Organizations running SQL Server Enterprise edition gain the added benefit of SQL Server transparent data encryption (TDE) and extensible key management (EKM). The encryption capabilities of Enterprise edition enable users to easily encrypt data at the column level of a database, and EKM allows users to store encryption keys using a third-party encryption key management solution. These streamlined capabilities of SQL Server Enterprise Edition have made SQL Server one of the easiest databases to encrypt, and therefore its popularity hasn’t waned.
One of the biggest issues facing SQL Server users today is maintaining security as users move their SQL databases to the cloud. While Microsoft Azure remains a popular cloud service provider (CSP) for SQL users, Amazon Web Services (AWS) and VMware are also common amongst organizations moving to the cloud, especially those migrating a multi-platform environment. Each of these top-tier CSPs offers security solutions to help you protect your cloud environment; however, when considering security in the cloud there are two important things to remember: the security offered by your CSP won’t provide you with a complete security solution, and the security solutions you bring to protect your data in the cloud can fail if not implemented correctly.
Don’t rely on the cloud for complete security!
Your CSP should provide your business with some security, but their solutions are likely limited. Most CSPs will offer firewall protection, for example. Top-tier CSPs have also undergone some certifications such as Payment Card Industry (PCI) and FedRAMP compliance. It is important to remember, however, that relying on firewalls alone is not enough to prevent intruders, and cloud certifications never mean that your company will automatically meet these compliance regulations as well. A comprehensive data security plan is required for any business operating in the cloud, and this typically requires using third-party security solutions to ensure your business meets compliance and is adequately protecting data.
Remember these two things when protecting data in the cloud:
- The security solutions offered by your cloud vendor are rarely enough to prevent a data breach.
- Just because your cloud service provider is compliant, doesn’t mean you are.
Storing data in SQL Server in the cloud presents new security challenges. Hackers or malicious users can gain access to sensitive data easily through common attacks. The most common ways SQL Server gets compromised are:
- Incorrect configuration of cloud provider’s firewall
- Attacks through weaknesses that could have been addressed by updating and patching SQL Server
- Missing or weak passwords
- Social engineering and account hacking
- Lax administrative access
When it comes to securing SQL Server in the cloud, you should also always consult your legal and auditing team (or consultants) before assuming that your data is safe and you are compliant with any industry security regulations. On a general level, it’s important to include these security measures in your holistic security plan:
- Intrusion prevention
- System logging and monitoring
- Encryption & key management
- SSH in place of passwords
- Limited access to sensitive data
- Separation of duties and split knowledge when accessing encryption keys and sensitive data.
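A read-only T-SQL audit for the weaknesses in the two lists above (patch level, weak passwords, lax administrative access, and attack-surface settings), added here as an example; it is not from the original post or from Townsend Security. It assumes you run it as a sysadmin on the SQL Server instance; the catalog views, functions and configuration names are standard SQL Server.

```sql
-- Added example: quick defensive audit of a SQL Server instance.
-- Run as sysadmin (needed to read password hashes in sys.sql_logins).

-- 1. Patch level: compare ProductVersion/ProductLevel against the current
--    cumulative update for this branch before exposing the instance to a network.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level,   -- RTM / SPn
       SERVERPROPERTY('Edition')        AS edition;

-- 2. Missing or weak passwords on SQL-authentication logins.
--    PWDCOMPARE() tests a candidate password against the stored hash; a blank
--    password or a password equal to the login name are the classic findings.
--    is_policy_checked = 0 means the Windows password policy is not enforced.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       CASE WHEN PWDCOMPARE('',   password_hash) = 1 THEN 'BLANK PASSWORD'
            WHEN PWDCOMPARE(name, password_hash) = 1 THEN 'PASSWORD = LOGIN NAME'
            ELSE 'ok' END AS password_finding
FROM sys.sql_logins
WHERE is_disabled = 0;

-- 3. Lax administrative access: every member of sysadmin, and whether the
--    built-in 'sa' login (SID 0x01) is still enabled.
SELECT m.name AS sysadmin_member, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

SELECT name AS sa_login, is_disabled
FROM sys.sql_logins
WHERE sid = 0x01;

-- 4. Attack-surface settings that should normally be 0 on an instance that is
--    reachable from outside the private network.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'remote access', 'clr enabled');
```

Any row in query 2 other than 'ok', any unexpected member in query 3, or a non-zero value_in_use in query 4 is a finding to remediate before the instance goes live in the cloud.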
It’s important to remember that your business continuity relies on your own security plan. Regardless of the environment, when your organization experiences a data breach, ultimately the responsibility is yours. Your customers, as well as your employees, rely on you to protect their data, and if you fail to do so, the consequences may include loss of customer loyalty and a severely damaged brand. The ultimate way to prevent access to sensitive data is using encryption and encryption key management.
To learn more about how Microsoft SQL Server Enterprise Edition can easily be secured in the cloud, download:
Questions and Answers on Encryption and Key Management Projects
VMware® is hands-down the virtualization choice of large and small organizations, and it is easy to see why. Not only is it a highly reliable and scalable platform, VMware also provides a complete set of tools you need to deploy, manage, monitor, and protect virtual machines.
Earlier this month, Paul Taylor with Security Insider - Podcast Edition spoke with our founder, Patrick Townsend, about encrypting data on Microsoft SQL Server in VMware environments, the steps to encrypting data on SQL Server (with and without TDE), and Townsend Security’s Alliance Key Manager for VMware. Here are a few highlights (download the podcast for the whole conversation):
Paul Taylor: We’ve talked about the Townsend Security encryption and key management solutions for VMware. Today let’s put the focus on Microsoft SQL Server and encryption in the VMware customer environment. Can you give us an overview of how VMware customers can protect data in SQL Server databases?
Patrick Townsend: Just to recap, we really need two things to get encryption right: A key management solution to protect the critical encryption keys, and an encryption solution for the SQL Server database. And they have to talk to each other.
For the first part, our Alliance Key Manager for VMware solution provides a fully functional, enterprise key management solution that protects SQL Server databases as well as other databases and other operating systems.
For encrypting SQL Server, our Alliance Key Manager solution comes with a full Microsoft SQL Server Extensible Key Management Provider. We call this Key Connection for SQL Server and it is one of the modules that our key management customers receive without paying additional license fees. Key Connection for SQL Server provides the encryption and integration with our key server to provide a complete, end-to-end solution for encrypting data in the SQL Server database.
Paul Taylor: Can you talk a little about how Microsoft enables encryption in SQL Server?
Patrick Townsend: If you are running SQL Server Enterprise Edition or higher, you have access to Microsoft’s automatic, full database encryption facility called Transparent Data Encryption, or TDE. You also have access to Microsoft’s automatic, column level encryption facility which Microsoft calls Cell Level Encryption. Both of these options, TDE and Cell Level Encryption, are implemented without any programming work at all. And both are fully supported by Alliance Key Manager and the Key Connection for SQL Server software from Townsend Security.
Paul Taylor: What about Microsoft customers who aren’t using the Enterprise Edition of SQL Server? Can they encrypt their data with the Townsend Security solution?
Patrick Townsend: With SQL Server Standard and Web Editions we provide two paths to encrypt data. The first is to use SQL Views and Triggers along with our .NET DLL to provide automatic encryption without any changes to applications. And the second path is to modify your C# or Java applications to use our .NET DLL to perform encryption at the application level.
Both approaches leverage our Microsoft .NET DLLs to perform encryption with integrated key management. Both are very simple to implement. And there are no additional license fees to deploy and use our Microsoft .NET DLLs to accomplish this.
Paul Taylor: So, walk me through the steps for encrypting data in my SQL Server Enterprise Edition database. How difficult is it?
Patrick Townsend: Encrypting data in Enterprise SQL Server is really very easy. The first step is to install our Alliance Key Manager for VMware solution. It launches like any other virtual machine using the normal VMware applications and you can have a key management solution up and running very quickly.
The second step is to install the Key Connection for SQL Server application on the virtual machine running SQL Server in Windows. This is a normal install process with an MSI file. You answer some questions, install a certificate and private key in the Windows Certificate Store, and run a handful of commands to start SQL Server TDE encryption or Cell Level Encryption. You also restart the log file to be sure that it is encrypted as well. That’s about it.
Of course, you will want to follow the instructions on how to set up a high availability key server, and point your Key Connection for SQL Server configuration to it as failover. That is a normal configuration process and also very easy to do. We find that VMware customers can deploy SQL Server encryption very quickly.
Paul and Patrick also cover which versions of SQL Server are supported, the availability of Alliance Key Manager in other platforms (hint: it’s quite versatile), and our 30-day evaluation program (you can do a full proof-of-concept in your own environment at no charge). Be sure to download the podcast to hear the rest of their conversation:
Questions and Answers on VMware Encryption Projects
Every business is trying to save money and reduce complexity in their IT departments, and many are accomplishing this today by using virtual machines such as VMware®. While these businesses’ infrastructures are becoming virtual, their security threats are still very much real.
Recently Paul Taylor with Security Insider - Podcast Edition spoke with our founder, Patrick Townsend about encrypting data in VMware, encryption performance, and special encryption and key management concerns for VMware users. Here are a few highlights (download the podcast for the whole conversation):
Paul Taylor: As VMware customers start to work on encryption projects to protect sensitive data, what are the things they worry about? What concerns them?
Patrick Townsend: VMware customers have made a large investment in VMware technologies. This includes, but is not limited to, an investment in the VMware solution stack that lets them run a variety of virtual machines, administer those machines, monitor the health of the virtual environment, and secure the entire infrastructure of virtual machines and VMware itself.
VMware customers also have invested heavily in the talent needed to run a VMware data center, have adopted governance and risk management procedures specific to a VMware environment, and have invested heavily in migrating existing applications to this platform. It’s a large investment but the payoffs are substantial.
So, when approaching an encryption project the VMware customer really wants to deploy products and solutions that run naturally in VMware. It is painful and concerning to have to deploy solutions that don’t fit naturally.
Paul Taylor: I know that Townsend Security has encryption and key management solutions for VMware customers. Can you talk a little about those?
Patrick Townsend: For any encryption project there are really two major components:
- The encryption of the sensitive data, usually in a Windows or Linux virtual machine
- The protection of the encryption keys
An effective strategy in the VMware environment has to address both of these. I think we are doing this very well with our encryption solutions for VMware.
First, our Alliance Key Manager for VMware product provides for the creation, management, and protection of encryption keys in a VMware virtual machine. It runs the same FIPS 140-2 compliant key management solution that we offer in our Hardware Security Modules (HSMs). So VMware customers can get encryption key management right without having to go outside of their VMware infrastructure.
Second, all of our encryption solutions that are deployed to protect sensitive data run in the VMware platform and talk to our key manager. For example, you can deploy our SQL Server Transparent Data Encryption solution for automatic SQL Server encryption in a Windows Server virtual machine, and it will talk naturally to our key management server also running in a VMware virtual machine. It’s a perfect match for the VMware customer.
Paul Taylor: Encryption has a reputation for being the hardest part of security. How do you address that concern?
Patrick Townsend: Yes, you are certainly right about encryption having a reputation for being hard and expensive to deploy. However, things are really different today. I’ll give you a couple of examples:
First, our VMware key management solution will soon be released as a ready-to-use key manager. This means that the first time you boot our Alliance Key Manager For VMware solution it will ask you a few questions, create a complete configuration for the key manager, and start the service. You literally have a functioning key server in a few seconds. What 5 years ago required multiple engineers and weeks of installation and configuration now gets done in a blink.
Secondly, our client-side encryption applications and SDKs are also designed for rapid deployment. For example, SQL Server Transparent Data Encryption also deploys through a standard Windows install process. Again, you answer a few questions, install credentials into the Windows Certificate store, run a handful of SQL Server commands, and you are fully protected with encryption. It is incredibly easy.
Paul Taylor: I think everyone worries about performance when you talk about encryption. How well do your encryption solutions perform in VMware?
Patrick Townsend: Performance impacts are a natural thing to worry about. Encryption is a CPU intensive task, and it will have some effect on your application or database. Fortunately modern encryption libraries are very efficient and the impact is usually very modest. Back to our example about SQL Server TDE encryption, the average customer will experience about a 2% to 4% impact when activating TDE encryption. This is very manageable. Large SQL Server databases can pose a performance issue with TDE which is why we also support Cell Level encryption with SQL Server.
We always encourage our customers to try our encryption solutions before they make a full commitment. We make it very easy to do a proof-of-concept project with encryption. Our free evaluations let you take it for a spin and evaluate the impacts yourself.
Paul and Patrick also cover topics on high availability, business recovery, and compliance regulation concerns for protecting data in a VMware environment. Be sure to download the podcast to hear the rest of their conversation:
Understanding PCI Merchant Levels and how an assessment can help your business
If your business takes credit cards for payment, then you are subject to the Payment Card Industry – Data Security Standards (PCI-DSS).
Companies of all sizes must comply with PCI DSS to ensure that their customers' data is protected during the processing and transmission of credit or debit card transactions and securely stored within any internal databases. PCI categorizes businesses into different classification levels based on the number of transactions and dollar amounts they process each year.
- Level 1 – All merchants processing more than 6 million card transactions annually
- Level 2 – All merchants processing between 1 million and 6 million card transactions annually
- Level 3 – All merchants processing between 20,000 and 1 million card-not-present only transactions annually
- Level 4 – All other merchants
Level 1 companies are most likely well versed in the annual PCI audit process, as they have a certified onsite audit annually with a Qualified Security Assessor (QSA). Level 2, 3, and 4 merchants are not required to hire an onsite QSA, but can have a certified Internal Security Assessor (ISA) do the PCI self-assessment annually. However, a small business preparing a self-assessment to participate in its first PCI review may find it a little daunting. If you're feeling that the PCI assessment process is overwhelming and complicated, understanding this process may be the first step toward putting your mind at ease.
If you are a Level 1 merchant, the PCI assessment is a process carried out by a QSA to establish whether or not a business is compliant with security standards relating to the processing of transactions made via a credit or debit card (payment card). PCI compliance assesses your business point-of-sale system, payment applications, and all interconnecting systems with these goals in mind: (1) to examine your system, (2) to identify vulnerabilities, and (3) to prevent data from being compromised.
It’s not a matter of “IF”, but “WHEN”
If you have already suffered a data breach, working closely to review your assessment and put data security best practices into place will provide you with a roadmap to help avoid future losses. If you have not yet been breached, undergoing an assessment and reviewing your risk tolerance can still be stressful. Understanding the process may alleviate some of that stress and help you to maximize your use of the information in the PCI DSS assessment report.
How can a PCI audit help my business?
PCI compliance auditing helps businesses to ensure they are providing the most secure environment for their customers to process payments and ensures that transactions are less likely to result in a compromise in the customers' data.
Ensuring that you meet PCI compliance and have a solid infrastructure for managing data security will increase customer confidence in your business and ensure that you're not exposed to security breaches that could have been avoided.
To learn more about meeting PCI compliance requirements, download the whitepaper Meet the Challenges of PCI Compliance and find the answers to the following questions (and more):
- What will my auditor look for?
- How can I ensure my customers' data is secure?
- What is the difference between tokenization and encryption?
- What is encryption key management and why are auditors looking at this?
VMware is hands-down the virtualization choice of large and small organizations. And it is easy to see why. Not only is it a highly reliable and scalable platform, but VMware provides a complete set of tools you need to deploy, manage, monitor, and protect virtual machines. And did I mention that it totally rocks the scalability challenge?
Let’s look at how VMware customers who run Microsoft SQL Server applications can enable encryption and key management to protect sensitive data and meet compliance regulations.
The First Step:
We have to solve the encryption key management challenge. As we like to say around here, the hardest part of security is encryption, and the hardest part of encryption is key management. We have to store the encryption keys separate from the protected data, and use industry standard practices to protect them. With our Alliance Key Manager for VMware solution we make this problem easy to solve. Our key manager comes in a ready-to-deploy OVA format and VMware customers can just launch the key manager with standard VMware tools. Of course, there are some security best practices on how to properly deploy a security application like a key manager in VMware (see the resources section below). With Alliance Key Manager’s Ready-To-Use options you can have your VMware key management problem solved in just SECONDS.
Of course, some of our VMware customers want to protect encryption keys in traditional Hardware Security Modules (HSMs). No problem, Alliance Key Manager can be deployed as a rack-mounted HSM or as a vCloud instance.
The Second Step:
Now we want to enable encryption in SQL Server and protect the encryption keys with Alliance Key Manager. Thanks to Microsoft’s Extensible Key Management (EKM) interface, this is incredibly easy. Alliance Key Manager comes with EKM Provider software that plugs right into SQL Server to enable encryption and protect your encryption keys. We call this our Key Connection for SQL Server application and it installs on your SQL Server VMware instance using a standard MSI install process. Key Connection for SQL Server runs in all SQL Server environments including VMware, hardware, vCloud, and cloud platforms so hybrid environments are fully supported. Install the credentials, select the SQL Server instances you want to protect, answer some questions, type a few commands and you have a fully protected SQL Server database using Transparent Data Encryption (TDE). Again, this takes just minutes to accomplish.
SQL Server also supports column level encryption, which Microsoft calls Cell Level Encryption. It can provide better performance for some SQL Server databases. Yes, that’s also supported through the same Key Connection for SQL Server software.
The beauty of the Microsoft EKM architecture is that you don’t need to modify your SQL Server applications to deploy encryption. Your DBA and security team can get your data protected very quickly without a development project. Anybody got budget for that these days?
Already encrypting SQL Server but aren’t protecting your encryption key? That’s easy – you can install Key Connection for SQL Server, issue a few commands, and the problem is solved!
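The EKM sequence that Patrick describes in the podcast above and that the Second Step summarizes ("install the credentials, type a few commands"), written out as T-SQL, plus the Cell Level Encryption variant. This is an added example, not Townsend Security's Key Connection installer or documentation: the provider, credential, key, login, database, table and column names, the DLL and backup paths, and the identity/secret values are all placeholders, and Key Connection's installer may already perform the provider and credential steps for you.

```sql
-- Added example: EKM-backed TDE and Cell Level Encryption in SQL Server.
-- All names, paths and secrets below are placeholders (assumptions). Run as sysadmin.
USE master;

-- 1. EKM is off by default; switch it on.
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;   RECONFIGURE;

-- 2. Register the vendor's EKM provider DLL (path is a placeholder).
CREATE CRYPTOGRAPHIC PROVIDER AkmEkmProvider
    FROM FILE = 'C:\Program Files\Placeholder\EkmProvider.dll';

-- 3. A credential the DBA uses to reach the key server through the provider.
CREATE CREDENTIAL AkmDbaCredential
    WITH IDENTITY = 'placeholder_identity', SECRET = 'placeholder_secret'
    FOR CRYPTOGRAPHIC PROVIDER AkmEkmProvider;
ALTER LOGIN [CORP\tde_admin] ADD CREDENTIAL AkmDbaCredential;

-- 4. The key-encryption key is generated and kept on the key server; SQL Server
--    only holds a reference to it. Use OPEN_EXISTING instead of CREATE_NEW to
--    attach a second instance (or a failover) to a key that already exists.
CREATE ASYMMETRIC KEY TdeKek
    FROM PROVIDER AkmEkmProvider
    WITH ALGORITHM = RSA_2048,
         PROVIDER_KEY_NAME = 'sqlserver_tde_kek',
         CREATION_DISPOSITION = CREATE_NEW;

-- 5. A login mapped to that key with its own credential, so the engine can open
--    the database at startup with no human session present.
CREATE LOGIN TdeKekLogin FROM ASYMMETRIC KEY TdeKek;
CREATE CREDENTIAL AkmEngineCredential
    WITH IDENTITY = 'placeholder_identity', SECRET = 'placeholder_secret'
    FOR CRYPTOGRAPHIC PROVIDER AkmEkmProvider;
ALTER LOGIN TdeKekLogin ADD CREDENTIAL AkmEngineCredential;

-- 6. Per-database encryption key (DEK) wrapped by the EKM key; then enable TDE.
USE SensitiveDb;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TdeKek;
ALTER DATABASE SensitiveDb SET ENCRYPTION ON;

-- 7. Verify: encryption_state 3 = encrypted, 2 = encryption in progress.
--    encryptor_type should show an asymmetric key, not a local certificate.
SELECT DB_NAME(database_id) AS db, encryption_state,
       key_algorithm, key_length, encryptor_type
FROM sys.dm_database_encryption_keys;

-- 8. The transaction log is encrypted only from the next virtual log file onward
--    (the "restart the log file" step). Cycling the log with a checkpoint and a
--    log backup is one common way to get there (assumes FULL recovery model;
--    backup path is a placeholder).
CHECKPOINT;
BACKUP LOG SensitiveDb TO DISK = 'D:\backups\SensitiveDb_postTDE.trn';

-- 9. Cell Level Encryption with the same key server: an EKM asymmetric key in
--    this database protects a symmetric key, which encrypts a single column.
--    dbo.Payments with card_number / card_number_enc is a constructed table.
CREATE ASYMMETRIC KEY CellKek
    FROM PROVIDER AkmEkmProvider
    WITH ALGORITHM = RSA_2048,
         PROVIDER_KEY_NAME = 'sqlserver_cell_kek',
         CREATION_DISPOSITION = CREATE_NEW;
CREATE SYMMETRIC KEY CardNumberKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY ASYMMETRIC KEY CellKek;

OPEN SYMMETRIC KEY CardNumberKey DECRYPTION BY ASYMMETRIC KEY CellKek;
UPDATE dbo.Payments
   SET card_number_enc = EncryptByKey(Key_GUID('CardNumberKey'), card_number);
SELECT CONVERT(varchar(32), DecryptByKey(card_number_enc)) AS card_number
  FROM dbo.Payments;
CLOSE SYMMETRIC KEY CardNumberKey;
```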
The Third Step:
What about high availability, business recovery, clustered configurations, and system logs? We’ve got all of that covered, too. Using the same Key Connection for SQL Server EKM Provider (did I mention that it’s free?) you can configure one or more secondary key servers that function as high availability failover servers for business recovery. Key Connection for SQL Server will automatically fail over to secondary key servers if the primary key server is unavailable.
Alliance Key Manager also fits nicely into your active monitoring strategy. You can easily enable forwarding of all key access, key management, encryption, and system activity logs to your log collection server or SIEM solution.
Celebrate Victory and Do It Again!
Alliance Key Manager protects Oracle, IBM, MySQL and other databases as well as web applications and unstructured data. You get to deploy one key management solution to protect everything. And do you know how much it will cost you to do your next project? Nothing, zilch, zed, nada! Alliance Key Manager does not force you to license and pay for client-side applications.
I’ll talk more in future posts about how to protect other databases and applications in VMware environments. Stay tuned if you run SharePoint, Microsoft CRM or ERP applications, Oracle, or open source databases like MySQL and SQLite.
How Much Better Can This Get?
You can evaluate Alliance Key Manager and Key Connection for SQL Server in your own VMware environment free of charge. Just visit our Alliance Key Manager for SQL Server page and request a free 30-day evaluation.
Encryption and key management? We can get this done right!
PCI SSC Virtualization Guidelines
VMware Solution Guide for Payment Card Industry (PCI)
Securing Alliance Key Manager for VMware
Alliance Key Manager for VMware Solution Brief
Because Hackers Don’t Take a Holiday
Companies earn my loyalty when I know they are looking out for and protecting their customers! So yes, I am truly thankful every day for data security and the encryption & key management solutions that help protect our personal information.
Michelle – Marketing
I’m grateful for all the amazing blessings I receive on a daily basis. I have a loving and healthy family, dear friends, creative and witty co-workers. I also get to work for a company that is truly focused on doing good in the world, our community, and here in the office too.
Robbi – Administration
I am thankful every day I wake up and have the gift of another day to spend with my family, friends and doing the things I love.
Ken ~ Marketing
I am thankful for my girls! (the day we adopted our daughter and became a forever family)
Jim – Development
I am thankful for my family and friends.
Victor – Partner Operations
I am thankful for a happy and healthy family.
I’m thankful for biosynthetic insulin!
Shayna – Sales
I am thankful for my family who has always challenged me to be the best version of me. I am thankful for the family I call my coworkers for always believing in my abilities. I am thankful for my fiance for always making me feel safe and making me laugh. I am thankful for my dog Barkley who has brought me pure joy and happiness and my new puppy Lenny who we are getting for Christmas!
Sandra – Administration
I am thankful for our family cabin and the joy that it brings.
Robbn – Support
This is exactly what I am thankful for… 3 of my favorite people!
Tim – Development
I am thankful there’s always more!
James – Sales
I am grateful for my wife and daughter's love.
Luke – Marketing
I am thankful for an awesome, musical family and being able to work with an awesome company that is helping keep your and my personal information safe.
Carol – Administration
I am thankful for my family, and for working at a place where everyone feels like family!
Victoria – Support
I'm thankful for Starbucks hot chocolate.
Katie – Administration
I’m always thankful for family, friends and community!
Paul – Development
I'm thankful for the way the universe has brought me together with my father. He is 97 and an irascible old guy, but he has an unbounding love for life and an enthusiasm that is fantastic. Unfortunately, his zest for living exceeds his physical abilities, but to see his love for the moment is wonderful.
Patrick – CEO
I am thankful for my wonderful family, my tolerant and forgiving friends, and for the great community of employees and partners who make Townsend Security successful. Best holiday wishes to them all!
Being surrounded by loved ones, mashed potatoes, turkey, gravy, and pies has become the annual setting where Americans express their thanks each November. Instead of bottling up all that gratitude to be released on one day, let’s take time throughout the year to show our thanks, express our gratitude, and share with others!
“Not what we say about our blessings, but how we use them, is the true measure of our thanksgiving.” ― W.T. Purkiser
For many business leaders, the idea of moving to the cloud can be a daunting thing. Fear of the cloud still exists, and this fear is easily understood due to the inherent insecurities of the cloud. A shared, multi-tenant environment would never sound like a safe place to store sensitive business and customer data. The appeal of low-cost data storage clearly has trumped these fears, and today the cloud has become the de facto platform for all small businesses and startups as well as larger corporations that are continually trying to mitigate costs and choose to use the cloud over buying new, expensive hardware that must be operated in-house.
However, movement to the cloud has not alleviated these fears, and the biggest concern with the cloud remains security. This is largely because there isn’t a standard for securing data in the cloud, and although organizations such as the Payment Card Industry (PCI) and the Cloud Security Alliance publish recommendations around protecting data in the cloud, there are no hardened rules in place for organizations to follow to help them (or make them) secure data and prevent data breaches in the cloud.
The cloud has become a paradox for business leaders desperate to cut costs and manage risk at the same time. Using the cloud to store and process data at a lower cost is an obvious choice; however, such a quick decision often precludes due diligence around risk mitigation. It leads one to ask, if it’s the CEO’s job to govern and manage risk, why isn’t she or he more aware of the risks associated with storing sensitive data in the cloud?
The answer might be this: CEOs aren’t necessarily ignoring the risk, but simply do not know how to ask the right questions in order to adequately assess risk. If they don’t know how to assess risk in a certain area of their business, then there is little way to control that risk. When dealing in a technical landscape where data breaches are the new norm, and the cost of a breach can be millions, the inability to control the risk of a data breach is a massive problem.
For CEOs and business leaders concerned about sensitive data and data breaches in the cloud, it is important to learn the basics of assessing data security risk. A good place to start is by nailing down the answers to these topics:
- Find out if the customer data your company is processing or collecting must be protected under industry data security regulations and/or state laws. You may be surprised to find out that data not listed under these regulations, such as email addresses, passwords and phone numbers, is now considered “sensitive” in the public eye and should also be encrypted.
- Choose a cloud provider that will work with your compliance needs and help you mitigate risk. If applicable, choose a cloud provider that provably demonstrates commitment to security and privacy by having undergone PCI, FedRAMP, SOC or similar certifications. You may want to have the option of storing some data in a private cloud. Does your cloud provider offer this?
- Work with your compliance auditor(s) to determine if your cloud solution aligns with industry compliance requirements and best practices. At the end of the day, your auditing and legal counsel should be able to determine if you are securing data to regulations, recommendations and best practices. It is important to remember that meeting compliance is often considered a low bar and that it is typically better to do more than the bare minimum requirements.
- Document the type of data that you will be storing or processing in the cloud and which compliance regulations apply to encrypting that data. Depending on whether you are handling credit card information, financial information, patient healthcare information, or other types of sensitive data, you may fall under one or more industry data security regulations. Each set of regulations identifies what kinds of data need to be encrypted.
- Choose a cloud provider that will allow you to bring your own encryption key management when encrypting data. When encrypting data in the cloud, it is critical to remember that your encryption keys are your keys to the kingdom. If you store your encryption keys with your encrypted data, then anyone who gains access to that data will be able to decrypt it using the encryption keys. Some cloud providers offer key management as a service, which may be an adequate method of protecting encryption keys, but may not be preferable for organizations who want complete control over their encryption keys.
For any business leader concerned with GRC, knowing how to assess risk in the cloud is critical. Download our podcast "Encryption, Key Management, and GRC" to learn about what technologies you can implement to help mitigate a data breach or prevent one from happening altogether.
Many companies, however, do not know how they are being attacked.
Today we want to expose and explore the ways bad actors gain access to, and exploit, your sensitive data. Follow along as we look at the costs, the causes, and the preventative measures of data breaches. You can click on the infographic to download additional resources!
More Questions from the Tradeshow Floor (Part 2)
In our last blog we touched on a few of the questions asked at events we attended in November. There were so many great conversations that I’ve decided to share a few more!
With the various platforms that I can deploy an encryption key manager in, how do I know which one is right for me?
There are several factors that will come into play when deciding where you deploy your key management:
- Compliance regulations that you need to meet can be a factor in whether you deploy a Hardware Security Module (HSM), a cloud HSM, or a virtualized instance. If you are working with an auditor or going through a QSA audit, you'll want to have a conversation with them to understand their expectation from a compliance point of view around where you deploy your encryption key manager.
- Risk tolerance will also come into play. You may have a security group within your organization with strong feelings about how to deploy encryption key management and how to mitigate risk. If you have large amounts of sensitive data to protect you might decide to deploy an HSM in your secure data center. If you're dealing with a very small amount of data and you do not process credit cards or personally identifiable information, your risk assessment may indicate a cloud deployment.
- Budget is certainly always a factor to consider. It is important to consider the cost benefits of security however, we all understand that leaving our data in the clear is no longer an option. It is a matter of understanding your industry regulations and risk assessment, then deciding what encryption and key management to deploy.
While they are generally the most secure solution, Hardware Security Modules (HSMs) can be more expensive than a virtual environment, dedicated cloud instance, or virtual private cloud. Once you look at all the factors that affect your company, we will be there with the right solution that will work for your needs.
Tell me more about all these different options you have for the Alliance Key Management Solution… are they all going to help me meet compliance requirements?
We still offer our original hardware security modules (HSMs), and there are now additional deployment options: cloud-based HSMs, virtual appliances (VMware), and true cloud instances of encryption and key management in AWS and Microsoft Azure.
- Hardware Security Module (HSM) is a physical, tamper-evident security appliance. Built for high resiliency and redundancy, it has hot-swappable disk drives, dual power supplies, and dual network interfaces, and is deployed in your IT data center.
- Cloud HSM is a physical appliance hosted in a secure cloud with real-time mirroring of encryption keys and access policies. Dedicated HSMs are hosted in geographically dispersed data centers under an ITIL-based control environment and are independently validated for compliance against PCI DSS and SOC frameworks. No access is available to the cloud vendor or any unauthorized user.
- Virtual Appliances are the exact same key management solution, the same binary software that runs inside the hardware HSM, available as a VMware instance.
- In the Cloud: if you're running on Microsoft Windows Azure, vCloud, or Amazon Web Services (AWS), the encryption key manager can run as a true cloud instance in a standard cloud, or be deployed in a virtual private cloud for added data protection for sensitive applications.
Because encryption and key management are so important, we offer all of the options listed above as NIST and FIPS 140-2 compliant solutions.
How is Alliance Key Manager Priced?
We have a wide set of options for our customers, and are dedicated to helping find affordable solutions. We have perpetual license or subscription options for classic HSMs, Cloud HSM, and virtualized environments. Our cloud offerings are true usage-based subscriptions, so if you're used to deploying in Amazon Web Services or Windows Azure, our encryption & key management solutions will fit that same strategy for pricing.
We really believe that the encryption should go everywhere you need it to go! Your key management should work across a wide set of application environments, and it must be affordable, so that we can all get where we need to be in terms of protecting sensitive data. Regardless of where your data is or what platform you are using, there's a key management solution that can work for you!
How can Encryption and Key Management improve my bottom line?
Whether you choose a designated hardware security module (HSM), something designed specifically for virtualized environments (VMware), or data storage in the cloud, encryption and key management solutions can help you:
- Gain competitive advantage and build loyalty by protecting your customers' data against access by unauthorized users
- Reduce hardware costs by leveraging virtual environments in the cloud
- Significantly improve your data security strategy while satisfying data compliance and privacy requirements
Overall, data encryption offers many benefits and provides solid protection against potential threats or theft. In addition to the many benefits, encryption is also efficient, easy to use, and affordable!
What sets Townsend Security apart from other key management vendors?
We want to protect data and make sure encryption is available everywhere you need it, so at Townsend Security we have a very different philosophy and approach:
- We think that when you buy an encryption key manager, you should be able to easily deploy the solution, get all your encryption projects done properly, and have very affordable and predictable costs.
- We understand that we live in a world where budget matters to our customers, so we do not charge client-side fees.
- We know that IT resources are limited, so we have done a huge amount of work to make our solutions easy to use, with out-of-the-box integrations and simplified deployments. Along with the solution we also provide ready-made client-side applications, encryption libraries, source code samples, and SDKs for developers who need them to get their projects done very quickly.
Want to learn more about how to properly secure your data and protect your business against a data breach? Download our eBook “The Encryption Guide”:
Questions from the Tradeshow Floor (Part 1)
November was a very busy month for tradeshows, conferences, and speaking engagements for the team at Townsend Security. We love getting out to meet our current and potential customers and other than “giant Tetris”, our favorite things are the great questions we get asked at events.
What if I lose an encryption key?
While the fear of losing a key is legitimate, the keystone of a successful encryption solution is encryption key management, which is the primary solution for managing, storing, and, most importantly, protecting encryption keys. Unlike a “key storage” solution, a cryptographic encryption key manager is typically a NIST FIPS 140-2 compliant hardware security module (HSM) or virtual machine in the cloud that manages key storage, creation, deletion, retrieval, rotation, and archival. Many key management solutions are also deployed in pairs, with one located in a different geographical location for high availability. If you do encryption key management right, you will never lose an encryption key.
Is there more to encryption key management than just storing my encryption keys?
There is far more to encryption key management than just storing the encryption key somewhere. Generally, a key storage device only provides storage of the encryption key, and you need to create the key elsewhere. Also, just storing your encryption keys “somewhere” doesn’t work very well for compliance regulations. An encryption key manager provides a whole set of management capabilities and a suite of functions that enforce dual control, create separation of duties, implement two-factor authentication, generate system logs, and perform audit activities, along with managing the key life cycle.
Beyond storing the encryption key, a cryptographic key manager manages the entire key life cycle. Some of the most important functions the key management administrator performs are the actual creation and management of the encryption keys. The keys are generated and stored securely and then go through the full cycle: they become active, go into use, expire, retire (post-activation), are backed up in escrow, and are finally deleted (the “destruction” phase). There is a very real need, and there are very specific compliance regulations and guidelines, that require you to store and manage your encryption keys away from the data they protect.
How easy is securing and protecting sensitive data on SharePoint?
The path to implementing encryption and key management for SharePoint is one of the most straightforward and easy paths. Townsend Security’s Alliance Encryption Key Management solution fully supports automatic encryption in SQL Server and integrates with ease. SQL Server Enterprise and higher editions (starting with 2008) fully implement extensible key management (EKM) and encryption to protect data. Installing encryption on that platform is the first step. Administrators can then leverage the automatic encryption capabilities of SQL Server with only a few commands and no application changes.
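As an added example (not code from the original post or from Townsend Security), the T-SQL below walks through the server-side steps that enable TDE with an EKM provider; the provider name, DLL path, credential identity and secret, login, key name and database name are placeholders you would replace with the values your key manager vendor's documentation gives.

```sql
-- 1. Allow SQL Server to load an EKM provider (server-level, run as sysadmin).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- 2. Register the key manager's EKM provider DLL (placeholder path and name).
USE master;
GO
CREATE CRYPTOGRAPHIC PROVIDER KmsEkmProvider
    FROM FILE = 'C:\Program Files\<vendor>\ekm-provider.dll';   -- placeholder
GO

-- 3. Credential the provider uses to authenticate to the key manager,
--    attached to the DBA login that will create keys (placeholder values).
CREATE CREDENTIAL KmsAdminCred
    WITH IDENTITY = '<key-manager-user>', SECRET = '<key-manager-secret>'
    FOR CRYPTOGRAPHIC PROVIDER KmsEkmProvider;
ALTER LOGIN [DOMAIN\dba] ADD CREDENTIAL KmsAdminCred;             -- placeholder login
GO

-- 4. Reference a key that lives in the key manager. The private key never
--    leaves the HSM/key server; SQL Server only holds a handle to it.
CREATE ASYMMETRIC KEY TdeKeyEncryptionKey
    FROM PROVIDER KmsEkmProvider
    WITH PROVIDER_KEY_NAME = 'sql-tde-kek',          -- placeholder key name
         CREATION_DISPOSITION = OPEN_EXISTING;       -- or CREATE_NEW
GO

-- 5. A login mapped to that key, with its own credential (a credential maps to
--    one login only), lets the engine reach the key manager at startup to
--    unwrap the database encryption key.
CREATE LOGIN TdeEkmLogin FROM ASYMMETRIC KEY TdeKeyEncryptionKey;
CREATE CREDENTIAL KmsEngineCred
    WITH IDENTITY = '<key-manager-user>', SECRET = '<key-manager-secret>'
    FOR CRYPTOGRAPHIC PROVIDER KmsEkmProvider;
ALTER LOGIN TdeEkmLogin ADD CREDENTIAL KmsEngineCred;
GO

-- 6. Create the DEK in the target database, wrapped by the EKM key, and turn TDE on.
USE SalesDb;   -- placeholder database
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TdeKeyEncryptionKey;
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO

-- 7. Verify: encryption_state 3 means the database is fully encrypted.
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```

Because the data encryption key is wrapped by a key held in the key manager, a stolen backup or data file cannot be opened without access to that external key, and no application code changes are needed.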
What impact does encryption have on SQL Server performance?
Encryption will always be a CPU-intensive task, and there will be some performance impact due to the extra processing needed for encryption and decryption. However, the Microsoft encryption libraries as well as the .NET environment are highly optimized for performance. We have always seen very good performance on SQL Server and the native encryption capabilities it provides. Microsoft reports that Transparent Data Encryption (TDE) on SQL Server may impose a 2-4% performance penalty, and our own tests show similar results, at the 2% end of that range.
Is there any limit to the number of servers that I can hook up to your encryption key manager?
There are no restrictions and no license constraints on our encryption and key management solution. We don't meter or count the number of client-side platforms that connect to our Alliance Key Manager, so you can hook up as many client-side applications, servers, and processors as you need to. This is one of the things I think is different about how we approach encryption and key management with our customers. We also know the applications you are running today may not be the applications you need to be running tomorrow, and we really want you to deploy encryption to all your sensitive data and scale up when and where you need it.
I am collecting data in Drupal. What data do I need to encrypt?
Organizations starting an encryption project always have this question on their minds. It is a simple question, but it can be hard to answer. Generally speaking, you should encrypt any information that alone, or when combined with other information, can identify a unique, individual person. This is called Personally Identifiable Information, or PII. This should be your starting point, but you may need to address other information depending on the compliance regulations you must meet.
- PCI Data Security Standard (PCI DSS) applies to anyone, public or private, who accepts credit cards for payment. Primary account numbers (PAN) are specifically addressed.
- HIPAA/HITECH Act requires the medical sector (and any business associate) to provide data protection for patients' protected health information (PHI).
- GLBA/FFIEC applies to the financial industry (banks, credit unions, trading organizations, credit reporting agencies) for protecting all sensitive consumer information.
- Sarbanes-Oxley (SOX) applies to publicly traded companies and covers sensitive data such as personally identifiable information (PII).
In addition to these compliance regulations, the Cloud Security Alliance (CSA) has created the Cloud Controls Matrix (CCM) specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
We encourage all developers to check out Townsend Security’s Developer Program, which allows developers to design strong and secure applications from the ground up using NIST compliant AES encryption and FIPS 140-2 compliant encryption key management.