines as well as guidance around virtualization of data protection solutions, so you can be PCI compliant with a cloud-based key management and encryption solution.

Cloud Security Alliance (CSA) has issued good guidance around key management and cloud environments - version 3.

Other regulations are not yet providing concrete guidance,and in some cases it is best to confirm with qualified auditors and assessors to really understand whether or not you can be in compliance and deploy true cloud-based virtualized key management solutions.

Infrastructure
Your key management options are also based on where your data is stored. If you don't have a traditional data center, for example if you are using a software as a service (SaaS) solution, you may not have your own IT infrastructure or personnel with which to deploy a traditional encryption key management HSM internally. So the physical and organizational structure will come to bear in terms of the choices that you have around deploying key management.

Cost
Budget is always an important factor. As you consider various options, ask about endpoint licensing fees and make sure you have predictable maintenance costs as more databases/applications request key access. Remember to consider the costs of not properly managing sensitive data when doing the security cost benefit analysis.

Whatever option you choose, it is always wise to use key management best practices:

    • Always separate the encryption keys from the protected data
    • Use dual control
    • Practice separation of duties
    • Manage key rotation
    • Look for NIST validations like FIPS 140-2

Please download our most recent podcast on Encryption Key Management Options to hear more about how to meet the challenges of running cloud or virtual applications where implementations are inherently shared, multi-tenant environments!

Listen to the Podcast on Key Management Options

Topics: Alliance Key Manager, HSM, Hosting, Encryption Key Management, cloud, Virtualized Encryption Key Management, Podcast, Alliance Key Manager Cloud HSM, Choosing Solution

Encryption Key Management in the Cloud

Posted by Michelle Larson on Nov 6, 2013 1:15:00 PM

What to look for in a Cloud HSM solution

With the latest advances in encryption technology, organizations are now able to protect sensitive data with encryption key management in the cloud. The lower costs for maintenance and software (on the operational side) makes the cloud an attractive place for companies to move their data centers and for technology companies to deploy their applications. Encryption Key Management in the Cloud However, these multi-tenant cloud environments provide some real challenges in terms of protecting data from exposure and meeting special requirements in terms of security. In traditional IT data center environments you would normally place a hardware security module (HSM) key management device directly into your rack. However, traditional encryption key management systems don’t function well in cloud environments, and often companies moving to the cloud don’t have a traditional IT infrastructure. This creates new issues and challenges for administrators to provide the level of security for encryption keys needed to protect data and meet compliance regulations. When considering the move of your data to the cloud, think about whether or not you will have:

Access:

When it comes to encryption key management, only you should have access to encryption keys that protect your data. When you consider a Cloud HSM, be sure to ask if the cloud provider will have access to the HSM and your keys. The answer may surprise you! Because the encryption keys are the “secret” that protects your sensitive information, no one else should have access to your data encryption keys or to the systems that protect those keys. This is the same rule that applies in a traditional IT infrastructure and needs to be followed when you deploy data protection in a cloud environment. Not only is it a compliance requirement to protect encryption keys, but using a secure HSM is a security best practice.

Control:

HSMs are a vital part of any data protection strategy. Encryption key managers that serve for protecting data in the cloud need to be fully under your control. To make sure that you have proper controls, your key management solution should be:

  • Segmented from your cloud data
  • Independent of your cloud vendor
  • Able to meet the highest level of security requirements
  • Designed to follow encryption key management system best practices

Mobility:

With an encryption key management and HSM solution that's protecting data in the cloud it matters where your key managers are located. If you're deploying a solution that is proprietary to your cloud vendor, your keys are locked into that cloud vendor and if you move your data, you can’t access or move your encryption keys. You also want to make sure your cloud vendor has no administrative access to that key manager. Fundamental things to think about when you deploy a key management solution:

  • Are you a locked into that cloud platform?
  • Do you have full and exclusive control of your keys?

Compliance regulations are very explicit about protecting sensitive data with proper encryption key management, and recommend good key management practices as a core principle. When you move to the cloud, you don’t automatically have that level of security for your data.  To meet PCI-DSS requirements for protecting credit card information you should really look at the PCI-Data Security Council - Cloud Computing Guidelines as well as their guidance around virtualization since cloud environments are virtualized environments.

Excerpt from PCI-DSS Cloud Computing Guidelines - Executive Summary:

“Cloud computing is a form of distributed computing that is yet to be standardized. There are a number of factors to be considered when migrating to cloud services, and organizations need to clearly understand their needs before they can determine if and how they will be met by a particular solution or provider. As cloud computing is still an evolving technology, evaluations of risks and benefits may change as the technology becomes more established and its implications become better understood.
...

It’s important to note that all cloud services are not created equal. Clear policies and procedures should be agreed between client and cloud provider for all security requirements, and responsibilities for operation, management and reporting should be clearly defined and understood for each requirement.”

It is also important to look at the Cloud Security Alliance recommendations for cloud security - version 3. Whether you are a cloud vendor or a cloud user, the CSA provides very practical and straightforward guidance on security in the cloud environment. In order to properly secure and protect vital information, you need to understand the security posture of your cloud provider. Don't be satisfied with general statements about security, look for external audits and regular expressions of compliance reviews so you know for sure that you're truly covered. Be sure your encryption keys are in geographically dispersed data centers under an ITIL-based control environment independently validated for compliance against PCI DSS and SOC frameworks to properly manage risk.

