Townsend Security Data Privacy Blog

Encryption and key management continue to be perceived as challenges for .NET developers as more compliance regulations and state laws require the physical separation of encryption keys from the data they protect.

In the past, .NET developers might have used the Windows DPAPI to store encryption keys, or might have stored them in a SQL Server database. That approach does not meet the requirements for dual control, separation of duties, and split knowledge required by security best practices and compliance regulations such as PCI DSS, HIPAA/HITECH, GLBA/FFIEC, and others.

Historically, Microsoft .NET developers expected to experience some heartburn with an encryption key manager because:

• Key management vendors were historically not responsive to the needs of a .NET developer and failed to provide interfaces that work naturally in this environment
• Complex DLL implementations required special .NET wrapper code
• Poor integration with the existing .NET encryption APIs
• The absence of quality sample code which made life difficult for the Microsoft  .NET developer or slowed down application development

There have been a lot of changes that now make it easier on Microsoft .NET developers to approach encryption and key management. A key manager solution should:

• Provide a .NET assembly key retrieval library that integrates naturally in all of the Microsoft development languages.
• Provide for key retrieval directly into .NET applications so that developers can use the native .NET encryption libraries.
• By not forcing server-based encryption or the use of special encryption libraries, you decide the best approach to encryption once an encryption key is retrieved to the application (this approach also supports Microsoft’s Managed Code architecture)
• Offer vetted sample code to help speed development! You can install a working .NET GUI application that retrieves encryption keys from the server, and the install includes the Visual Studio project and source code
• Integration of encryption key retrieval routines with the Windows certificate store and native Windows communications facility.
• When a Windows application authenticates, the certificates used for the secure TLS connection are under Windows security and control. The TLS communications is done with native Windows communications APIs. This reduces the chance of loss of certificates and private keys, supports the MMC management of certificates, and integrates with Microsoft’s patch update strategy.

As a developer, you might have applications written in a .NET language that update non-Microsoft databases, or which work with unstructured data. These technical hurdles should not stop you from using an encryption key manager to meet compliance requirements for protecting encryption keys.

• Look for a .NET Assembly and DLL that you can add to your .NET project to retrieve encryption keys from the HSM. A few lines of C# or VB.NET code and you are retrieving the encryption key from the HSM.
• Make sure sample code is provided on the product CD to get you up and running quickly. There should be sample applications with source code that you can use as a starting point in your projects.
• The .NET Assembly should work with any .NET language. It should also work with the Common Language Runtime (CLR) environment, and with Stored Procedures. Make sure you can mix and match your .NET languages, databases, and OS platforms.

The combination of NIST validated encryption and an affordable FIPS 140-2 compliant key management solution with solid support for the Microsoft .NET developer makes our Alliance Key Manager a great option for users who need to meet security best practices and compliance regulations for key management. It is time to change your encryption strategy to incorporate solid encryption and an external key manager, whether that is an HSM, Cloud HSM, or virtual environment.

Download our white paper, Key Management in the Multi-Platform Environment, for more information on securing your encryption keys.

Turn Your Nightmares into a Peaceful Night’s Sleep... Even When Your Sensitive Data is Stored in the Cloud

Compliance regulations and security best practices can be enough to make most developers lose some sleep at night, but when the subjects of encryption & key management in the cloud are brought up… it seems like many of those restless heads start to twitch with other worries as well. It goes beyond what types of data need to be encrypted… to concerns about choosing the right encryption algorithm and properly managing the encryption keys. One of the most reported concerns about encryption is the fear of losing the encryption keys.  If keys are lost, the data remains forever shrouded from view… not only for hackers, but for the you too! Here are three important encryption & key management topics, and three excellent resources that will help you rest easy!

#1 Understand the Importance of Encryption and Key Management

Encrypting your sensitive data is critical to meeting compliance regulations and protecting your organization (and your customers) in the event of a data breach. If you are looking for a non-technical overview, then I highly recommend our most recent eBook, “The Encryption Guide” which covers the importance of encryption as well as critical implementation information such as:

• When to use encryption
• What data you should encrypt
• Where you should encrypt that data
• Encryption best practices
  (and an excellent summary of compliance regulations)
• The importance of encryption key management

In order to have a successful encryption solution you must deploy industry standard encryption methodologies, proper encryption key management (NIST validated solutions), and follow administrative and technological best practices such as dual control and separation of duties.

