Townsend Security Data Privacy Blog

The Most Frightening Data Breaches of 2014… So Far!


It’s not just “Target”… everyone has a bullseye painted on their information!

Forget about vampires, werewolves, and other things that go bump in the night. If you want to be truly frightened this Halloween, just take a look at some of the 395 data breaches reported in the first half of 2014 alone.

According to the Identity Theft Resource Center, breaches are up 21% compared with the same period last year (and that counts only the ones that have already been reported to regulators). Some of these you may be familiar with; others might surprise you:

  • eBay - online retailer
    The breach is thought to have affected the majority of the 145 million members when a database containing customer names, encrypted passwords, email addresses, physical address, phone numbers, and dates of birth was compromised.
  • Home Depot
    In a large nationwide malware attack, 56 million card records were stolen through point-of-sale systems. In a second incident in Atlanta, the personal information of 20,000 employees was stolen by three human resources employees and used to open fraudulent credit cards.
  • Michaels Stores - craft stores nationwide
    The point-of-sale (POS) systems at 54 stores were attacked using malware and up to 3 million payment card numbers and expiration dates were obtained.
  • Snapchat (online photo app and delivery service)
    4.6 million accounts were hacked and millions of images stolen. A database of the information (phone numbers and user names) was posted online on Reddit and on another site that has since been taken down.
  • Neiman Marcus (retailer)
    1.1 million payment cards were compromised over a period of 8 months as hackers repeatedly breached the point-of-sale systems through a central processing server.
  • AIG (American International Group)
    774,723 customers. The insurance provider confirmed that a file server and two laptops holding personal information were stolen by a former financial adviser.

Those are some pretty significant numbers, and most likely everyone that reads this blog has been affected in some way by at least one of these events. What we all need to remember is that cyber crime isn’t limited to “black hat” hackers who only go after the big piles of data. Sometimes it is a disgruntled employee who destroys or releases sensitive data. Sometimes it is an unintentional employee error, or the loss of an employee’s laptop or thumb drive that thieves go after. Often it is the smaller company or mid-sized enterprise that hasn’t yet implemented security steps, like encryption and authentication, to protect its sensitive information.

If the first list didn’t give you a fright, here is another that might make you tremble with fear. We would prefer, however, that it resulted in data security being brought up at your next security and risk management meeting!


University of Maryland
307,079 individuals - personal records
*Hackers broke in twice and stole data

North Dakota University
291,465 student and staff records

Sutherland Healthcare Solutions
168,000 patients
*Stolen computer equipment containing personal health & billing information

Sally Beauty Holdings (retailer)
25,000 customers lost credit card data to a hacker

Catholic Church - Archdiocese of Seattle
90,000 employees and volunteers - database records

Goodwill Industries (charitable resale)
868,000 customers from approximately 330 stores

Jimmy John’s (national sandwich shop)
*undisclosed number of customers from 216 corporate and franchised locations

Internal Revenue Service (IRS)
20,000 individuals affected
*Employee incident - an unsecured drive was connected to an insecure home network

Assisted Living Concepts
43,600 current and former employees in 20 states, had their payroll files breached when the vendor’s system was hacked.

Coca-Cola
74,000 people lost unencrypted personal information to a former employee from Atlanta who stole 55 laptops. Company policy requires laptops to be encrypted, but they weren’t.

The Montana Department of Public Health and Human Services
A server holding names, addresses, dates of birth, and Social Security numbers of approximately 1.3 million people was hacked.

Spec’s - wine retailer in Texas
Affecting as many as 550,000 customers across 34 stores, hackers got away with customer names, debit/credit card details (including expiration dates and security codes), account information from paper checks, and even driver’s license numbers.

St. Joseph Health System
Also in Texas, a server was attacked that held the information of approximately 405,000 former and current patients, employees, and beneficiaries. This data included names, Social Security numbers, dates of birth, medical information, addresses, and some bank account information.

The US Department of Health and Human Services has a breach database of incidents related to exposure of personal health information.  Due to late entries, dates weren’t listed, but the following were reported:

  • 25,513 records at Dept. of Medical Assistance Services in Virginia
  • 22,511 records at Cook County Health & Hospital System
  • 18,000 records at Terrell County Health Dept. in Georgia
  • 10,000 records at Health Advantage in Arkansas
  • 84,000 records at St. Francis Patient Care Services in Tulsa, OK
  • 10,024 records at Missouri Consolidated Health care

A new study from researchers at Gartner indicates that it is markedly less expensive for companies to invest in new security and encryption technologies than it is for them to respond to a data breach. According to the analyst firm, businesses pay roughly $6 per year per user for encryption tools, or $16 per user per year for intrusion prevention software licenses, versus paying out an average of $90 per user to address problems after a breach has occurred.

Five steps you can take to make sure this doesn’t happen to you:

  1. Have a defense-in-depth strategy that meets your level of risk tolerance
  2. Make sure you know where all of your sensitive data is stored, and who has access to it
  3. Use standardized encryption algorithms to make that data unreadable
  4. Use an encryption key management solution to protect keys away from the data
  5. Use two-factor authentication whenever possible, because passwords are no longer enough

To help open up the conversation around your conference table, download this eBook “Turning a Blind Eye to Data Security” and find out more about the tools & resources to begin discussions about data security in your company!


Kudos to Tim Cook and Apple Computer


"We pave the sunlit path toward justice together, brick by brick. This is my brick."

Tim Cook, Apple CEO

Today was one of the most inspiring days of my life.

Tim Cook’s beautiful and courageous and inspiring coming out as a gay person will be noted as one of the significant events of our lifetimes. In one simple act Tim Cook took Apple Computer from a company that makes wonderful things, to a wonderful company; from a company known for its ability to make stuff, to a company known for its ability to inspire and lead humanity. He blazed a path for all of us, and changed how we will relate to the LGBT community forever. It was a beautiful and courageous act in itself, and it advanced us all towards a more humane, towards a more morally sane, future.

We are all deeply in Tim Cook’s debt.

We should not forget that behind every CEO is a board of directors, and a management team, and a large group of employees. Let’s recognize that every part of Apple Computer stands behind Tim Cook today. No one works alone, or leads alone, or can succeed alone. This was truly a day for everyone at Apple Computer to be proud of.

We honor you all.

Apple didn’t invent cool, but under Steve Jobs they came to make the most cool stuff. And they appropriated coolness as a part of their brand. Now, for the first time, with Tim Cook’s leadership, they really ARE cool.

It’s not what you make, it’s who you are.

Good Lord, for the first time in a long time I just want to buy something that Apple makes.

Well done Tim Cook, and well done everyone at Apple! This day belongs to you.

Patrick


Protecting Sensitive Data in Amazon Web Services


Best Practices for Deploying a Key Manager in AWS

The cloud has transformed the way most industries manage their data. With services that offer cost-effective, scalable, “pay-as-you-go” options, it is increasingly rare to find a company that doesn’t want to migrate business-critical applications from an in-house data center to the cloud. Companies make different decisions based on their industry’s risk assessment, their own tolerance for risk, and compliance regulations; some enterprises, however, have been holding back on their migration to the cloud until they are comfortable that they can properly protect their most vital information. Data security was a concern when we had a fully controlled hardware environment, and now that we are moving to shared, multi-tenant virtual environments it has become even more critical.

Data encryption has had a reputation of being the hardest security measure to achieve and yet it is the best way to secure digital information that needs protection. One of the most important elements of encryption is using encryption key management best practices to keep the encryption keys safely stored away from the data they protect. An Enterprise key management solution will also provide dual control, separation of duties, and proper rotation of encryption keys to ensure that you (and only you) control, manage, and have access to your encryption keys and the data they protect.

Encrypting Data in AWS

Any cloud platform brings with it an additional set of security concerns, including the ability to implement and demonstrate regulatory compliance, as applications and services move into the cloud. Whether enterprises bring their own applications and operating systems into the AWS cloud, or use the variety of options and rich set of services supplied by Amazon, let’s take a look at the ways data can be encrypted and at the appropriate technologies for protecting those vital encryption keys.

Virtual machine migration: Probably the most typical cloud deployment involves IaaS (infrastructure as a service), where the operating system, database, and everything else are contained in a single virtual machine along with the application. By using industry standard encryption and key management, vulnerabilities are significantly reduced and organizations are able to enforce compliance requirements.

Data storage options: Whether you are encrypting an entire database, or using column-level encryption for a more granular approach, you have options for database (data-at-rest) encryption.

Amazon Relational Database Service (RDS): While RDS does not internally support encryption key retrieval or on-device encryption services, it does make it easy for applications to encrypt data going into and coming out of RDS. You can retrieve encryption keys for application-level encryption, or use on-device encryption, before writing data to, or after reading data from, RDS.

Amazon Simple Storage Service (S3) is very popular for video, audio, and large files, and now supports server-side encryption with customer-supplied keys and key management. Each file can have its own encryption key, or you can use the same key to encrypt multiple files. With recent enhancements by Amazon, you can easily “bring your own key” and integrate a key manager to encrypt data being stored in S3 and decrypt data that is retrieved from S3 storage.

Amazon Elastic Block Storage (EBS) is available to any virtual machine running in an Amazon context, which can retrieve encryption keys and encrypt data in a very straightforward application environment.

Choosing an Encryption Key Management Solution

Make sure your key management solution provides a rich set of SDKs and client-side libraries, all of which run in cloud platforms and can be used with all of the storage services that Amazon provides. You should be able to choose to host the key manager in the AWS cloud as an Amazon Machine Instance (AMI), in a hosted cloud HSM (which gives you a dedicated HSM in a SOC 3 audited data center with a PCI DSS letter of attestation for compliance), or within a physical HSM under your full control in your own data center. Look for a key manager solution that runs exactly the same way in all of these environments and ensures that you maintain ownership of your encryption keys at all times, so that if you deploy in one location and then need to migrate, you can easily store your data in the appropriate locations. Using industry standard encryption and certified solutions for key management is also critically important for meeting compliance regulations and following security best practices. Using a third party Cloud HSM gives you the assurance that your encryption keys are kept safely apart from your sensitive data. It is very important to make sure no one else has administrative access, because above all, encryption keys are the secret that must be protected within your encryption strategy.

With options for fee-based encryption key management services, as well as bring-your-own-license solutions, Townsend Security's Alliance Key Manager (AKM) for AWS allows Enterprises to properly manage their encryption keys while meeting security requirements in less time and at a lower cost. While it is not possible to perform FIPS 140-2 validation in a cloud service provider context, Alliance Key Manager uses the same FIPS 140-2 compliant key management technology available in Townsend Security's HSM and in use by over 3,000 customers worldwide. Alliance Key Manager for AWS provides full life-cycle management of encryption keys for a wide variety of applications to help organizations meet PCI DSS, HIPAA, and PII compliance at an affordable price.

To learn more about protecting your data in AWS, download this recent podcast by industry expert Patrick Townsend:


5 Ways CEOs Can Limit Liability, Manage Risk with Encryption


Recently I traveled to Los Angeles to speak at a NetDiligence Cyber Risk and Liability conference on a panel focusing on technology to mitigate risk. I was eager to attend and speak at this conference since the area of data breach clean-up is a field that I rarely come in contact with. In our organization, we spend much of our time consulting with companies who are attempting to prevent a data breach or meet compliance by implementing encryption and key management technology, and rarely are we involved in any post-breach scenarios involving breach forensics, insurance payouts, or litigation.

It is common knowledge, however, that for attorneys who wish to help limit their client’s liability when it comes to data breaches (and also make litigation easier should a data breach occur), advising them on processes and technologies that will mitigate risk and liability is essential.

From speaking to attorneys who attended this conference, this is what I learned: executives don’t treat their data as an asset that needs to be protected as a part of governance and risk mitigation. This is a pervasive issue that is exemplified in the highly publicized data breaches that seem to occur on a weekly basis. Negligence around data protection, I believe, simply stems from a lack of education. Twenty or thirty years ago, when most enterprise executives were in business school, governance of sensitive electronic data was not taught, simply because the issue didn’t exist. Today, protecting data as a method of risk management is an entirely new field. Unfortunately, as data breaches become more and more serious, business leaders can no longer avoid the issue or fall back on an “I’ll just pay the fine” mentality, which is woefully inadequate since the cost of a data breach extends far beyond fines paid to the respective industry regulators. The cost of a breach includes fines, brand damage, loss of customer loyalty, litigation, credit report monitoring for affected customers, and even job loss. Executives should take a note from the ex-CEO of Target to learn how a data breach reflects on leadership (or the lack thereof).

In the face of never-ending data breaches and an entire industry based on hacking complex networks, the question now becomes, how can executives effectively mitigate cyber risk and liability using technology?

1. Accept data is a critical part of governance, risk management, and compliance

Imagine a CEO walks into a room with his or her board of directors and says, “I’m going to cancel our errors and omissions insurance.” Any director would be terrified and livid to hear their CEO say such a thing, and likely begin to doubt his or her ability to govern. However, in a similar situation, if a CEO said, “I don’t think we’re going to encrypt our customers’ sensitive data this year,” historically no one would have blinked an eye. This is changing. The cost of a data breach has skyrocketed to a point where ignoring the risk of unprotected sensitive data is considered negligence. Executives need to understand that not encrypting sensitive data reflects on their ability to govern.

2. Know what data is considered “sensitive” and needs to be protected

Sometimes business leaders aren’t even sure which data needs to be encrypted. Overall, it is common knowledge that data such as credit card numbers and Social Security numbers need to be encrypted, especially under payment card and financial regulations such as PCI-DSS and GLBA/FFIEC; however, loyalty data such as email addresses, passwords, and phone numbers is also considered sensitive and should be protected. Hackers are great aggregators and can derive very sensitive data from this kind of information. The recent JP Morgan Chase breach is a good example of a breach of customer data that landed a business in hot water. Executives need to examine which regulations they fall under, consider what is now regarded as sensitive (even though it may not be listed as “sensitive” under regulation), and encrypt that data.

3. Learn to ask the right questions

Executives have learned to ask the right kinds of detailed questions to ensure their financial and business processes are limiting risk, but they still haven’t learned to ask the same kinds of detailed questions about their data security. In fact, it’s common for a CEO to simply ask their security or IT department, “Are we secure?” Unfortunately, vague questions such as this get vague answers. While business leaders should work with a qualified security auditor to determine what kinds of questions they need to be asking their IT security team, here are a few examples that might be helpful:

Can I get an itemized list of all of the locations of our sensitive data, and the specific method in which we are protecting those sets of data?

Are we transferring sensitive data across networks? How are we encrypting that data?

Are we encrypting our data at rest? If so, are we using industry standard methods such as NIST AES encryption or RSA encryption?

How are we managing our encryption keys? Are they located in a secure, FIPS 140-2 compliant encryption key manager?

4. Know the limits of your technology

Assuming a certain amount of risk is common when that risk can’t be avoided. Unfortunately, it’s not very pleasant to realize you’ve assumed risk that you were unaware of. Many large retailers have been experiencing this recently with data breaches occurring in their point-of-sale systems. Understanding the limits of the technology you use is critical to preventing data breaches. Many organizations still rely on firewalls, strong passwords, and intrusion prevention software alone to protect sensitive data. These methods are certainly a component of a data security strategy, but they have limits, and on their own they are inadequate to protect sensitive data. Industry regulators know this, which is why data security regulations require, or at least strongly recommend, the use of encryption and encryption key management.

5. Encrypt data everywhere, including in the cloud

The internal network of any business can be incredibly complex. With many points of entry in many departments, a network can be easily breached. Encryption and key management are defense-in-depth technologies used to stop data breaches before they happen. Since data moves across multiple applications and networks, it needs to be encrypted in every location where it moves or stays. Any sensitive data processed or stored in the cloud should always be considered at greater risk, due to the inherent insecurities of a multi-tenant cloud solution. Assume that any holes in your encryption strategy will attract a breach.

Managing risk by implementing the right technologies is critical to mitigating the effects of a data breach. To learn more about encryption and risk mitigation, download the podcast, “Encryption, Key Management, and GRC: Technology to Mitigate Risk.”


Three Cyber Crimes That Can Cripple You, and How to Prevent Them


October is National Cyber Security Awareness Month. With so much in the news about The Home Depot, Target, and the plethora of continued phishing and email scams, we wanted to bring a few vulnerabilities to light to remind everyone of cyber security best practices. Now keep in mind, cyber crimes are wide and varied, so covering all of them would be a monumental task. We just want to take the time to highlight three in order to get you moving toward a more secure posture. First up, the Debt Elimination Scam:

Debt Elimination

The “It’s Too Good To Be True” Scheme
The Bad Actor: Seemingly legitimate websites that promote a virtually unknown but "legal" way to eliminate your mortgage loan or credit card debt.
The Pitch: For only about $2K, these "trained professionals" will eliminate your debt on your behalf. You don't have to lift a finger!
The Hook: In order for these honest folk to act on your behalf, you will need to give them all the particulars of your debt plus sign a power of attorney document authorizing them to enter into financial transactions on your behalf.
The Sinker: Once you have given them this information, you are only seconds away from them stealing your identity and racking up additional debt.

What You Can Do:

  • Only deal with businesses that you verify:
    • Do your research, make sure they have a physical address
    • Do they have a telephone number that you can call?
  • Go online to the Better Business Bureau in your area:
    • Check their rating with the BBB
    • Check how long they have been in business
    • Do they have any outstanding issues with customers?
  • Do not deal with anyone outside the U.S.
  • Do not deal with companies with only a P.O. Box
  • If it sounds too good to be true, it probably is.

To learn more about online or email scams, please visit: http://www.fbi.gov/scams-safety/fraud/internet_fraud

Malware

Death by Web or Email
The Definition: Short for malicious software, it is used to either take down a computer, gain access by an unwanted party, or scrape data without your knowledge.
The Bad Actor: This can be anyone with ill intent. You can have anyone from your run-of-the-mill hacker, to corporate spy, to governmental intruder.
How They Gain Access: Normally this is done in two ways, email or web surfing. For emails, they commonly want you to download a picture or click a link - because either of those actions can contain a secret action of downloading the malware. Similarly, websites are constructed with links that will download malware with only one click.
What Do They Want: They may want to take down your computer with a virus, hold your data for ransom, steal your data, or spy on you.

What Can You Do:

  • Install anti-virus and anti-malware software and keep it up to date
  • Regularly scan your computer for malicious software
  • Immediately send all emails that you do not trust to the spam folder
  • Immediately surf away from websites that you think are suspicious or spammy

For this one, look no further than good ol' Wikipedia for more info: http://en.wikipedia.org/wiki/Malware

Thumbsucking


Keep it Secret, Keep it Safe
The Definition: I know, this seems like a problem for toddlers, but this is a real issue for businesses as well. Thumbsucking is when someone uses a USB portable drive or "thumb drive" to download data without the data owner's consent.
The Bad Actor: This can be anyone from a corrupt office worker to an unwanted visitor to the business.
How They Gain Access: Since most USB ports are on the inside of firewalls and passwords, gaining access is only one connection away.
What Do They Want: They want your sensitive data. Anything that could be sold in the criminal underground or to a rival business is up for grabs.

What Can You Do:

  • Encrypt all sensitive data
  • Use proper key management for your encryption
  • Set clear policies for which devices are allowed in critical areas of the business
  • Have strict permissions as to who can access the data: 
    • Protect via password
    • Use two factor authentication

To learn more about the threats of thumbsucking, head on over to: http://www.csoonline.com/article/2119244/identity-theft-prevention/the-thumb-sucking-threat.html

What Should You Be Thinking Right Now
The threat landscape is changing. As the honest business and consumer becomes more tech savvy, so does the criminal. To paraphrase the oft-used quote, "eternal vigilance is the price of online freedom." More productivity and possibilities come with more risk. So follow these rules:

When it comes to online offers: If it is too good to be true, then it probably is.
When it comes to malware: Trust your gut, if it smells fishy, throw it back in the sea, quickly.
When it comes to data theft: Encrypt, encrypt, encrypt.

A special thanks to our friends at SingleHop for helping raise awareness about NCSAM.


Homomorphic Encryption is Cool, and You Should NOT Use It


The academic cryptographic community has been very inventive lately and we are seeing some promising new encryption technologies start to emerge. Format preserving encryption is moving through a standards track at the National Institute of Standards and Technology (NIST) and I think we will see one or more of the proposed FFX modes of encryption achieve standards status soon.

Homomorphic encryption is also a promising encryption approach that allows for various operations on encrypted (ciphertext) values without having to first decrypt the value. That’s pretty cool. There are a number of cryptographers working on approaches to homomorphic encryption, but at this point there is no clear consensus on the right approach. I suspect that some consensus on the best approach will emerge, but it may take some time for this to happen. Cryptography is hard, and it needs time for proper examination and analysis of both mathematical and implementation strengths and weaknesses before its adoption in commercial systems. We need to give the cryptographic community time to do their work.
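To make concrete what “operations on encrypted values” means, here is an added toy implementation of the Paillier cryptosystem, which is additively homomorphic: you can add two encrypted numbers, or scale one by a known constant, without the private key. This is example code written for this post, not code from the post or from Townsend Security; the primes are constructed toy values far too small for any real use, and the final check illustrates the malleability that comes with the homomorphic property.

```python
import secrets
from math import gcd


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def is_prime(n: int) -> bool:
    """Trial division; only adequate for the small toy primes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def _L(x: int, n: int) -> int:
    """The L function from the Paillier paper: L(x) = (x - 1) / n."""
    return (x - 1) // n


def keygen(p: int, q: int):
    """Build a Paillier key pair from two distinct primes.

    Returns ((n, g), (lambda, mu)); (n, g) is public, (lambda, mu) is private.
    """
    assert is_prime(p) and is_prime(q) and p != q
    n = p * q
    lam = lcm(p - 1, q - 1)
    g = n + 1  # standard simplification of the generator
    # With g = n + 1, g^lambda mod n^2 = 1 + lambda*n, so L(...) = lambda mod n.
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m: int) -> int:
    """Randomised encryption: the same plaintext yields different ciphertexts."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    n, _ = pub
    lam, mu = priv
    return (_L(pow(c, lam, n * n), n) * mu) % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """E(m1) * E(m2) mod n^2 decrypts to m1 + m2: the additive homomorphism."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c: int, k: int) -> int:
    """E(m)^k mod n^2 decrypts to k * m: scaling by a known constant."""
    n, _ = pub
    return pow(c, k, n * n)


def demo() -> dict:
    """Sum encrypted salaries without the private key, then decrypt once."""
    pub, priv = keygen(104723, 104729)  # constructed toy primes (9999th and 10000th primes)
    salaries = [52000, 61000, 47500]  # constructed sample plaintexts
    cts = [encrypt(pub, s) for s in salaries]
    total_ct = cts[0]
    for c in cts[1:]:
        total_ct = add_encrypted(pub, total_ct, c)
    doubled_ct = scale_encrypted(pub, cts[0], 2)
    # Caveat for defenders: because ciphertexts are malleable by design, anyone with the
    # public key can shift the hidden plaintext (here by 1000) without the holder of the
    # private key noticing. Integrity has to come from a separate mechanism such as a MAC.
    tampered_ct = add_encrypted(pub, cts[0], encrypt(pub, 1000))
    return {
        "sum": decrypt(pub, priv, total_ct),
        "doubled": decrypt(pub, priv, doubled_ct),
        "tampered": decrypt(pub, priv, tampered_ct),
        "distinct_ciphertexts": len(set(cts)) == len(cts),
    }


if __name__ == "__main__":
    print(demo())
```

Note that this scheme supports only addition and scaling; multiplying two encrypted values requires a different (fully homomorphic) construction, which is the area where consensus is still lacking.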

If homomorphic encryption is cool, why not use it?

It has not achieved wide review and acceptance
While there is promising work on homomorphic encryption, there is no clear consensus on the best method or implementation approach. Typically a new cryptographic method will not get a full review from the cryptographic community until there is some consensus, and not until a standards body takes up the new method in a formal review process. There are a large number of potentially good encryption methods that have been thoroughly reviewed by the professional cryptographic community but which have not achieved the status of an approved standard.

Homomorphic encryption has not yet been through this process and it is too early to trust any current proposals or implementations.

It is not a standard
Standards are important in the encryption world. Standard encryption algorithms receive the full scrutiny of the professional cryptographic community and we all benefit from this. Weaknesses are discovered much faster, weak implementations are identified, and we all have much more confidence in encryption based on standards. The Advanced Encryption Standard (AES) has stood the test of time since its adoption by NIST in 2001.

Homomorphic encryption has not yet achieved the status of an accepted and published standard.

Note: Mathematical proofs do not a standard make. They are required as a part of the standards review and adoption process, but mathematical proofs alone do not rise to a level of an accepted standard. Claims to the contrary are false.

It cannot be certified by a standards body
Since homomorphic encryption is not a standard, there is no independent standards body process to validate a vendor’s implementation. This is important - in an early study by NIST of encryption solutions submitted for validation, nearly 37% of the solutions contained errors in the implementation and failed validation. The failure rate for implementations of homomorphic encryption is likely as high, and is unknowable. All serious vendors of encryption technology have validated their AES implementations to the FIPS 197 standard through the NIST AES validation process.

No similar standards validation process exists for homomorphic encryption.

It cannot achieve FIPS 140-2 validation
Encryption key management solutions are cryptographic modules and can be validated to the FIPS 140-2 standard. NIST has established a validation process through a number of chartered test labs. All serious vendors of encryption and key management solutions validate their products through this process. One of the first steps in key management FIPS 140-2 validation is validation of the encryption methods used by the key manager. The approved encryption methods are documented in Annex A of FIPS 140-2.

Homomorphic encryption is not an approved encryption method and cannot be validated to FIPS 140-2 at this point. Any representation that homomorphic encryption or key management systems implemented with it are “FIPS 140-2 compliant” is false.

Intellectual property claims are not resolved
Organizations large and small are rightfully concerned about violating patents and other intellectual property claims on information technology. At the present time there are multiple vendors claiming patents on homomorphic encryption techniques. Most encryption methods that have been adopted as standards are free of these types of IP claims, but homomorphic encryption is not free of them.

Organizations would be wise to be cautious about deploying homomorphic encryption until the patent and intellectual property issues are clearer.

Compliance regulations prohibit its use
Many compliance regulations such as PCI-DSS, HIPAA/HITECH, FISMA, and others are clear that only encryption based on industry standards meet minimal requirements. Standards bodies such as NIST, ISO, and ANSI have published standards for a variety of encryption methods including the Advanced Encryption Standard (AES).

Homomorphic encryption is not a standard and it is difficult to imagine that it could meet the minimum requirements of these and other compliance regulations.

Summary
Homomorphic encryption is a promising new cryptographic method, and I hope that the cryptographic community continues to work on it and that standards bodies eventually adopt it with a proper validation process. We just aren’t there yet.


Why Encrypt Data in Your Drupal Websites?


The internet has become a portal for the transmission and storage of sensitive data. Most websites today gather information from potential or current customers, clients, and users. From credit card numbers to email addresses and passwords, few websites exist today that don’t collect some sort of personal data. Website developers are therefore becoming more and more interested in learning how to build websites that can easily encrypt the sensitive data their clients’ websites collect.

Encryption isn’t as widely used at the application and module level in websites as it should be. Protecting sensitive data with strong encryption from the moment a website accepts a customer’s information, and throughout transmission and storage of that data, is the most reliable way to limit what an attacker gains when other controls fail. This is critical for websites using commerce modules or forms that collect a person’s health information, financial information, or other personally identifiable information (PII), and for businesses that wish to avoid a data breach.

As Drupal grows and more Drupal developers are beginning to interact with larger clients, the need to provide strong security to those businesses grows as well. The need for encryption will continue to grow as potential clients ask Drupal developers for standards-based security solutions that will help them meet compliance regulations and mitigate risk.

  • Government websites, for example, will need to pass FISMA regulations around encryption.
  • Large retail websites will need to pass Payment Card Industry Data Security Standards (PCI DSS).
  • Colleges and universities have multiple compliance requirements, including FERPA, to adhere to.

Helping clients meet compliance regulations will, in some cases, also require encryption key management. Historically, developers had only three choices for encryption key storage: a protected file on the server, the Drupal database, or Drupal’s settings file. None of these options is secure, because all three put the key on the same host, under the same file permissions, as the data it protects: anyone who can read the database or the web root can read both. None of them would meet several compliance regulations or general security best practices.

Encryption key management is more than a “key storage” solution. An encryption key manager protects encryption keys on a separate server (in the cloud, on a physical Hardware Security Module (HSM), or in a VMware virtual environment) that implements control layers such as dual control and separation of duties. An encryption key manager manages encryption key creation, deletion, lifecycle, rollover, and archival. Key managers that are FIPS 140-2 validated have been tested by an accredited lab against NIST’s standard and are listed with a certificate number; ask for that number rather than accepting a bare “compliant” claim. Choosing an encryption and key management solution based on standards helps ensure your solution will stand up to scrutiny in the event of a breach.

If you are a Drupal developer, you can now join the Townsend Security Drupal Developer Program, work with our encryption and key management technology free of charge, and learn how to secure sensitive data in Drupal for your clients concerned with security.

Using Key Connection for Drupal, the first encryption & encryption key management module, Drupal developers can now build NIST compliant AES encryption and FIPS 140-2 compliant encryption key management into their Drupal websites.  

Just click below to sign up:


Are You Turning a Blind Eye to Data Security in Your Business?


It seems like everyday there is a new data breach in the news.

From malicious hackers to unintentional employee mistakes, loss of sensitive data is skyrocketing. Risk management has brought the data breach issue out of the IT department and into the offices of enterprise executives. Data loss is considered such a critical issue that encryption and encryption key management are mandated by many industry compliance regulations and are mandated or strongly incentivized by state and federal law: many state breach-notification laws exempt properly encrypted data from notification requirements.

Here are a few key thoughts to consider:

5 Misconceptions About Data Security That Put You At Risk

1   If we have a breach, we’ll just pay the fine.

In many cases there will be fines for a data breach, but it is only a small part of the total cost. The cost of a breach also typically includes a forensics investigation, credit monitoring for customers, lost sales due to brand damage, and litigation costs.

2   We’ve never had a problem, so things are probably OK.

This type of thinking is not a form of risk assessment. Since data breaches often take months to discover, you may not know that a breach has already occurred. Wishful thinking won’t help you prevent a breach.

3   My software vendors and consultants say they have everything under control.

Today, many software vendors have not moved quickly enough to add encryption to their core products. It is not wise to rely on vague statements about data security from vendors and consultants. Make sure their solutions have been through a NIST FIPS 140-2 validation, using best practices, and based on industry standards such as AES.

4   My IT staff says we’ve done everything we can.

IT departments may not have the resources or management directives they need to accurately assess and address data security issues. Meeting management’s goals and objectives within a set of operational and budgetary constraints is not the same as meeting security best practices.

5   We are encrypting our data, we are doing everything we should.

If you are encrypting your sensitive data, you’ve already made a good step forward. Do you know how and where your encryption keys are stored? Making sure your keys are not stored with your data is only the first step.  Good key management practices will truly protect your data.

5 Steps to Take to Reduce Security Risk

1   Talk About It

Discuss the importance of data security as it relates to risk management with all members of the organization’s leadership team. Data security is an ongoing process that involves every member of the organization, and will extend beyond your organization’s boundaries to vendors and service providers. Responsibility for data security belongs to everyone.

2   Assess Your Current Data Security Posture

If you have not had an external audit and assessment of your organization’s data security practices by a qualified security professional, now is the time to start. Begin with a data security assessment by an in-house consultant, security audit firm, or platform vendor to evaluate your current security posture. Then find every location where sensitive data lives, and evaluate how each copy is protected, including the copies on your backup tapes. The right security assessor will help you identify the most urgent problems and prioritize your efforts.

3   Invest in Encryption and Key Management

When you have located sensitive data that is not encrypted, start a project to encrypt it now. Don’t forget to invest in the necessary encryption key management devices to protect the encryption keys. If your risk assessment warrants, provide budgetary exceptions to address the problem. Invest where you need to, as soon as you can. When choosing an encryption and key management solution make sure it uses industry standard NIST compliant encryption and FIPS 140-2 compliant key management.

4   Strengthen your technology acquisition processes

Every organization relies on off-the-shelf software solutions to manage and run their business operations. If your core applications do not provide encryption and key management to protect data, put your vendors on notice that they must address this issue immediately, and ask for updates. All new technology acquisitions should incorporate data security requirements into the RFP process.

5   Create ongoing review processes and procedural controls

Performing one security assessment or passing one compliance audit will not provide the focus and attention needed to protect you from a data breach over time. You must conduct routine vulnerability scans and create processes and review points within the organization to ensure that you continue to monitor your security stance. Use good procedural controls to minimize the chances of fraud. Implement dual control and separation of duties to achieve a defensible data security stance.

To learn more, download the eBook, "Turning a Blind Eye to Data Security: Mending the Breakdown of Communication Between CEOs and CIOs", and authors Kevin Beaver, CISSP, Patrick Townsend, and Todd Ostrander will teach you about:

  • Business risks associated with unprotected sensitive data 
  • Tools and resources to begin the discussion about data security in your company 
  • Actionable steps YOU can take

Download the ebook today!  


Want to Get Bigger Clients? Give Them Encryption & They Will Come


Business leaders are becoming more and more afraid of an impending data breach. Most IT security professionals agree that a data breach is no longer a matter of “if” but “when.” While major enterprises are now scrambling to implement strong encryption and encryption key management to protect customer data, for many companies, like Target and Home Depot, these efforts are too little, too late.

These medium to large enterprise-sized businesses are now holding their vendors and partners to a higher security standard. As a B2B organization that would like to onboard these larger clients, you should consider learning how to implement strong data security in your hardware, software, and cloud applications.

Encryption is one of the best-kept secrets of companies that have prevented or mitigated the consequences of a data breach. Because encryption renders data unreadable, unauthorized access to that data is useless to the person who obtains it. If the encryption key is adequately protected and not obtained by the intruder, the stolen data cannot be decrypted and the breach is contained. Encryption and encryption key management are the most defensible technologies for data breach protection.

Today encryption and encryption key management are as easy as launching an AMI in Amazon Web Services (AWS) in just a few minutes. Developers can now launch Townsend Security’s key manager, Alliance Key Manager (AKM), in AWS, Microsoft Azure, or VMware and receive up to two free licenses to develop and test encryption and key management in their applications. Alliance Key Manager is FIPS 140-2 compliant and provides NIST compliant AES encryption services on the key server itself, so that encryption keys never leave it.

Businesses are not only concerned with risk management. Meeting compliance using standards-based solutions is also a critical piece to building defensible data security. Especially for government organizations that must comply with FISMA, many CIOs and CTOs won’t even consider an encryption or key management solution that hasn’t undergone NIST certification.

The importance of NIST compliance is far-reaching. Implementing a solution that meets an industry standard means that your solution will stand up to scrutiny in the event of a breach. NIST-validated encryption and key management have been tested by an accredited lab against the FIPS 140-2 requirements for cryptographic modules rather than against a vendor’s own description of its product. Can meeting compliance regulations still be a low bar? Of course, but following standards and then implementing accepted best practices is the only way to meet compliance and achieve the highest levels of security.

With the Townsend Security Developer Program, you can develop applications that not only meet compliance requirements but exceed them to give your clients the highest levels of security, win enterprise clients that you haven’t been able to work with before, and gain access to a host of Townsend Security APIs designed for easy integration into new development projects.

Language libraries we provide for Alliance Key Manager include: Java, C/C++, Windows .NET application source code, Perl, and Python. Also available are client side applications for SQL Server and Drupal CMS.

To learn more and to join our Developer Program, click here.


How To Meet PCI DSS Compliance With VMware


Take the right steps to meet compliance in a virtualized environment

With executives looking to conserve resources by moving their organizations’ databases and IT environments to virtualized platforms and to the cloud, there are concerns around virtualized environments. Security best practices and compliance regulations call for sensitive data to be protected with encryption, for data-encrypting keys (DEKs) to be physically or logically separated from the sensitive data, and for the DEKs themselves to be protected with strong key-encrypting keys (KEKs). Depending on what type of information is being stored and what industry guidance your project or company falls under, compliance regulations in addition to PCI DSS may apply.
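The DEK/KEK separation described here and the Drupal post’s warning above about keys kept in a protected file, the Drupal database, or settings.php come down to the same design: envelope encryption, where the application persists only a DEK wrapped under a KEK that lives in a separate key manager. The following Go program is an added illustration written for this page, not code from Townsend Security, Alliance Key Manager, or any Drupal module; the `KeyServer` type is a stand-in for a key manager in its own trust boundary, the KEK version numbers are invented, and the sample record text is constructed. It shows the point the rollover and archival language in the Drupal post only hints at: rotating the KEK re-wraps a few dozen bytes per record and never touches the bulk ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what the application persists: the DEK is stored only wrapped
// under a KEK, so a copied database or settings file is useless by itself.
type Record struct {
	KEKVersion int
	WrappedDEK []byte // DEK sealed under the KEK (AES-256-GCM, nonce prefixed)
	Ciphertext []byte // data sealed under the DEK (AES-256-GCM, nonce prefixed)
}

// KeyServer stands in for a key manager in its own trust boundary (HSM,
// appliance or VM): KEKs never leave it, callers only get Wrap and Unwrap.
// Call Rollover once before the first Wrap.
type KeyServer struct{ keks [][]byte } // index = KEK version, last = current

// Rollover adds a fresh KEK and makes it current; older versions stay
// archived so records wrapped under them remain readable until re-wrapped.
func (ks *KeyServer) Rollover() int {
	ks.keks = append(ks.keks, random(32))
	return len(ks.keks) - 1
}

// Wrap binds the blob to its KEK version through the GCM aad, so a wrapped
// DEK cannot be presented under a different KEK.
func (ks *KeyServer) Wrap(dek []byte) (int, []byte) {
	v := len(ks.keks) - 1
	return v, seal(newAEAD(ks.keks[v]), dek, aad(v))
}

func (ks *KeyServer) Unwrap(v int, wrapped []byte) ([]byte, error) {
	if v < 0 || v >= len(ks.keks) {
		return nil, errors.New("unknown KEK version")
	}
	return open(newAEAD(ks.keks[v]), wrapped, aad(v))
}

func aad(v int) []byte { return []byte(fmt.Sprint("kek-", v)) }

// Encrypt makes a per-record DEK, seals the data under it, has the key
// server wrap the DEK, and keeps no plaintext copy of the DEK.
func Encrypt(ks *KeyServer, plaintext []byte) *Record {
	dek := random(32)
	v, wrapped := ks.Wrap(dek)
	return &Record{KEKVersion: v, WrappedDEK: wrapped, Ciphertext: seal(newAEAD(dek), plaintext, nil)}
}

func Decrypt(ks *KeyServer, r *Record) ([]byte, error) {
	dek, err := ks.Unwrap(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(newAEAD(dek), r.Ciphertext, nil)
}

// Rewrap moves a record to the current KEK after a rollover: only the small
// wrapped-DEK blob changes, the bulk ciphertext is never touched.
func Rewrap(ks *KeyServer, r *Record) error {
	dek, err := ks.Unwrap(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return err
	}
	r.KEKVersion, r.WrappedDEK = ks.Wrap(dek)
	return nil
}

// seal and open prefix a random 96-bit nonce to the GCM output.
func seal(gcm cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(gcm cipher.AEAD, blob, aad []byte) ([]byte, error) {
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys here are always 32 bytes, so this is a bug
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block
	return gcm
}

func random(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand does not fail on a supported platform
	return b
}
```

Use it as: `ks := &KeyServer{}`, `ks.Rollover()`, then `Encrypt` and `Decrypt` as needed; after a later `ks.Rollover()`, every existing record still decrypts because the old KEK is archived, and `Rewrap` moves records to the new KEK at leisure. The two failure modes worth noting are that a modified wrapped DEK is rejected by the GCM tag before any data is touched, and that a blob wrapped under one KEK version cannot be opened under another, because the version is part of the authenticated data.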

The Payment Card Industry Data Security Standard (PCI DSS) is one of the most rigorous and specific sets of standards established to date and is used by many organizations as a baseline for securing their systems. PCI DSS applies to all organizations that store, process, or transmit cardholder data, regardless of volume. This includes merchants, service providers, payment gateways, data centers, and outsourced service providers.

Here is a high level look at all twelve items that must be met in order to be compliant, with three new requirements in PCI DSS 3.0 (**) that warrant mentioning as being most relevant to the use of VMware and cloud technologies in a PCI-regulated infrastructure:

Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
(3.0)** Req. 1.1.3: "[Maintain a] current diagram that shows all cardholder data flows across systems and networks."

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
(3.0)** Req. 2.4: "Maintain an inventory of system components that are in scope for PCI DSS."

Protect Cardholder Data

Requirement 3: Protect stored cardholder data*

* Requirement 3 specifically addresses the need for encryption and key management, stating:

“Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.”

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel
(3.0)** Req. 12.8.5: "Maintain information about which PCI DSS requirements are managed by each service provider and which are managed by the entity."

It can seem overwhelming at first, but the PCI Security Standards Council (PCI SSC) website contains this documentation along with a number of additional resources to assist organizations with their PCI DSS assessments and validations. Within the latest documentation from the PCI Security Standards Council (v3.0, released November 2013), specific testing procedures and guidance for Requirement 3 are given on pages 34-43.
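Requirement 3’s list of protection methods (truncation, masking, hashing) hides a trap that neither the quoted text nor the guidance spells out: a truncated PAN and an unkeyed hash of the full PAN stored in the same system let an attacker recover the PAN by brute force, because the BIN and last four digits are visible and the Luhn check discards most of the remaining candidates. The Go program below is an added example written for this page, not code from Townsend Security or the PCI SSC; the PAN is the well-known constructed Visa test number, and the HMAC key is a placeholder for a secret that would live in the key manager. It implements the truncation, runs the correlation attack against the unkeyed hash, and shows that the keyed hash gives the same search nothing to match.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// luhnValid reports whether a digit string passes the Luhn check. Every real
// PAN does, which is what shrinks the attacker's search space below.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i]) - '0'
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Truncate keeps the first six and last four digits, the most PCI DSS allows
// to be displayed, and masks everything in between.
func Truncate(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || !luhnValid(pan) {
		return "", errors.New("not a well-formed PAN")
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:], nil
}

// UnkeyedHash is the lookup token many systems store next to the truncated
// PAN on the assumption that SHA-256 cannot be reversed.
func UnkeyedHash(pan string) string {
	sum := sha256.Sum256([]byte(pan))
	return hex.EncodeToString(sum[:])
}

// KeyedHash ties the token to a secret that belongs in the key manager;
// without that secret the search in RecoverPAN has nothing to compare against.
func KeyedHash(key []byte, pan string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil))
}

// RecoverPAN is the correlation attack: given the truncated form and an
// unkeyed hash of the same PAN, enumerate the masked digits, skip candidates
// that fail Luhn, and hash the rest until one matches. It returns the PAN,
// the number of hashes computed, and whether the search succeeded.
func RecoverPAN(truncated, hash string) (string, int, bool) {
	hidden := strings.Count(truncated, "*")
	prefix, suffix := truncated[:6], truncated[len(truncated)-4:]
	limit := 1
	for i := 0; i < hidden; i++ {
		limit *= 10
	}
	hashes := 0
	for n := 0; n < limit; n++ {
		mid := strconv.Itoa(n)
		cand := prefix + strings.Repeat("0", hidden-len(mid)) + mid + suffix
		if !luhnValid(cand) {
			continue
		}
		hashes++
		if UnkeyedHash(cand) == hash {
			return cand, hashes, true
		}
	}
	return "", hashes, false
}

func main() {
	pan := "4111111111111111" // constructed test number, not a real card
	truncated, _ := Truncate(pan)
	got, hashes, ok := RecoverPAN(truncated, UnkeyedHash(pan))
	fmt.Printf("%s -> %s after %d hashes (recovered: %v)\n", truncated, got, hashes, ok)
	_, hashes, ok = RecoverPAN(truncated, KeyedHash([]byte("placeholder key"), pan))
	fmt.Printf("keyed hash: recovered=%v after %d hashes\n", ok, hashes)
}
```

For a 16-digit PAN the six masked digits give a million candidates, of which roughly a tenth survive the Luhn check, so the whole search is about a hundred thousand SHA-256 computations and finishes in well under a second on a laptop. The defence is not a slower hash but removing the attacker’s reference: use a keyed hash (or a token from a vault) whose key is held in the key manager, and never let one credential read both the truncated and the hashed form of the same PAN.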

Fortunately, there are also standards and published guidance on running payment applications in a virtualized environment:

Payment Card Industry Data Security Standard: Virtualization Guidelines and Cloud Computing Guidelines

NIST SP 800-144: Guidelines on Security and Privacy in Cloud Computing

Cloud Security Alliance: Security Guidance for Critical Areas of Focus in Cloud Computing

While virtual technology is not limited to VMware, it is one of the most commonly used and supported architectures by many cloud service providers. In addition to the PCI compliance and cloud guidelines above, VMware worked with CoalFire, a QSA auditing firm, to create guidance on how to specifically deploy payment applications in a VMware environment. You can access the CoalFire document from the VMware website here.

As platform virtualization becomes a more popular solution, executives need to remain vigilant with their data security and meeting compliance requirements. We can help make the transition to VMware easy with our Alliance Key Manager for VMware solution, which meets the PCI recommendations when deployed properly in a VMware environment. We are committed to helping businesses protect sensitive data with industry standard NIST compliant AES encryption and FIPS 140-2 compliant encryption key management solutions.


To learn more about enterprise key management for VMware and vCloud, download our podcast "Virtualized Encryption Key Management".