Please download our latest Podcast “Encryption Key Management in the Cloud” which covers these topics in greater depth and also talks about how organizations deal with High Accessibility (HA) and Disaster Recovery when their HSM is in the cloud. The podcast will also cover our new Alliance Key Manager Cloud HSM solution that lets you protect data in Amazon Web Services, in Microsoft Azure, Rack-Space, or any cloud environment where you deploy data.

Encryption Key Management in the Cloud

Have questions or concerns about data security in the cloud?  Please leave a comment here and we will get right back to you!

Topics: Encryption Key Management, cloud, Virtualized Encryption Key Management, Podcast, Alliance Key Manager Cloud HSM

5 Critical Features to Look for in a VMware Encryption Key Manager

Posted by Liz Townsend on Aug 9, 2013 11:45:00 AM

Even though technology has evolved to reduce cost and complexity in our IT infrastructure through virtualization and cloud computing, these technologies have also introduced new concerns and complications around data security. The main reason security and IT professionals are so concerned about virtualization and the cloud is that these environments share resources. In a virtualized environment, a single application will share resources with every other application including RAM, disk storage, memory, and CPU. In a cloud environment, these same resources are shared amongst multiple users.

VMware encryption key management

A fundamental fact to acknowledge if you’re using virtualized, hosted, or cloud services is that the companies who provide these services are not required to protect your data. In fact, you should never assume that they are doing just that. When it comes to meeting compliance regulations such as PCI, HIPAA/HITECH, or GLBA/FFIEC, the burden of compliance falls upon individual companies and organizations. If organizations want meet compliance and protect their data from a data breach, they need a powerful, certified, and industry standard data protection strategy.

When it comes to protecting sensitive data such as credit card information, social security numbers, protected health information (PHI), and other personally identifiable information (PII), it is a recognized fact that only using network security protocols such as firewalls and strong passwords is not enough to protect data from outside intruders. The Payment Card Industry Security Standards Council (PCI-SSC) knows this, which is why they require the use of strong encryption and encryption key management to protect credit card data.

Once you realize this, then you should also consider your options when choosing an encryption key manager. An encryption key manager will generate and protect your encryption keys and should include these five critical features:

  1. Certifications. Is the encryption key manager NIST FIPS 140-2 validated? The National Institute of Standards and Technology (NIST) is governmental organization that sets the highest standard for encryption and encryption key management. A FIPS 140-2 level compliance means that your key manager has been heavily tested and will stand up to scrutiny in the event of a data breach.
  2. Virtualization and Cloud Compatibility. Even if you haven’t moved to virtualized environments or the cloud, it is very likely that someday you’ll consider these options. You want to choose an encryption key manager that can securely protect your encryption keys “in-house,” and will move with you to virtualized environments or the cloud when you’re ready.
  3. A Key Manager that Uses Best Practices. Encryption key management best practices are not outrightly required by many compliance regulations, but they are critical to a successful data security strategy. Protocols such as dual control and separation of duties should be implemented in your encryption key manager as a part of its operability. This is the only way to truly protect data and protect yourself in the event of a data breach.
  4. Easy to Deploy. Encryption and key management has a reputation for being incredibly difficult. That may have been true ten years ago, but today encryption key management can be easy to deploy in your organization, depending on your provider. Keep in mind your vendor’s ability to deploy key management in multi-platform environments, in your own IT infrastructure as well as cloud and virtualized environments, if it’s easy enough to install and deploy yourself, and if your key management vendor provides supplemental code and encryption libraries free of charge.
  5. World Class Technical Support. Choosing an encryption key manager and deploying it is a big decision. Choose a key manager with a reputation for amazing technical support.

Townsend Security’s Alliance Key Manager for VMware now supports VMware and vCloud.

Podcast: Virtualized Encryption Key Management

Topics: Encryption Key Management, VMware, Virtualized Encryption Key Management

Encryption Key Management for VMware’s vCloud

Posted by Liz Townsend on Aug 1, 2013 9:57:00 AM

Three questions to ask yourself when choosing encryption key management for vCloud

Businesses are moving more and more data to the cloud, and in our world, more data floating around in the cloud means more concern about securing sensitive data. It is no surprise to anyone that a single business can processes millions of pieces of sensitive data every day. From credit card numbers to social security numbers and protected health information (PHI), retail, financial, and healthcare organizations are processing this data in greater numbers than ever before.

VMware encryption key management Storing data in the cloud is one way businesses are conserving resources. Another way they are doing this is with platform virtualization. VMware is one of the most popular and widely used virtualization solutions currently used by enterprises. Alongside their virtualization software, VMware also supports the vCloud architecture that allows users to seamlessly move their workloads to a hosting or cloud vendor that supports this architecture.