#2 Learn How to Never Lose an Encryption Key

Industry expert, Patrick Townsend addresses the following four topics in greater depth in his blog article “Never Lose an Encryption Key in Windows Azure” and I hope you will check out what he has to say regarding how Alliance Key Manager running in Windows Azure protects you from this potential problem.

• Backup / Restore
  The first line of defense is always to have a backup of your encryption keys and key access policies. Alliance Key Manager provides you with an option to securely back up your encryption keys, security policies, and server settings and to move this backup out of Windows Azure to your own secure storage...
• Key and Policy Mirroring
  Alliance Key Manager supports Active-Active (real-time key and security policy) mirroring so that you will always have a full set of your encryption keys available to you even after a failover...
• Windows Azure Availability Sets
  This is a feature that helps you avoid unplanned outages due to failures of the cloud infrastructure or planned maintenance activities, providing one more way to get the best reliability for your key management infrastructure in the Windows Azure cloud...
• Mirroring Outside the Windows Azure Cloud
  Lastly, if you are still worried about losing your encryption keys, you can always mirror the keys to a key manager located outside the Windows Azure cloud. We have hardware, hosted, and cloud options for you to choose from!

#3 Know Your Compliance Regulations

Our website is a wealth of information on how encryption and key management meet compliance regulations, and it is frequently a topic in our blog articles!  Storing sensitive data in a multi-tenant environment comes with an additional set of concerns, so we suggest this Cloud Security Alliance (CSA) white paper Security Guidance for Critical Areas of Focus in Cloud Computing, v3 that focuses on the CSA guidance - Domain 11 - recommendations for encryption key management. Hardware and software redundancy insure that you will never lose encryption services or encryption keys. Reliability and redundancy is provided through:

• Dual RAID controlled disk drives and dual power supplies
• Real time, bi-directional key mirroring
• On demand and scheduled backups
• High availability hot failover
• Load balancing support

In the ever-changing, ever-evolving technical world that we live in, knowledge is power! Our goal is to constantly provide updated, educational content and the best solutions for protecting sensitive data with solid encryption & key management. So while you might be losing sleep over your plans for the summer, but you shouldn’t lose sleep over your encryption strategy!

Start sleeping better by downloading the Encryption Guide:

Securing data with encryption and protecting the encryption keys with proper key management is addressed in many compliance regulations and security best practices.

For Drupal developers who need to protect sensitive data in their (or their clients) content management system (CMS), storing the encryption keys within the Drupal CMS puts that data at risk for a breach. Security best practices and PCI DSS compliance regulations call for sensitive data to be protected with encryption and that data-encrypting keys (DEK) be physically or logically separated from the sensitive data and protected with strong key-encrypting keys (KEK).  Depending on what type of information is being stored and what industry guidance your project/company falls under, compliance regulations in addition to PCI DSS may apply.

For any company that accepts credit card payments, the Payment Card Industry Data Security Standards (PCI DSS) issues 12 requirements that must be met in order to be compliant. It can seem overwhelming at first, but the PCI council that issues PCI DSS also provides detailed reference guides and instructions on each requirement. Let’s take a high level look at all twelve items:

Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do Not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data*
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that address information security for all personnel

Within the latest documentation by the PCI Security Standards Council (v3.0 released November 2013) specific testing procedures and guidance is given for Requirement 3 on pages 34-43. The PCI Security Standards Council (PCI SSC) website contains this documentation along with a number of additional resources to assist organizations with their PCI DSS assessments and validations. PCI SSC also issues Cloud Computing Guidelines and additional information around virtualization of data protection solutions so you can be PCI compliant with a cloud-based solution for encryption and key management.

Requirement 3 addresses the need for encryption and key management, stating:

“Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.”

In order to address PCI DSS Requirement 3: Protect stored cardholder data; the security experts at Townsend Security partnered with Chris Teitzel, CEO of Cellar Door Media and Drupal developer to create Key Connection for Drupal in connection with the existing Drupal Encrypt module. In order to provide secure key storage and retrieval options, Key Connection for Drupal provides a secure key management system (Alliance Key Manager) outside of the Drupal installation. Now when cardholder information is collected or stored in a database it can easily be encrypted and the encryption keys properly managed. Key Connection for Drupal allows developers and users to choose whether they need to retrieve a key and encrypt/decrypt locally or to send the data to Alliance Key Manager to perform on board encryption.

Other compliance requirements for protecting information go beyond cardholder data (PCI focuses on PAN or the Primary Account Number specifically) and also require that personally identifiable information (PII) such as names, birthdates, email address, zip codes, usernames, or passwords be protected with encryption and key management. Check back as future blogs will cover additional data privacy compliance regulations and security best practices that impact developers and users of the Drupal CMS open source platform in regards to protected health information (PHI).

