ENCRYPTION KEY MANAGEMENT SIMPLIFIED A BEGINNER S GUIDE TO ENCRYPTION KEY MANAGEMENT

Transcription

1 ENCRYPTION KEY MANAGEMENT SIMPLIFIED A BEGINNER S GUIDE TO ENCRYPTION KEY MANAGEMENT

2 IS THIS ebook RIGHT FOR ME? Not sure if this is the right ebook for you? Check the following qualifications to make sure this ebook will get you the right information: YOUR COMPANY MUST MEET COMPLIANCE REGULATIONS AND PASS DATA SECURITY AUDITS YOU ARE STARTING AN ENCRYPTION PROJECT AND WANT TO LEARN MORE ABOUT ENCRYPTION KEY MANAGEMENT YOU ARE ALREADY ENCRYPTING BUT ARE NOT SURE IF YOU ARE USING KEY MANAGEMENT BEST PRACTICES 2

3 CONTENTS 1 WHAT IS ENCRYPTION KEY MANAGEMENT? /4 2 KEY MANAGEMENT BEST PRACTICES /5 3 IMPORTANT CERTIFICATIONS /7 4 MEET COMPLIANCE REQUIREMENTS /8 5 KEY MANAGEMENT FOR EVERY PLATFORM /11 6 ABOUT TOWNSEND SECURITY /15 3

4 WHAT IS ENCRYPTION KEY MANAGEMENT? The most important part of a data encryption strategy is the protection of the encryption keys you use. Encryption keys are the real secret that protects your data, and key management is the special province of security companies who create encryption key hardware security modules (HSMs) for this purpose. These systems are a combination of hardware and software specifically designed to create and manage encryption keys, and to restrict their use to authorized users and applications. Key management HSMs also incorporate a variety of security techniques to thwart unauthorized access, report on suspicious system activity, and mirror critical information to backup servers for high availability. WHAT IS ENCRYPTION KEY MANAGEMENT? WATCH THIS BRIEF VIDEO FEATUREING DATA PRIVACY EXPERT PATRICK TOWNSEND TO FIND OUT IF YOU SHOULD BE USING ENCRYPTION KEY MANAGEMENT TO PROTECT YOUR DATA. 4

5 KEY MANAGEMENT BEST PRACTICES Because encryption key management is crucial to data protection the National Institute of Standards and Technology (NIST) provides guidelines on best practices for key management and a cryptographic module certification program. The NIST Special Publication SP provides recommendations for encryption key management. Additionally, NIST Publishes standards for cryptographic systems in the Federal Information Processing Standards (FIPS 140-2). Key Management vendors can have their solutions certified by NIST to the FIPS standard, and this certification is required for Federal agencies. These best practices are recognized by federal and industry standards as critical steps to building a strong encryption and key management solution Dual Control means that no one person should be able to manage your encryption keys. Creating, distributing, and defining access controls should require at least two individuals working together to accomplish the task. Separation of Duties means that different people should control different aspects of your key management strategy. This is the old adage don t put your eggs in one basket. The person who creates and manages the keys should not have access to the data they protect. And, the person with access to protected data, should not be able to manage encryption keys. Split Knowledge applies to the manual generation of encryption keys, or at any point where encryption keys are available in the clear. More than one person should be required to constitute or reconstitute a key in this situation. 5

6 KEY MANAGEMENT BEST PRACTICES Q WHY IS INTEGRATED KEY MANAGEMENT A BEST PRACTICE RED FLAG? Integrated key management is a term of art that refers to storing an encryption key on the same platform where the encrypted data is stored. It is impossible to use key management best practices when you are storing encryption keys with the encrypted data, and doing this also makes it impossible to meet some compliance requirements such as PCI-DSS Section 3. Dual control, separation of duties, and split knowledge can only be achieved using an external key manager HSM. Q WHAT ARE THE PRACTICAL IMPLICATIONS OF THESE BEST PRACTICES AND CORE CONCEPTS? The practical implications of these best practices fall to the system administrators. On all major operating systems such as Linux, Windows, and IBM i (AS/400) there is one individual who has the authority to manage all processes and files on the system. This is the Administrator on Windows, the root user on Linux and UNIX, and the security officer on the IBM i platform. In fact, there are usually multiple people who have this level of authority. When there are so many authorized users and no protection of keys, the data is at a very high risk. That s why storing encryption keys on the same system where the protected data resides violates all of the core principles of data protection, and that s why we are seeing auditors and payment networks reject this approach. 6

