ENCRYPTION KEY MANAGEMENT SIMPLIFIED: A BEGINNER’S GUIDE TO ENCRYPTION KEY MANAGEMENT

Dec 18, 2021


dariahiddleston

IS THIS eBOOK RIGHT FOR ME?

Not sure if this is the right eBook for you? Check the following qualifications to make sure this eBook will get you the right information:

• YOUR COMPANY MUST MEET COMPLIANCE REGULATIONS AND PASS DATA SECURITY AUDITS

• YOU ARE STARTING AN ENCRYPTION PROJECT AND WANT TO LEARN MORE ABOUT ENCRYPTION KEY MANAGEMENT

• YOU ARE ALREADY ENCRYPTING BUT ARE NOT SURE IF YOU ARE USING KEY MANAGEMENT BEST PRACTICES


WHAT IS ENCRYPTION KEY MANAGEMENT?

The most important part of a data encryption strategy is the protection of the encryption keys you use. Encryption keys are the real secret that protects your data, and key management is the special province of security companies who create encryption key hardware security modules (HSMs) for this purpose. These systems are a combination of hardware and software specifically designed to create and manage encryption keys, and to restrict their use to authorized users and applications. Key management HSMs also incorporate a variety of security techniques to thwart unauthorized access, report on suspicious system activity, and mirror critical information to backup servers for high availability.


KEY MANAGEMENT BEST PRACTICES

Because encryption key management is crucial to data protection, the National Institute of Standards and Technology (NIST) provides guidelines on best practices for key management and a cryptographic module certification program.

The NIST Special Publication SP-800-57 provides recommendations for encryption key management. Additionally, NIST publishes standards for cryptographic systems in the Federal Information Processing Standards 140-2 (FIPS 140-2). Key management vendors can have their solutions certified by NIST to the FIPS 140-2 standard, and this certification is required for Federal agencies.

These best practices are recognized by federal and industry standards as critical steps to building a strong encryption and key management solution.

1. Dual Control means that no one person should be able to manage your encryption keys. Creating, distributing, and defining access controls should require at least two individuals working together to accomplish the task.

2. Separation of Duties means that different people should control different aspects of your key management strategy. This is the old adage “don’t put your eggs in one basket.” The person who creates and manages the keys should not have access to the data they protect. And the person with access to protected data should not be able to manage encryption keys.

3. Split Knowledge applies to the manual generation of encryption keys, or at any point where encryption keys are available in the clear. More than one person should be required to constitute or reconstitute a key in this situation.
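Split knowledge and dual control from the list above, shown as an added example (not taken from the guide or from any vendor's product): a key is divided into XOR components so that no single custodian ever holds it in the clear, and it is rebuilt only when every custodian supplies a component. The custodian names and the HMAC-based check value are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def check_value(key: bytes) -> str:
    # Assumption: a truncated HMAC-SHA256 stands in for an HSM's key check
    # value, so a rebuilt key can be confirmed without displaying it.
    return hmac.new(key, b"key-check-value", hashlib.sha256).hexdigest()[:8]


def split_key(key: bytes, custodians: list) -> dict:
    """Return one XOR component per custodian; all are needed to rebuild."""
    if len(custodians) < 2 or len(set(custodians)) != len(custodians):
        raise ValueError("need at least two distinct custodians")
    # Every component except the last is pure randomness.
    parts = {name: secrets.token_bytes(len(key)) for name in custodians[:-1]}
    # The last component is the key XORed with all of the random ones.
    parts[custodians[-1]] = reduce(xor_bytes, parts.values(), key)
    return parts


def reconstitute(supplied: dict, required: set, expected_kcv: str) -> bytes:
    """Rebuild the key only if every required custodian supplied a component."""
    missing = required - set(supplied)
    if missing:
        raise PermissionError(f"missing components from {sorted(missing)}")
    key = reduce(xor_bytes, (supplied[name] for name in required))
    if not hmac.compare_digest(check_value(key), expected_kcv):
        raise ValueError("check value mismatch: wrong or altered component")
    return key


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed 256-bit key
    officers = ["officer_a", "officer_b"]    # hypothetical custodians
    parts = split_key(key, officers)
    kcv = check_value(key)
    print("rebuilt:", reconstitute(parts, set(officers), kcv) == key)
    try:
        reconstitute({"officer_a": parts["officer_a"]}, set(officers), kcv)
    except PermissionError as err:
        print("refused:", err)
```

Because each component on its own is indistinguishable from random bytes, a custodian who leaks or loses one component discloses nothing about the key.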


Q: WHAT ARE THE PRACTICAL IMPLICATIONS OF THESE BEST PRACTICES AND CORE CONCEPTS?

The practical implications of these best practices fall to the system administrators. On all major operating systems such as Linux, Windows, and IBM i (AS/400) there is one individual who has the authority to manage all processes and files on the system. This is the Administrator on Windows, the root user on Linux and UNIX, and the security officer on the IBM i platform. In fact, there are usually multiple people who have this level of authority.

When there are so many authorized users and no protection of keys, the data is at a very high risk. That’s why storing encryption keys on the same system where the protected data resides violates all of the core principles of data protection, and that’s why we are seeing auditors and payment networks reject this approach.

Q: WHY IS INTEGRATED KEY MANAGEMENT A BEST PRACTICE ‘RED FLAG’?

‘Integrated key management’ is a term of art that refers to storing an encryption key on the same platform where the encrypted data is stored. It is impossible to use key management best practices when you are storing encryption keys with the encrypted data, and doing this also makes it impossible to meet some compliance requirements such as PCI-DSS Section 3. Dual control, separation of duties, and split knowledge can only be achieved using an external key manager HSM.


IMPORTANT CERTIFICATIONS

The National Institute of Standards and Technology (NIST) issues non-military government standards for a wide variety of technologies including data encryption and encryption key management. Because NIST uses an open and professional process to establish standards, the private sector usually adopts NIST standards for commercial use. NIST is one of the most trusted sources for technology standards. You should always look for an encryption and key management solution that is NIST-certified.

ENCRYPTION CERTIFICATIONS

Established by NIST as the highest standard for encryption, the most widely accepted cryptographic standard is the Advanced Encryption Standard (AES). AES supports nine modes of encryption, and NIST defines three key sizes for encryption: 128-bit, 192-bit, and 256-bit keys.

KEY MANAGEMENT CERTIFICATIONS

The highest standard for encryption key management is the Federal Information Processing Standard (FIPS) issued by NIST. A key management hardware security module (HSM) with a FIPS 140-2 certification will offer the highest level of compliance for your company.

MEET COMPLIANCE REQUIREMENTS

Data security compliance regulations exist in order to protect personal and sensitive information that businesses handle on a regular basis. Cyber crime and identity theft are on the rise in today’s electronic world, and these regulations are designed to help protect consumers against these threats.

Currently, the network of compliance regulations is fragmented across multiple regulating organizations. Some of them are government based and some are private industry based. Common regulations that all organizations are likely to run into are:

Payment Card Industry Data Security Standards (PCI DSS)

If you take or process credit card information, you fall under PCI DSS standards. This means that you must encrypt credit card information when it is at rest or in motion and protect encryption keys in accordance with Section 3. You also must implement encryption key management that uses proper dual control and separation of duties. PCI DSS also requires periodic encryption key rotation.

Gramm-Leach-Bliley Act and Federal Financial Institutions Examination Council (GLBA and FFIEC)

The Gramm-Leach-Bliley Act and Federal Financial Institutions Examination Council regulate data security in the financial sector. Under these regulations the financial industry is defined broadly and certainly includes banks, but also covers credit reporting agencies and other financial institutions. FFIEC is tasked with conducting audits and making sure banks line up with regulations, which have a strong focus on protecting consumer information. One statement they make in their documentation is that effective and proper key management based on industry standards is crucial.

Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH)

If your company operates in the medical sector, which is any organization defined as a covered entity within the HIPAA act, you fall under HIPAA/HITECH data security regulations. The HITECH act of 2009 strengthened HIPAA regulations tremendously by referring to NIST for encryption standards, best practices of encryption key management, and the collection of system logs.

Although there is no mandate by HHS and HIPAA/HITECH that you must encrypt patient information, there is a “back door” mandate that in the event of a data breach, all covered entities must report the breach to HHS. The only safe harbor from breach notification and potential fines is to be properly encrypting data.

Federal and State Laws

Currently 44 out of 50 states have data privacy regulations. Many organizations are unaware of their own state’s data privacy laws, or assume those laws do not apply to them, when in fact they almost always do.

Apart from the data security standards listed above, there is currently a proposed federal privacy law working through Congress. It is safe to assume that a new federal data privacy law will be enacted soon.

Ultimately, regulations are becoming more stringent, not less. Fines and penalties are getting steeper, not cheaper. And certifications are becoming more important, not less important. Even more critical is the fact that these regulators recommend or require that you use industry standard, NIST and FIPS 140-2 certified key management and encryption. Without these credentials, your company may not be compliant.

Sarbanes-Oxley (SOX)

Any publicly traded company in the United States falls under SOX regulations. There has been quite an increase in the focus on data privacy by SOX auditors, particularly encryption key management and system logging. From the beginning SOX auditors have held IT departments to high standards in terms of best practices and proper control of data. This increased focus on data protection has developed within the last 12 months or so. Several of our customers have told us they’ve been penalized for their insufficient encryption key management strategy by SOX auditors.


KEY MANAGEMENT FOR EVERY PLATFORM

Key management is a necessary part of encryption and compliance, and you should be able to use key management on every platform including multi-platform environments. Some major platforms including Microsoft SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, and IBM i V7R1 support easy and automatic encryption with the ability to use a third-party key manager. Encryption and key management can also be enabled on Oracle, Linux, DB2, and Windows.

In this section we’ll discuss encryption key management on two popular platforms: Microsoft SQL Server 2008/2012 and IBM i.


ENCRYPTION KEY MANAGEMENT FOR SQL SERVER 2008/2012

ORGANIZATIONS CONTINUE TO EXPERIENCE DAMAGING LOSSES DUE TO DATA BREACHES. These losses include legal costs, costs to reimburse customers and employees, lost stakeholder value, and reduction of goodwill. Estimates of these financial losses range into the billions of dollars every year. This section highlights excerpts from the White Paper, ENCRYPTION KEY MANAGEMENT FOR SQL SERVER 2008/2012, and outlines how Microsoft provides for the encryption of sensitive data in its flagship SQL Server database system.

MICROSOFT SQL SERVER 2008/2012 EXTENSIBLE KEY MANAGEMENT

Recognizing the importance of proper key management for data security, Microsoft implemented extensible key management (EKM) in SQL Server 2008. EKM is both a new architecture for encryption key management services, and a new interface for third party key managers. While EKM provides for local, on-server management of encryption keys, Microsoft and third party security professionals recommend the use of external key management HSMs.

TRANSPARENT DATA ENCRYPTION

Transparent Data Encryption, or TDE, is a part of the Microsoft SQL Server Extensible Key Management system. When implemented, TDE encrypts the entire database table space providing security for the entire database. The key management HSM contains the master key that protects the entire table. Many Microsoft customers prefer the TDE approach to protecting data for several reasons:

• It is easy to implement and does not require modification of the application.

• The key that protects the database never leaves the HSM, providing better security.

• The impact on performance is smaller than other alternatives.

Using TDE with a key management HSM provides customers with comprehensive data protection; it matches the best practice recommendations of security professionals and compliance auditors; performance impacts are minimal; and it is the easiest and least expensive solution to implement.


EXTENSIBLE KEY MANAGEMENT (EKM) AND KEY MANAGER SECURE CONNECTIONS WITH TLS

Key management best practices require that encryption keys be protected at all times and not be exposed to loss as they move from the key server HSM to the SQL Server application.

A good key manager should use authenticated and secure Transport Layer Security (TLS) communications and standard PKI methods to ensure that critical information is protected as it moves to and from the key server. Your organization can use existing PKI infrastructure to create the necessary X.509 certificates and private keys used to protect TLS sessions, or you can use OpenSSL to generate the necessary certificates and keys. Regardless of the method you use to create the certificates and keys, your key management HSM should always protect encryption keys and sensitive data as they move between SQL Server and the HSM.

CELL LEVEL ENCRYPTION

Cell Level Encryption, or column encryption, is also a part of the Microsoft SQL Server Extensible Key Management system. When implemented, cell level encryption encrypts a single column of a table. Unlike TDE, the Microsoft developer must implement cell level encryption in their SQL statements. For Microsoft customers and ISVs who have legacy applications that perform encryption, this may be the best way to implement data protection in the SQL Server database.


ENCRYPTION KEY MANAGEMENT FOR IBM i

END OF SUPPORT FOR V5R4

On September 30, 2013, IBM will end support for IBM i V5R4. This decision will force their customers running on V5R4 to upgrade to either V6R1 or V7R1. The most notable difference between V6R1 and V7R1 is the new FIELDPROC exit point capability offered exclusively in V7R1. Short for field procedure, FIELDPROC allows a user to identify all fields they wish to encrypt with a third-party automatic AES encryption solution without making application changes.

IBM i V7R1 and FIELDPROC

The newest version of the IBM i operating system, V7R1, brings sophisticated new security tools from IBM’s larger systems to mid-range markets. These new features allow third-party companies such as Townsend Security to offer NIST-certified automatic AES encryption, so that you can now encrypt your sensitive data without application changes.

Encryption key management used in conjunction with FIELDPROC encryption enables IBM i customers to meet compliance mandates such as PCI-DSS.

Encryption is only half of the solution. Without a comprehensive encryption key management plan, an encryption project is still weak and incomplete.

TOWNSEND SECURITY: DEDICATED TO DATA PRIVACY

Townsend Security has earned the trust of over 3,000 customers worldwide with our easy-to-use, affordable, and comprehensive encryption and key management solutions. With over 20 years of experience in the data security industry, Townsend Security has helped some of the largest enterprises meet their evolving compliance requirements (PCI DSS, HIPAA/HITECH, and others) and mitigate the risk of data breaches and cyber-attacks.

Our encryption key management solutions are FIPS 140-2 certified, and our data in motion and data at rest products are certified by NIST.

Townsend Security is committed to both our end-users and partner channel. We provide our partners with Enterprise ready appliances with simplified distribution models that make it easy for OEMs, ISVs, and System Integrators to be successful. Our team is dedicated to providing training, back-end support, and marketing materials to your technical and sales staff and remains accessible long after the training is complete.

Web: www.townsendsecurity.com


Phone: (800) 357-1019 or (360) 359-4400

Twitter: @townsendsecure