For more information on PCI Compliance, download the Whitepaper: "Meet the Challenges of PCI Compliance"

Townsend Security, an industry leader in data security and encryption key management, will be exhibiting at the PASS Summit in Charlotte, North Carolina this year on October 15-18. We will feature our FIPS 140-2 compliant encryption key management hardware security module (HSM), along with our new hosting option for managing your encryption keys in the cloud.

Will you be attending PASS this year? The Professional Association of SQL Server (PASS) hosts this summit every year and is the largest conference for SQL users and professionals worldwide. Look for us in booth #322 to learn more about how easy encryption and encryption key management can be with your SQL Server. Whether you are using a legacy version of SQL Server or SQL Server 2012 with Transparent Data Encryption (TDE) and Extensible Key Management (EKM), Alliance Key Manager can manage your encryption keys.

How Alliance Key Manager for SQL Server protects your data:

• Automation of all key management tasks including rotation, retrieval, and generation in a central location
• Uses Microsoft’s Extensible Key Management (EKM) interface to support Transparent Data Encryption (TDE) on SQL Server 2008/2012
• Works with all versions of SQL Server

Key Management Hosted in the Cloud
Townsend Security's new Alliance Key Manager Hosted HSM solution allows customers to own a dedicated key manager HSM in a hosted environment consisting. The solutions consists of a production and high availability (HA) HSM in geographically dispersed data centers under an ITIL-based control environment independently validated for compliance against PCI DSS and SOC frameworks. Unlike other hosted encryption key management offerings, only the customer has administrative and security access to the HSMs.

Encrypting Data in Microsoft SharePoint
Since Microsoft SharePoint runs on top of a SQL Server environment, protecting data in SharePoint is easier than ever. Many SQL administrators are fearful that their users are storing sensitive, unencrypted data in SharePoint, and they rightly should be. Alliance Key Manager for SQL Server can help to secure this data.

Encryption Key Management for SQL Server Enterprise Edition
Alliance Key Manager for SQL Server integrates seamlessly with TDE and EKM technologies to enable automatic encryption in SQL Server 2008/2012 Enterprise Edition and above. Additionally, Alliance Key Manager for SQL Server supports cell level encryption, which allows database administrators to select the columns they wish to encrypt in a database - a benefit for many administrators with larger databases.

Encryption Key Management for SQL Server 2005
Many SQL users are still running earlier editions of SQL Server that don’t support EKM & TDE. However, running older versions of SQL Server does not limit your ability to encrypt data and manage encryption keys! Townsend Security supports cell level encryption for SQL Server 2005.

Multi-Platform Environments
Alliance Key Manager isn’t exclusive to the Microsoft SQL suite. In fact, our key management server integrates easily into complex, multi platform environments with many types of databases, operating systems, and programming languages. Our encryption key manager can protect data on the IBM i (AS/400), DB2, Oracle, Linux, Windows, and in the cloud.

To learn more, download our white paper "Encryption Key Management for Microsoft SQL Server 2008/2012."

 

 

 

 

Patrick Botz, founder of Botz and Associates and former Lead Security Architect at IBM, recently published a White Paper in conjunction with Townsend Security discussing dual control, split knowledge, and separation of duties--three critical controls needed to protect encryption keys and encrypted data on the IBM i platform. These controls are considered “best practices” in the IT industry, and it is common knowledge amongst security professionals that without these controls in place, any organization could be at risk for a major data breach.

Just like financial controls that are put in place to prevent fraud in a business, these concepts are used in IT security to prevent data loss. As data breaches are reported in the news almost every day, we can easily see the consequences of data loss: public scrutiny, hefty fines, lost business, and litigation are just a few of the ramifications. Implementing these controls reduces the potential for fraud or malfeasance caused by the mishandling of data or a data loss event due to hackers, employee mistakes, or stolen or lost hardware.

In this white paper Patrick Botz outlines the importance of these three controls and explains why they must be used to protect data stored in IBM i databases. Botz discusses on-board master key capabilities provided by the IBM Cryptographic Services APIs on an IBM i, the limitations of the IBM i Master Key Facility, and why organizations should use third-party key management to protect their sensitive data.

The top 3 critical best practices are:

Separation of Duties - This is widely known control set in place to prevent fraud and other mishandling of information. Separation of duties means that different people control different procedures so that no one person controls multiple procedures. When it comes to encryption key management, the person the person who manages encryption keys should not be the same person who has access to the encrypted data.