Securing data in a virtualized environment introduces new security concerns, simply by the fact that applications processing sensitive data share resources such as memory, disk storage, and central processing units (CPU) with other applications on a physical machine. If a business decides to move their data to vCloud, this introduces even more concerns around the fact that a cloud environment shares these resources with other people and businesses as well.

Security professionals agree that security should be the number one concern for businesses moving data to the cloud. No one should ever assume that their cloud provider is protecting their data, especially if you need to meet compliance regulations such as PCI-DSS, GLBA/FFIEC, or HIPAA/HITECH. The only way to protect sensitive data in the cloud is by implementing a data security plan that includes strong encryption and encryption key management.

Townsend Security recently released Alliance Key Manager for VMware. This encryption key management solution is identical to our FIPS 140-2 compliant Alliance Key Manager hardware security module (HSM) for database encryption and is compatible with vCloud architecture to provide powerful data security for data in the cloud. This versatile instance of our encryption key manager works with any cloud or hosting provider that supports VMware vCloud architecture.

When choosing a third-party encryption key management provider to secure your data in vCloud, it is important to ask yourself these three questions:

1. Is it cost effective?
Businesses are looking towards simplified and scalable data storage solutions to reduce cost and conserve resources. Virtualization and cloud services serve businesses by providing cost-effective options for data storage and processing. Your encryption and key management should not thwart your goals to reduce cost and complexity in your business. You need solutions that will scale with your transition to virtualization and the cloud and that will work seamlessly in these environments. One of our fundamental beliefs is that budget should not be a barrier to good data security!

2. Will your encryption key management move with you to the cloud?
Not all businesses have moved to the cloud. However, as the cloud becomes more and more prevalent as well as cost effective, it’s important to keep in mind that you might decide to migrate to the cloud in the future. This migration can either be relatively simple or a huge headache depending on how cloud-compatible your software and hardware providers are. Choosing sophisticated solutions that are prepared to move with you to the cloud and will provide you with thorough technical support is critical to your success.

3. Will your key management prepare you for a breach?
In today’s data climate, a data breach for most businesses is no longer a matter of “if,” but, “when.” The only way to secure a breach, prevent data loss, and avoid data breach notification is by using strong, industry standard, and certified encryption and encryption key management. You’ll want your encryption key management solution to implement key management best practices that go above and beyond industry certifications. Certifications are often a low bar in data security, and implementing best practices will increase your security posture tremendously. Your encryption key management should be NIST FIPS 140-2 compliant if you want your data security to stand up to scrutiny in the event of a breach.

To learn more about enterprise key management for VMware and vCloud, download our podcast "Virtualized Encryption Key Management."

Podcast: Virtualized Encryption Key Management

Topics: Encryption Key Management, VMware, Virtualized Encryption Key Management

VMware and PCI DSS Compliance

Posted by Patrick Townsend on Jul 24, 2013 1:44:00 PM

Is your VMware Instance PCI DSS Compliant? Look to PCI and VMware for Guidance.

VMware encryption key management Platform virtualization is becoming a more and more popular solution for companies trying to conserve resources, and VMware is leading this transition as the most popular virtualization platform available. However, there are still many concerns around data security in virtualized environments. Naturally, many people are concerned about PCI compliance when running in a VMware environment. In this case, most of the questions about PCI compliance are in the context of the PCI Data Security Standard (PCI-DSS) and PCI Payment Application Data Security Standards (PA-DSS).

Fortunately, the PCI Security Standards Council (PCI-SSC) has already weighed in on this question and has published clear guidance on running payment applications in a virtualized environment. Version 2.0 of the document is available from the PCI website and directly accessible here.

Of course, this guidance does not mention VMware specifically. It is designed to address the issues related to any virtualization technology such as Microsoft Hyper-v, Xen, and any others. However, VMware is the de facto standard for virtualization in data centers and is deployed by many cloud service providers who support the vCloud architecture. So it is natural that there are many questions about PCI compliance with VMware.

First it should be said that anyone running VMware for their line of business applications should read the PCI guidance BEFORE they start to deploy applications that store or process payment transactions. The procedures you use to deploy business applications in a VMware context are almost certainly not going to meet PCI requirements. So, if you are thinking about doing this, take a deep breath and do some research first.

Fortunately, we have some good guidance from PCI as well as VMware on the topic of PCI compliance. VMware worked with CoalFire, a QSA auditing firm, to create guidance on how to deploy payment applications in a VMware environment. The document follows closely the PCI virtualization guidance, and will be an invaluable resource as you start your project. You can access the CoalFire document from the VMware website here.

describe the imageWith these two documents in hand, and with the guidance of  your QSA auditor or security consultant, you can achieve good compliance with PCI recommendations.

PCI also offers guidance on running encryption key management solutions in a VMware context. There are some obvious points such as the recommendation that you NOT run your key management application in the same hardware and VMware hypervisor context. You will be glad to know that Townsend Security’s Alliance Key Manager for VMware solution meets the PCI recommendations when deployed properly in a VMware environment. We recently released our Alliance Key Manager solution as a VMware appliance, and we are committed to helping businesses achieve PCI compliance with industry standard encryption and encryption key management.

Patrick

Podcast: Virtualized Encryption Key Management

Topics: VMware, Virtualized Encryption Key Management