
Townsend Security Data Privacy Blog


Is Drupal Ready for the Enterprise?

  
  
  
  

Drupal is growing up. Currently, over one million websites run on Drupal. It is the CMS of choice for the Weather Channel, American Express and the White House. And with Drupal 8 right around the corner, promising to bring new features and capabilities, it is a very attractive CMS for agencies who need to build solutions for their clients.

While these are some major wins for the platform, there is still a large segment of enterprises not quite ready to adopt Drupal. With headlines like “Drupal Sites, Assume You’ve Been Hacked” (after Drupalgeddon) it is easy to understand why there may be some hesitation. Security is a top concern for enterprises and they are scrutinizing anything that collects and stores personally identifiable information (PII) on behalf of their brand.

Increased security requirements are now trickling down via RFPs to agencies and developers who need to choose a CMS. As far as these enterprises are concerned, they don’t care what CMS is used on their project, as long as it can: (1) help manage their risk of a data breach and (2) meet compliance requirements. Enterprises know that the regulations they fall under (PCI DSS, HIPAA, FISMA, etc.) can be unforgiving in the event of a breach, especially if the proper technology was not in place.

So, is Drupal ready for the enterprise?

As a platform, yes-ish. Enterprises have security requirements that go beyond what is available in Drupal core. Fortunately, there are members within the Drupal community that understand this and have developed modules and services that easily integrate into Drupal installations. It is now up to developers to use these tools to build secure, enterprise-ready web sites and applications.

In order to win bids, developers need to not only know how to code, but also need to know security best practices. Concepts like dual control and separation of duties are now considerations when planning for web site security. Developers are also learning what compliance regulations consider sensitive information – data that they previously didn’t think twice about leaving unprotected. Beyond the obvious – credit card and social security numbers – email addresses, phone numbers, and zip codes can constitute PII that needs to be encrypted.

Slide from Hugh Forrest’s (Director, SXSW Interactive Festival) keynote from DrupalCon 2014 on the importance of encryption.

The importance of encryption and key management cannot be overstated. Encryption is the hardest part of data security, and key management is the hardest part of encryption. Storing encryption keys within the Drupal database, settings file, or even a protected file on the server, will never pass an enterprise security team’s sniff test or compliance audit. Hackers don’t break encryption, they find keys, and without key management, developers are leaving their private data open to any hacker that cares to take a look.

“We recently began talks with a Fortune 100 company regarding their platform,” said Chris Teitzel, CEO of Cellar Door Media. “Encryption was a requirement for this project. The primary question the security team brought up was how we are able to manage the keys.”

With the importance of encryption and key management realized, who is responsible for implementing it? Unfortunately, currently no major Drupal hosting providers offer it within their environments. However, it is not difficult to deploy using modules like Encrypt, Key, Form Encrypt, Field Encrypt, Key Connection, etc. These modules all have integrations with services that allow for encryption and key management outside of the Drupal installation.

It is also important to note that, while hosting providers can claim they are compliant with your specific regulation, their compliance does not extend to you, the developer. Hosting providers can attain an Attestation of Compliance (AOC) for their platform, however, it does not extend to what their customers do within their environments. Additionally, regulations like PCI DSS make it clear that in the event of a breach, it is the enterprise, not the hosting provider or development agency, that is responsible.

For Drupal to truly be a contender in the enterprise space, which it clearly is, it is prudent that members of the Drupal community understand how to secure data within their deployments, who is responsible in the event of a breach (their clients), and what they need to do to secure sensitive data in Drupal to make it a viable option.


Anthem Data Breach - We Are Taking the Wrong Lesson About Encryption

  
  
  
  

We are taking the wrong lesson about encryption from the Anthem data breach. Several “experts” are weighing in with the opinion that encryption would not have prevented the breach, and even that Anthem should not bother implementing encryption to protect patient information! We don’t have a lot of information about the breach, but apparently the credentials of one or more system administrators were acquired by the attackers and used to access servers with sensitive patient data. So, if the attackers have the credentials of privileged users, it’s game over, right?

Well, hold on Cowboy, you are taking the wrong lesson from this data breach!

Let’s start from the top. We have to use ALL of the tools at hand to deploy a defense in depth approach to protect our data. This means we need firewalls, intrusion detection, active monitoring, data leak prevention, anti-virus, two factor authentication, and everything else available to our security team to protect that information.  Further, it would be irresponsible to not consider encryption as an essential component as part of a defense in depth strategy. 

I am sure that Anthem already has a large number of these tools and defenses deployed in their environment. Should they just unplug them all and throw up their hands? Is surrender the best approach given the intelligence and persistence of dedicated attackers? 

Of course not, surrender should not even be in our vocabulary!

Encryption and related encryption key management tools are critical for any company that wants to protect the sensitive information of their customers (or patients, in the case of Anthem), employees, and business partners. It’s mandated by many compliance regulations such as PCI DSS which requires merchants and payment processors to encrypt credit card account numbers. It’s highly recommended to protect patient information by anyone like Anthem who is a Covered Entity under HIPAA regulations (any bets on how soon that will move from “recommended” to “required” status?). All serious security professionals know that encryption is a critical security component and recommend it is a part of an organization’s security strategy.

Does this mean encryption is the perfect defense? Of course not. Given enough authorization to sensitive data even encryption may not be able to prevent a breach.

Encryption raises the bar for the attacker. It narrows the attack surface and makes it more difficult. Unlike the situation at Anthem, in many cases an attacker compromises a non-privileged account and steals the database full of sensitive information. If the sensitive data is not encrypted, the data is lost. If the data is encrypted and you've protected the encryption key, the data is safe. Effective defenses involve a layered approach and constant vigilance.  If we use all of our tools effectively, including encryption, we have a very good chance of detecting an attack early and thwarting it.

A few months ago Adobe suffered a breach and lost millions of records. But the most sensitive data was encrypted. That story basically went away in a couple of days. Target and Sony also suffered large data breaches – do you think they wish they had been encrypting their data? You bet they do! Their stories never seem to go away.

Delay, hopelessness, and surrender are not going to help and are not justified.

This is the lesson we need to learn about encryption.

Patrick


VMware Encryption - 9 Components of a Defensible Encryption Strategy

  
  
  
  

We all know that encrypting sensitive data such as customer, employee, and business critical data is not only crucial to protecting your company’s assets, but is also required by industry regulations such as the Payment Card Industry Security Standards Council (PCI SSC) and GLBA/FFIEC. Today businesses are turning to VMware virtual machines and the cloud to reduce cost and complexity within their IT environments. When companies set out to encrypt sensitive data that is stored or processed in VMware, meeting industry regulations is top of mind. Businesses also sometimes assume that meeting the encryption requirements of a regulation will protect them from a data breach as well. Unfortunately, passing a data security audit does not always guarantee a strong defense against a data breach. Where data is encrypted and how it is encrypted is often left to the auditor’s judgment, and where one auditor might give your encryption solution a passing grade, another might fail you. If you are only looking for a passing grade, you may be implementing the bare minimum requirements. When you consider the possible deviation from one auditor to the next, it becomes clear that meeting compliance is often a low bar.

At Townsend Security we help our customers not only meet compliance, but achieve a level of security in their VMware environment that will protect them in the event of a data breach. Our new eBook, “VMware Encryption: 9 Critical Components of a Defensible Encryption Strategy,” discusses nine strategies for ensuring your VMware encryption strategy is strong enough to protect your business in the event of a data breach.

Download this eBook to learn more about these critical components and more:

1. Establish a VMware Security Roadmap
The first step in securing your VMware environment is to establish a security roadmap. Determine how encryption and key management in VMware fit into a holistic security plan, and assess security requirements that compliance regulations mandate. Assess your level of risk tolerance for the types of data you want to protect. It’s important to keep in mind that compliance regulations may not mandate the protection of some data, such as email addresses and passwords; however, you may want to encrypt this data in order to protect your brand and reputation should this data get breached. At an IT level, like other security applications that perform intrusion detection/prevention, and active monitoring, you should deploy your encryption key management virtual machine in a separate security workgroup and provide administrative controls in the same way as for other VMware and third party security applications. [Download the eBook to read more]

2. Inventory and Prioritize Sensitive Data
Every encryption project should start by making an inventory of sensitive data in your IT environment. The first step is to define “sensitive data.” Sensitive data is any customer or internal data that you must protect in order to meet compliance requirements or protect your customers, employees, and yourself from data theft and fraud. The scope of what is considered “sensitive data” and how hackers use data to commit fraud is growing. However, if you do not know where to start, first consider the compliance regulations you fall under. [Download the eBook to read more]

3. Use Industry Standard AES Encryption
Encryption protects your data at the source and is the only way to definitively prevent unwanted access to sensitive data. Academic and professional cryptographers have given us a number of encryption algorithms that you can use to protect sensitive data. Some have interesting names like Twofish, Blowfish, Serpent, Homomorphic, and GOST; however, it is critical in any professional business to use encryption algorithms accepted as international standards. Many compliance regulations require the use of standard encryption, such as AES, a globally recognized encryption standard, for encrypting data at rest. [Download the eBook to read more]

4. Encryption Key Management

Many organizations that encrypt sensitive data fail to implement an adequate encryption key management solution. While encryption is critical to protecting data, it is only half of the solution. Your key management will determine how effective your encryption strategy ultimately is. When encrypting information in your applications and databases, it is crucial to protect encryption keys from loss. Storing encryption keys with the data they protect, or using non-standard methods of key storage, will not protect you in the event of a data breach. For businesses that are already encrypting data, the most common cause of an audit failure is improper storage and protection of the encryption keys. [Download the eBook to read more]

Download “VMware Encryption: 9 Critical Components of a Defensible Encryption Strategy,” to learn 5 more critical components! Learn how to protect your customers, secure your business assets, avoid regulatory fines, and protect your brand.

VMware Encryption eBook


PGP on IBM System z Mainframes

  
  
  
  

With the new z13 model, IBM announced another round of enhancements and improvements to the venerable IBM System z Mainframe. Focusing on mobile and social media integration, IBM is yet again modernizing and extending this high-end enterprise server.

While the IBM System z Mainframe has a well-earned reputation for security, how do Mainframe customers protect their data as they move towards more open, internet-based mobile and social media integration?

Pretty Good Privacy (PGP) is one path to provable and defensible security, and PGP Command Line is the de facto standard for enterprise customers.

PGP is one of the most commonly accepted and widely deployed whole file encryption technologies that has stood the test of time. It works on all of the major operating system platforms and makes it easy to deploy strong encryption to protect data assets. And it runs on the IBM System z Mainframe!

For about a decade we at Townsend Security have been bringing PGP encryption to Mainframe customers to help them solve some of the most difficult problems with encryption. As partners with Symantec we provide IBM enterprise customers running IBM System z and IBM i (AS/400, iSeries) with the same strong encryption solution that runs on Windows, Linux, Mac, Unix, and other platforms.

Incorporating the OpenPGP standard, PGP Command Line from Townsend Security and backed by Symantec, is compatible with a variety of open source PGP encryption solutions, while adding features to warm the heart of the IBM Mainframe customers. And this is the same PGP whose underlying PGP SDK has been through multiple FIPS 140-2 validations and which is FIPS 140-2 compliant today.

While retaining the core functions of PGP and the standards-based approach to encryption, we’ve been busy extending PGP specifically for the IBM Mainframe customer. Here are just a few of the things we’ve done with PGP to embrace the IBM Mainframe architecture:

  • Native z/OS Batch operation
  • Support for USS operation
  • Text mode enhancements for z/OS datasets
  • Integrated EBCDIC to ASCII conversion using built-in IBM facilities
  • Simplified IBM System z machine and partition licensing
  • Support for self-decrypting archives targeting Windows, Mac, and Linux!
  • A rich set of working JCL samples
  • Free evaluation on your own IBM Mainframe

IBM Mainframe customers never have to transfer data to a Windows or Linux server to perform encryption, exposing that data to loss on those platforms in the process. With full cross-platform support you can encrypt and decrypt data on the IBM Mainframe regardless of its origination or destination.

PGP Command Line is the gold standard for whole file encryption, and you don’t have to settle for less.

Patrick

PGP Encryption for IBM


Securing Web Sites and Applications with Encryption & Key Management

  
  
  
  

Web site and application data security can be greatly enhanced by encrypting sensitive data. An encryption strategy is only as good as the protection of the encryption keys. Poor protection for encryption keys will lead to compliance audit failures, regulatory failures, and brand damage due to poor security practices.

The following topics discuss how encryption and key management improve web application security:

Separation of Encryption Keys from Data
The separation of encryption keys from the data they protect is a core security best practice. Cybercriminals may steal sensitive data, but if that data is encrypted and the keys are not readily available, the data remains protected. The separation of keys from the data they protect is also fundamental to implementation of Separation of Duties and Dual Control. Townsend Security's Alliance Key Manager provides the mechanism by which keys are separated from the data they protect.

Separation of Duties
For critical systems, security is always improved by dividing responsibility among multiple administrators. In data protection, this concept means that people who have access to the data (users, DBAs, etc.) should not be the people who have access to the encryption keys. And the reverse is true. In order to achieve Separation of Duties you must separate the system, network, and database functions from the encryption key management functions. This is a core concept in PCI-DSS, HIPAA, GLBA/FFIEC, and other regulations. Alliance Key Manager provides for Separation of Duties by allowing different people to manage the web application data and the management of the encryption keys.

Dual Control
All critical business operations that can impact the health and existence of an organization should be managed with Dual Control. Dual Control means that it takes two individuals to perform the critical operation. Because encryption keys are the crucial secret that must be protected, Dual Control means that at least two people must authenticate to create and manage encryption keys. Alliance Key Manager implements Dual Control in the security console to meet this security best practice and regulatory requirement.

Limited Access
Security best practices require that as few people have access to encryption keys as possible to minimize the risk of loss. By managing encryption keys in a key manager designed for this purpose, keys can be used by the applications that need them, but managed by a small number of security administrators. Alliance Key Manager allows you to grant access to only those security administrators who have the need to manage the encryption keys.

Secure Key Retrieval
Encryption keys and the Encryption Services available with Alliance Key Manager are always accessed via encrypted TLS connections. Secure connections help prevent capture of encryption keys across public and private networks, memory scraping routines, etc. Unencrypted access to Alliance Key Manager is not allowed.

Authenticated Key Retrieval
Unlike normal web servers which provide access to anyone with a certificate signed by a public certificate authority, Alliance Key Manager creates its own private CA unique to you, creates client-side certificates and private keys signed by that CA, and restricts access to only those clients who present a known certificate. This prevents outsiders from accessing the key server using publicly available certificates and keys.

Protection of Credentials
Because certificates and private keys are used as credentials for access to Alliance Key Manager, they must be protected in the Web application server. Credentials should be stored outside of the web root directory and access permission should only be granted to the web application user. For a Drupal installation, the same precautions should be taken.
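The two precautions above (credentials kept outside the web root, readable only by the web application user) can be checked mechanically. The following is an added example, not code from Townsend Security or any Drupal module; it assumes a POSIX host, and the directory and file names (`akm-client`, `client-key.pem`, and so on) are hypothetical, built in a temporary directory as constructed sample data.

```python
import os
import stat
import tempfile


def _inside(path, root):
    """True if path is root itself or lies beneath it (both absolute)."""
    return os.path.commonpath([path, root]) == root


def audit_credential(path, web_root, expected_uid):
    """Return a sorted list of findings for one certificate or key file."""
    findings = set()

    # Check the path as configured AND after resolving symlinks: a link
    # placed in the web root can expose a file that lives elsewhere.
    lexical = _inside(os.path.abspath(path), os.path.abspath(web_root))
    resolved = _inside(os.path.realpath(path), os.path.realpath(web_root))
    if lexical or resolved:
        findings.add("inside-web-root")

    try:
        st = os.stat(path)  # follows symlinks to the real file
    except FileNotFoundError:
        return ["missing"]

    # Only the web application user should own and read the credential.
    if st.st_uid != expected_uid:
        findings.add("wrong-owner")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.add("group-or-other-access")

    # A directory writable by others lets them swap the file out.
    parent = os.stat(os.path.dirname(os.path.realpath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.add("parent-dir-writable")

    return sorted(findings)


def _write(path, mode):
    """Create a constructed placeholder file with the given mode."""
    with open(path, "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    os.chmod(path, mode)
    return path


def run_demo():
    """Build a constructed layout and audit each sample credential."""
    with tempfile.TemporaryDirectory() as base:
        web_root = os.path.join(base, "var", "www", "html")   # hypothetical
        cred_dir = os.path.join(base, "etc", "akm-client")    # hypothetical
        os.makedirs(web_root)
        os.makedirs(cred_dir)
        os.chmod(web_root, 0o755)
        os.chmod(cred_dir, 0o700)

        samples = {
            "good": _write(os.path.join(cred_dir, "client-key.pem"), 0o600),
            "world_readable": _write(
                os.path.join(cred_dir, "client-cert.pem"), 0o644),
            "in_web_root": _write(
                os.path.join(web_root, "old-key.pem"), 0o600),
            "missing": os.path.join(cred_dir, "absent.pem"),
        }
        # Symlink inside the web root pointing at the well-protected key.
        link = os.path.join(web_root, "key-link.pem")
        os.symlink(samples["good"], link)
        samples["symlink_in_web_root"] = link

        uid = os.getuid()  # stands in for the web application user
        return {name: audit_credential(p, web_root, uid)
                for name, p in samples.items()}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings or 'ok'}")
```

On a real server, `expected_uid` would be the uid of the account the web application runs as, and the check would run against the configured certificate and private key paths.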

Active Monitoring
Active monitoring is a core security requirement and applies to all encryption key management activity. Alliance Key Manager provides real-time audit and system logging of all key retrieval, encryption services, and key management tasks. This helps meet regulatory requirements and security best practices for all key management activity.

For more information on encryption, download the eBook:

The Encryption Guide eBook


Notable Data Security Breaches of 2014

  
  
  
  

Make 2015 your year for increased data security with Encryption & Key Management

During the 2014 holiday season, the Sony data breach made the headlines even though the numbers affected weren’t in the millions like their 102 million PlayStation Network records that were breached back in 2011. This time, beyond all the damage done to their systems, Sony Pictures Entertainment became one of the most publicly blackmailed corporate breaches to date. The group that took over their company network had a list of demands that went along with the financial data and legal information being leaked on to file-sharing sites and sent directly to rival Hollywood studios.   

While the end results of the Sony breach may take time to be fully realized, there were a number of other large scale data breaches this year. Some of these you may be familiar with, more may yet be reported, and others might surprise you: 


  • eBay - online retailer
    The breach is thought to have affected the majority of the 145 million global members when a database containing customer names, encrypted passwords, email addresses, physical address, phone numbers, and dates of birth was compromised.
  • JPMorgan Chase
    76 million people were affected by the loss of PII including names, addresses, phone numbers, and email addresses.
  • Google
    5 million people had their account information compromised with the theft of usernames and passwords.
  • Home Depot
    In a large nationwide malware attack, 56 million card records were stolen through point-of-sale systems. In a second attack in Atlanta, 20,000 employees’ personal information was stolen and used to open fraudulent credit cards by 3 human resource employees.

Those are some pretty significant numbers, and most likely everyone that reads this blog has been affected in some way by at least one of these events, or by one of the 600+ breaches reported so far this year. What we all need to remember is that cyber crime isn’t limited to “Black Hat” hackers that only go after the big piles of data. Sometimes it is a disgruntled employee that destroys or releases sensitive data. Sometimes it is an unintentional employee error, or loss of an employee’s laptop/thumbdrive that thieves go after. Often it is the smaller company or mid-sized Enterprise that hasn’t yet implemented security steps, like encryption and authentication, to protect their sensitive information. For example, the unintentional loss of data on unencrypted backup tapes would be considered a reportable data breach event.

A new study from researchers at Gartner indicates that it is markedly less expensive for companies to invest in new security and encryption technologies than it is for them to respond to a data breach. According to the analyst firm, businesses pay roughly $6 per year per user for encryption tools, or $16 per user per year for intrusion prevention software licenses, versus paying out an average of $90 per user to address problems after a breach has occurred.

Five steps you can take to make sure this doesn’t happen to you:

  1. Have a defense-in-depth strategy that meets your level of risk tolerance.

  2. Make sure you know where all of your sensitive data is stored, and who has access to it.

  3. Use standardized encryption algorithms to make that data unreadable.

  4. Use an encryption key management solution to protect keys away from the data.

  5. Use two-factor authentication whenever possible, because passwords are no longer enough.

To help open up the conversation around your conference table, download this eBook on “Turning a Blind Eye to Data Security” and find out more about the tools & resources to begin discussions about data security in your company!

Turning a Blind Eye to Data Security eBook


Our Top 10 Most Popular Data Security Blog Posts of 2014

  
  
  
  

Encryption, Key Management, and Data Security…Oh My!

This has been a busy year at Townsend Security with the addition of 2FA, the introduction of Key Management in AWS, Azure, and Key Connection for Drupal. Looking back over our data security blog and the most-viewed topics, I wonder... Did you miss out on any of these?  Take some time to check them out!


Heartbleed and the IBM i (AS/400)

by Patrick Townsend  (April 11, 2014)

Key take-away: It is important to understand that while the IBM i platform may not be directly vulnerable to the Heartbleed problem, you may have lost IBM i User IDs and passwords over VPN or other connections which are vulnerable. An exploit of Heartbleed can expose any information that you thought was being protected with session encryption.

From the blog article you can download additional content:  
Ebook: Turning  a Blind Eye to Data Security

What are the Differences Between DES and AES Encryption?

by Michelle Larson  (September 4, 2014)

Key take-away: Even Triple DES (3DES), a way of using DES encryption three times, proved ineffective against brute force attacks (in addition to slowing down the process substantially).

From the blog article you can download additional content:    
White Paper: AES Encryption & Related Concepts

Encryption & Key Management in Windows Azure

by Michelle Larson  (February 13, 2014)

Key take-away: In February 2014 we released the first encryption key manager to run in Microsoft Windows Azure. This blog highlights four of our most frequently asked questions about providing data security IN the Cloud.

From the blog article you can download additional content:    
Podcast: Key Management in Windows Azure 

Homomorphic Encryption is Cool, and You Should NOT Use It 

by Patrick Townsend  (October 6, 2014)

Key take-away: Homomorphic encryption is a promising new cryptographic method and hopefully the cryptographic community will continue to work on it. It has yet to achieve adoption by standards bodies with a proper validation process.

From the blog article you can download additional content:  
eBook: the Encryption Guide

Authentication Called For By PCI DSS, HIPAA/HITECH, and GLBA/FFIEC

by Michelle Larson  (March 24, 2014)

Key take-away: Two-factor authentication (2FA) plays a critical role in both meeting compliance regulations and following data security best practices. This trend will only grow within various industries and throughout the overall data security environment.

From the blog article you can download additional content:  
2FA Resource Kit: White paper, Webinar, Podcast

Encrypting Data In Amazon Web Services (AWS)

by Patrick Townsend  (August 28, 2014)

Key take-away: Amazon Web Services is a deep and rich cloud platform supporting a wide variety of operating systems, AWS services, and third party applications and services. This blog explores some of the ways that our Alliance Key Manager solution helps AWS customers and partners protect this sensitive data.

From the blog article you can download additional content:  
Podcast:  Encrypting Data in AWS

Key Connection - The First Drupal Encryption Key Management Module

by Michelle Larson  (February 21, 2014)


Key take-away:  Working together to solve the Drupal data security problem, the security experts at Townsend Security and Drupal developers at Cellar Door Media have released the Key Connection for Drupal solution, which addresses the need for strong encryption and encryption key management within the Drupal framework. Now personally identifiable information collected during e-commerce checkouts and user accounts that contain names and e-mail addresses can be easily encrypted, and the encryption keys properly managed, by organizations that collect and store that sensitive information.

From the blog article you can download additional content:   
Podcast: Securing Sensitive Data in Drupal

Nine Guidelines for Choosing a Secure Cloud Provider

by Patrick Townsend  (July 8, 2014)

Key take-away:  Security professionals (CIOs, CISOs, compliance officers, auditors, etc.) and business executives can use the following set of key indicators as a way to quickly assess the security posture of a prospective cloud provider and cloud-based application or service. Significant failures or gaps in these nine areas should be a cause for concern and suggest the need for a more extensive security review.

From the blog article you can download additional content:  
eBook: The Encryption Guide 

Never Lose an Encryption Key in Windows Azure       

by Patrick Townsend  (March 7, 2014)

Key take-away: This blog discusses backup/restore, key and policy mirroring, availability sets, and mirroring outside the Windows Azure Cloud.  Alliance Key Manager in Windows Azure goes the distance to help ensure that you never lose an encryption key. You might be losing sleep over your move to the cloud, but you shouldn’t lose sleep over your encryption strategy.

From the blog article you can download additional content:    
Free 30-day Evaluation of Alliance Key Manager for Microsoft Azure

3 Ways Encryption Can Improve Your Bottom Line

by Michelle Larson  (May 20, 2014) 

Key take-away: In a business world that is moving more towards virtualization and cloud environments, the need for strong encryption and proper key management is critical. Due to all the recent and well-publicized data breaches, we all know about the ways your brand can be damaged if you don’t encrypt your data. This blog takes a look at the benefits of encryption, and three of the ways it can have a positive effect on your business.

Additional content:  You’ll also discover that this is the third time in this Top-10 list that the eBook: The Encryption Guide is offered… so if you haven’t read it yet… what are you waiting for?

The Encryption Guide eBook


Securing Alliance Key Manager for VMware

  
  
  
  

An Introduction to Townsend Security's VMware Guidance Document

VMware customers benefit from the many operational and cost efficiencies provided by VMware virtualization technologies both in traditional IT infrastructure and in cloud environments. As VMware customers deploy data encryption solutions as a part of their defense-in-depth strategy, the need for encryption key management can present barriers to a good encryption implementation. This article provides high-level guidance, general in nature, on how to deploy and protect Alliance Key Manager for VMware within your VMware environment. Actual VMware deployments of Alliance Key Manager for VMware will use different VMware applications and architectures to meet specific user, application, and security needs.

General VMware Recommendations

Identify and Document Trusted and Un-Trusted Applications

Properly identifying application groups based on the level of trust is critical for a secure implementation of virtualized applications and encryption key management services. Create and isolate a management cluster for your core VMware applications such as vSphere, vShield, etc. Identify application groups and their associated level of trust, and isolate applications into appropriate application workgroups. Avoid mixing trusted and untrusted applications in a workgroup.

You should consider creating a security workgroup to contain your third party security applications such as encryption key management, authentication services, Active Directory, system logging, and other applications whose primary function is to assist in securing your VMware environment. Encryption key management services provided by Alliance Key Manager should be implemented in this separate security workgroup used for critical, non-VMware security applications.

In preparation for properly securing these environments, create an inventory of all Virtual Machines managed in each workgroup. For each workgroup and virtual machine, identify the security controls that will be required for each one (network segmentation, storage segmentation, system logging, active monitoring, etc.). VMware flow tools can assist with this documentation.

Restrict Physical Access

Fundamental to all IT security implementations is proper security of the physical environment. This means proper physical security controls and physical monitoring of the data center as well as good auditing and procedural controls. These physical controls should also apply to access to VMware management and security applications. You can look to the PCI Data Security Standards and guidance for information on appropriate physical controls. You can also refer to standard security guidance in SOC 2 and SOC 3 assessments for information on physical controls. When deploying on a cloud platform it is always a good idea to ask the Cloud Security Provider (CSP) for a copy of the PCI letter of attestation, or an SOC 2 / SOC 3 report.

Isolate Security Functions

Because security applications are often a target of cybercriminals, you should isolate them into their own security workgroup and implement the highest level of VMware security. Only trusted VMware administrators should have access rights to Alliance Key Manager, system logs, and audit reports. Be sure to actively monitor access to and use of all encryption key management, key retrieval, and encryption services.

Change VMware Default Passwords

Review all VMware applications used to secure and manage your VMware environment and change the default passwords as recommended by VMware. The failure to change default passwords is one of the most common causes of security breaches.

Implement Network Segmentation

Network segmentation is easy to accomplish with VMware network management and security applications. You should implement it to isolate applications that process sensitive information from applications that do not require as high a level of trust. Additionally, you should provide network segmentation for all third party security applications such as Alliance Key Manager. Network segmentation should include all high availability and business recovery infrastructure. Do not rely on virtual network segmentation alone; use firewalls that are capable of properly securing virtual networks.

Implement Defense in Depth

The VMware management and security applications provide for a high level of security and monitoring. They also provide hooks and integration with third party security applications that provide system log collection, active monitoring, intrusion detection, etc. Encryption is a critical part of a defense-in-depth strategy, and protecting encryption keys is the most important part of an encryption strategy. Regardless of the operating systems in your application Virtual Machines, Alliance Key Manager will provide encryption key management, key retrieval, and encryption services for your business applications and databases running in your VMware infrastructure.

Monitor VMware Administrative Activity

Use an appropriate SIEM solution to collect VMware application and ESXi hypervisor system logs and perform active monitoring. The log collection and SIEM active monitoring solutions should be isolated into a security workgroup that contains other third party security applications such as Alliance Key Manager.

For more detailed information, read the entire VMware Guidance Document and other materials available in this VMware Resource Kit: 

Resource Kit: Encryption and Key Management in VMware


Securing SQL Server in the Cloud

  
  
  
  

Organizations running SQL Server Enterprise edition gain the added benefit of SQL Server transparent data encryption (TDE) and extensible key management (EKM). The encryption capabilities of Enterprise edition enable users to easily encrypt data at the column level of a database, and EKM allows users to store encryption keys using a third-party encryption key management solution. These streamlined capabilities of SQL Server Enterprise Edition have made SQL Server one of the easiest databases to encrypt, and therefore its popularity hasn’t waned.

One of the biggest issues facing SQL Server users today is maintaining security as users move their SQL databases to the cloud. While Microsoft Azure remains a popular cloud service provider (CSP) for SQL users, Amazon Web Services (AWS) and VMware are also common amongst organizations moving to the cloud, especially those migrating a multi-platform environment. Each of these top-tier CSPs offers security solutions to help you protect your cloud environment; however, when considering security in the cloud there are two important things to remember: the security offered by your CSP won’t provide you with a complete security solution, and the security solutions you bring to protect your data in the cloud can fail if not implemented correctly.

Don’t rely on the cloud for complete security!

Your CSP should provide your business with some security, but their solutions are likely limited. Most CSPs will offer firewall protection, for example. Top-tier CSPs have also undergone some certifications such as Payment Card Industry (PCI) and FedRAMP compliance. It is important to remember, however, that relying on firewalls alone is not enough to prevent intruders, and cloud certifications never mean that your company will automatically meet these compliance regulations as well. A comprehensive data security plan is required for any business operating in the cloud, and this typically requires using third-party security solutions to ensure your business meets compliance and is adequately protecting data.

Remember these two things when protecting data in the cloud:

  • The security solutions offered by your cloud vendor are rarely enough to prevent a data breach.
  • Just because your cloud service provider is compliant, doesn’t mean you are.

Storing data in SQL Server in the cloud presents new security challenges. Hackers or malicious users can easily gain access to sensitive data through common hacks. Easy hacking of SQL Server results from:

  • Incorrect configuration of cloud provider’s firewall
  • Attacks through weaknesses that could have been addressed by updating and patching SQL Server
  • Missing or weak passwords
  • Social engineering and account hacking
  • Lax administrative access

When it comes to securing SQL Server in the cloud, you should also always consult your legal and auditing team (or consultants) before assuming that your data is safe and you are compliant with any industry security regulations. On a general level, it’s important to include these security measures in your holistic security plan:

  • Intrusion prevention
  • System logging and monitoring
  • Encryption & key management
  • SSH in place of passwords
  • Limited access to sensitive data
  • Separation of duties and split knowledge when accessing encryption keys and sensitive data.
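An added example (not part of the original post): T-SQL audit queries that check a SQL Server instance for three of the weaknesses listed above (missing or weak passwords, lax administrative access, unpatched builds) and show which user databases are not encrypted. It uses only built-in catalog views and functions, and assumes it is run by a login that can read password hashes (CONTROL SERVER or sysadmin).

```sql
-- Added audit example; read-only, uses built-in catalog views only.

-- 1. Missing or weak passwords: SQL logins with a blank password, a password
--    equal to the login name, or Windows password policy not enforced.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       CASE WHEN PWDCOMPARE('', password_hash) = 1 THEN 1 ELSE 0 END AS blank_password,
       CASE WHEN PWDCOMPARE(name, password_hash) = 1 THEN 1 ELSE 0 END AS password_equals_name
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR PWDCOMPARE('', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- 2. Lax administrative access: every member of the sysadmin role...
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

--    ...and every principal granted CONTROL SERVER, which is equivalent in practice.
SELECT p.name AS grantee, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = N'CONTROL SERVER'
  AND sp.state_desc IN (N'GRANT', N'GRANT_WITH_GRANT_OPTION');

-- 3. Patching: report the running build so it can be compared with the
--    current cumulative update for this version.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level,
       SERVERPROPERTY('Edition')        AS edition;

-- 4. Encryption: user databases (database_id > 4 skips the system databases)
--    that do not have TDE turned on.
SELECT name AS database_name, is_encrypted
FROM sys.databases
WHERE database_id > 4
  AND is_encrypted = 0;
```

Any row returned by queries 1 or 4 is a finding; the output of queries 2 and 3 needs to be compared against your approved administrator list and current patch baseline.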

It’s important to remember that your business continuity relies on your own security plan. Regardless of the environment, when your organization experiences a data breach, ultimately the responsibility is yours. Your customers, as well as your employees, rely on you to protect their data, and if you fail to do so, the consequences may include loss of customer loyalty and a severely damaged brand. The ultimate way to prevent access to sensitive data is using encryption and encryption key management.

To learn more about how Microsoft SQL Server Enterprise Edition can easily be secured in the cloud, download:

Resource Kit: Encrypting Data on SQL Server



VMware and SQL Server Encryption

  
  
  
  

Questions and Answers on Encryption and Key Management Projects

VMware® is hands-down the virtualization choice of large and small organizations, and it is easy to see why. Not only is it a highly reliable and scalable platform, VMware also provides a complete set of tools you need to deploy, manage, monitor, and protect virtual machines.

Earlier this month, Paul Taylor with Security Insider - Podcast Edition spoke with our founder, Patrick Townsend, about encrypting data on Microsoft SQL Server in VMware environments, the steps to encrypting data on SQL Server (with and without TDE), and Townsend Security’s Alliance Key Manager for VMware. Here are a few highlights (download the podcast for the whole conversation):

Paul Taylor: We’ve talked about the Townsend Security encryption and key management solutions for VMware. Today let’s put the focus on Microsoft SQL Server and encryption in the VMware customer environment. Can you give us an overview of how VMware customers can protect data in SQL Server databases?

Patrick Townsend: Just to recap, we really need two things to get encryption right: A key management solution to protect the critical encryption keys, and an encryption solution for the SQL Server database. And they have to talk to each other.

For the first part, our Alliance Key Manager for VMware solution provides a fully functional, enterprise key management solution that protects SQL Server databases as well as other databases and other operating systems.

For encrypting SQL Server, our Alliance Key Manager solution comes with a full Microsoft SQL Server Extensible Key Management Provider. We call this Key Connection for SQL Server and it is one of the modules that our key management customers receive without paying additional license fees. Key Connection for SQL Server provides the encryption and integration with our key server to provide a complete, end-to-end solution for encrypting data in the SQL Server database.

Paul Taylor: Can you talk a little about how Microsoft enables encryption in SQL Server?

Patrick Townsend: If you are running SQL Server Enterprise Edition or higher, you have access to Microsoft’s automatic, full database encryption facility called Transparent Data Encryption, or TDE. You also have access to Microsoft’s automatic, column level encryption facility which Microsoft calls Cell Level Encryption. Both of these options, TDE and Cell Level Encryption, are implemented without any programming work at all. And both are fully supported by Alliance Key Manager and the Key Connection for SQL Server software from Townsend Security.

Paul Taylor: What about Microsoft customers who aren’t using the Enterprise Edition of SQL Server? Can they encrypt their data with the Townsend Security solution?

Patrick Townsend: With SQL Server Standard and Web Editions we provide two paths to encrypt data. The first is to use SQL Views and Triggers along with our .NET DLL to provide automatic encryption without any changes to applications. And the second path is to modify your C# or Java applications to use our .NET DLL to perform encryption at the application level.

Both approaches leverage our Microsoft .NET DLLs to perform encryption with integrated key management. Both are very simple to implement. And there are no additional license fees to deploy and use our Microsoft .NET DLLs to accomplish this.

Paul Taylor: So, walk me through the steps for encrypting data in my SQL Server Enterprise Edition database. How difficult is it?

Patrick Townsend: Encrypting data in Enterprise SQL Server is really very easy. The first step is to install our Alliance Key Manager for VMware solution. It launches like any other virtual machine using the normal VMware applications and you can have a key management solution up and running very quickly.

The second step is to install the Key Connection for SQL Server application on the virtual machine running SQL Server in Windows. This is a normal install process with an MSI file. You answer some questions, install a certificate and private key in the Windows Certificate Store, and run a handful of commands to start SQL Server TDE encryption or Cell Level Encryption. You also restart the log file to be sure that it is encrypted as well. That’s about it.

Of course, you will want to follow the instructions on how to set up a high availability key server, and point your Key Connection for SQL Server configuration to it as failover. That is a normal configuration process and also very easy to do. We find that VMware customers can deploy SQL Server encryption very quickly.

Paul and Patrick also cover which versions of SQL Server are supported, the availability of Alliance Key Manager in other platforms (hint: it’s quite versatile), and our 30-day evaluation program (you can do a full proof-of-concept in your own environment at no charge). Be sure to download the podcast to hear the rest of their conversation:

Podcast: VMware and SQL Server Encryption