Dual Control - Dual control means that at least two or more people control a single process. In encryption key management, this means at least two people should be needed to authenticate the access of an encryption key, so that no one single person has access to an encryption key

Split Knowledge - Split knowledge prevents any one person from knowing the complete value of an encryption key or passcode. Two or more people should know parts of the value, and all must be present to create or re-create the encryption key or passcode. While split knowledge is not needed to create data encryption keys on the IBM i, it is needed for the generation of master keys which are needed to protect data encryption keys. Any encryption keys that are accessed or handled in the clear in any way should be protected using split knowledge.

The three core controls should always be used when storing or transferring encrypted sensitive data. A certified, hardened security module (HSM) designed to secure data encryption keys and key, or master, encryption keys should implement these controls into the administration of the key manager. NIST FIPS 140-2 validation is an important certification to look for in an encryption key manager. This certification ensures that your key manager has been tested against government standards and will stand up to scrutiny in the event of a breach.

Automatic Encryption on V7R1
With the release of IBM i V7R1, users can now encrypt data automatically with no application changes. This is great news for IBM i users since encryption has been a difficult task in the past, needing specialized encryption solutions for earlier versions of IBM i. Protecting your encryption keys in a an external key management HSM is the critical next step to protecting your encrypted data.

To learn more about encryption key management for the IBM i download the full White Paper “Encryption Key Management for IBM i - Sources of Audit Failures,” by IBM i security experts Patrick Botz and Patrick Townsend.

Almost every organization has at least one application built on Microsoft’s SQL Server database. Whether you build an application in-house using Microsoft’s development tools or you deploy a software package from a software vendor, chances are that your organizations has one or more SQL Server databases to help you manage information.

The Challenge: Protect Data with SQL Server’s Encryption

Today it is almost impossible to run a business without handling sensitive information and storing storing data such as customer names, credit card numbers, bank account numbers, passwords, email addresses, or other personally identifiable information (PII) or private health information (PHI) in your SQL Server database. If your organization must meet data security regulations such as PCI-DSS, HIPAA/HITECH, GLBA/FFIEC, or GDPR, you probably already know that this data must be encrypted in order to protect your customers and prevent data loss in the event of a data breach.

What you may not know is that in order to truly protect your data, you must manage your encryption keys in adherence to key management best practices such as dual control and separation of duties using an external encryption key manager (key managers are available in VMware, Cloud, as a traditional hardware security module or HSM). Your company will only be able to avoid data breach notification if you are using these best practices.

The good news is that Microsoft SQL Server comes equipped with transparent data encryption (TDE) and extensible key management (EKM) to make encryption and key management using a third-party key manager easier than ever. Older versions of SQL Server can also be easily encrypted using different tactics, and you can manage those encryption keys just as easily with an encryption key manager as well.

Encrypting Data in SQL Server Depends on Your Version

If you’re currently looking into encrypting your SQL Server database or deploying a key management system, you may be concerned about how to protect your data depending on the version, code, and language used to build your database. To help ease your worries, here are 4 ways to encrypt your SQL Server database and protect your encryption keys:

1. Since SQL Server 2008 Enterprise and SQL Server 2019 Standard, Microsoft has supported automatic encryption with TDE and column-level encryption for Enterprise Edition users and above. Without any programming you can encrypt the SQL Server database or an individual column, and store the keys on an encryption key manager (commonly available as an HSM and in VMware or Cloud).
2. If you have an older version of SQL Server, or you have SQL Server Standard Edition or Web Edition, you don’t have access to TDE. But you can still automate encryption: Through the strategic use of SQL Views and Triggers, you can automate encryption of sensitive data on your SQL Server without extensive program modifications, and still use a secure key manager to protect the encryption keys.
3. Your developers might have written custom application code to implement your SQL Server database. But SQL Server encryption and key management is still within your reach. A good key management vendor should supply you with software libraries that easily add into your applications and implement SQL Server encryption.
4. You might have a SQL Server database, but not be using Microsoft programming languages. Perhaps your applications are written in Java, Perl, or PHP. Again, it is simple to deploy software libraries that encrypt the SQL Server data and which store the encryption keys on an external centralized key manager.

SQL Server encryption and good key management is not difficult to achieve. Although key management has a reputation for being difficult and costly, today key management for SQL Server is cost-effective, easy, has little to no performance impact, will get your company in compliance, and will keep your organization out of the headlines by helping to prevent a data breach.  Townsend Security's Alliance Key Manager is FIPS 140-2 compliant and in use by over 3,000 customers worldwide.

To learn more about key management for SQL Server, download the White Paper, “Encryption Key Management for Microsoft SQL Server.”

 

For most organizations, the entire impetus to encrypt is closely tied to the need to be compliant with one regulation or another.  There is the PCI regulation, the HITECH act of 2009, HIPAA, Sarbanes-Oxley, and a whole host of state privacy laws.  If you are going through the due diligence of database encryption, you sure as heck want to get it right the first time.

A big part of getting it right is using the right encryption tool.  There are plenty of tools on the market that claim to do encryption, and you probably know a clever programmer or two who thinks he can come up with a nifty little data scrambling algorithm that no-one has ever seen before. But encryption — real encryption — demands that we reach for a higher standard.

The U.S. Department of Commerce publishes the definitive encryption standard on its National Institute of Standard and Technology (NIST) website and to date, hundreds of cryptographic providers have achieved this high standard.  As of this writing, NIST has certified over 1,300 AES encryption implementations.

A Fundamental Truth
Cryptographers do not suffer fools lightly.  Their science is mathematically based and their algorithms are well known and well vetted.  A fundamental truth of cryptography is that real encryption cannot rely on keeping the algorithm secret.  Instead the secret that protects the data is the encryption key, and only the encryption key.  Anyone who says different may find themselves on the receiving end of an extra-long mathematical dissertation on the mathematical correctness of accepted encryption algorithms.

When you stop to think about it, this makes perfect sense.  If the world used a secret algorithm to encrypt data, if that algorithm were ever to be discovered then all the world’s data would be at risk.  But if the key is the one-and-only secret that unlocks the data, then a compromised key only puts the data at risk that was encrypted with that particular key.  All the other data that has been encrypted with other keys is still safe.  This demonstrates both the wisdom of strong (and open) algorithms, but also the essential importance of strong key protection.

Another benefit of open algorithms is that they are peer reviewed and extremely well vetted.  The AES standard that is the de-facto standard for encrypting data at rest is well known in cryptography and mathematical circles and is recognized the world over as the most effective method for encrypting business data.  Its modes of encryption are well known and proven. And there is a strong body of knowledge about how to correctly implement the AES standard.  From the perspective of a cryptographic (encryption) provider, encryption libraries are not easy to write, but they are known to be solid when implemented according to accepted standards.

Homegrown Encryption
Unfortunately, some software providers seemed to have taken a different road. AES encryption must have seemed too difficult, or too cumbersome, so instead they found loopholes and/or shortcuts to simplify their implementation.  Some software providers use untested software, or unique and un-vetted methods of encryption.  These data scrambling methods aren’t (and never could be) NIST or FIPS certified, but if their customers never ask about certification or independent validation, those providers are not likely to raise the topic.

So we are seeing a raft of uncertified, and un-vetted cipher methods introduced in the market place.  Some, like OMAC, CS, and CWC have languished on the NIST list of “Proposed Modes” for years, while others like CUSP have never even been submitted as a proposed standard.  And while it is possible that one or more of these upstart modes could be better than one of the current, standard modes, there is no way to know this because these new modes have not been properly tested and crypto-analyzed.  Without testing and peer review, each of these modes is just another premature idea that is statistically more likely to be a bad encryption method than a good one.

Show Me the Cert!
Many software vendors are beginning to recognize the value of certifications.  Some claim certifications they don’t actually have (HINT: PCI does not certify encryption software) and some will use confusing language to infer they have achieved levels of certification they haven’t.  Recently I visited a website that claimed (I’m paraphrasing):

Our stuff uses FIPS 140-2 certified algorithms to ensure the highest level of data security.

The NIST AES website displays no record of this company ever having received a certification for any encryption software.  Clearly they recognize the value of certification, but have not yet knuckled down to do the hard work to make it so.  And if you don’t check their supposed “facts,” it’s likely that you’ll soon regret it.

My advice?  When someone claims to be certified for any type of encryption, ask a simple question: “Can you show me the cert?”  It ought to be available on the web, or in paper form that they can show to you so that you know this software has passed an independent evaluation.  If they have a cert, then you can dig down deeper and find out whether the software will fit your needs.  But if they are claiming a certification that they cannot prove, my advice is to keep your hand on your wallet and then run.

For more information on encryption and key management, download our white paper titled "AES Encryption and Related Concepts."