7 IMPORTANT CERTIFICATIONS The National Institute of Standards and Technology (NIST) issues non-military government standards for a wide variety of technologies including data encryption and encryption key management. Because NIST uses an open and professional process to establish standards, the private sector usually adopts NIST standards for commercial use. NIST is one of the most trusted sources for technology standards. You should always look for an encryption and key management solution that is NIST-certified. ENCRYPTION CERTIFICATIONS Established by NIST as the highest standard for encryption, the most widely accepted cryptographic standard is the Advanced Encryption Standard (AES). AES supports nine modes of encryption, and NIST defines three key sizes for encryption: 128-bit, 192-bit, and 256-bit keys. KEY MANAGEMENT CERTIFICATIONS The highest standard for encryption key management is the Federal Information Processing Standard (FIPS) issued by NIST. A key management hardware security module (HSM) with a FIPS certification will offer the highest level of compliance for your company. 7

8 MEET COMPLIANCE REQUIREMENTS Data security compliance regulations exist in order to protect personal and sensitive information that businesses handle on a regular basis. Cyber crime and identity theft are on the rise in today s electronic world, and these regulations are designed to help protect consumers against these threats. Currently, the network of compliance regulations is fragmented across multiple regulating organizations. Some of them are government based and some are private industry based. Common regulations that all organizations are likely to run into are: $ Payment Card Industry Data Security Standards (PCI DSS) If you take or process credit card information, you fall under PCI DSS standards. This means that you must encrypt credit card information when it is at rest or in motion and protect encryption keys in accordance with Section 3. You also must implement encryption key management that uses proper dual control and separation of duties. PCI DSS also requires periodic encryption key rotation. Click Here to Read the Blog: Meet PCI-DSS & HIPAA/HITECH with Key Management for SQL Server 8

9 Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH) If your company operates in the medical sector which is any organization defined as a covered entity within the HIPAA act you fall under HIPAA/HITECH data security regulations. The HITECH act of 2009 strengthened HIPAA regulations tremendously by referring to NIST for encryption standards, best practices of encryption key management, and the collection of system logs. Although there is no mandate by HHS and HIPAA/HITECH that you must encrypt patient information, there is a back door mandate that in the event of a data breach, all covered entities must report the breach to HHS. The only safe harbor from breach notification and potential fines is to be properly encrypting data. $ Gramm-Leach-Bliley Act and Federal Financial Institutions Examination Council (GLBA and FFIEC) The Gramm-Leach-Bliley Act and Federal Financial Institutions Examination Council regulate data security in the financial sector. Under these regulations the financial industry is defined broadly and certainly includes banks, but also covers credit reporting agencies and other financial institutions. FFIEC is tasked with conducting audits and making sure banks line up with regulations, which have a strong focus on protecting consumer information. One statement they make in their documentation is that effective and proper key management based on industry standards is crucial. 9

10 Sarbanes-Oxley (SOX) Any publicly traded company in the United States falls under SOX regulations. There has been quite an increase in the focus on data privacy by SOX auditors--particularly encryption key management and system logging. From the beginning SOX auditors have held IT departments to high standards in terms of best practices and proper control of data. This increased focus on data protection has developed within the last 12 months or so. Several of our customers have told us they ve been penalized for their insufficient encryption key management strategy by SOX auditors. Federal and State Laws Currently 44 out of 50 states have data privacy regulations. Many organizations are unaware of their own state s data privacy laws, or assume those laws do not apply to them, when in fact they almost always do. Apart from the data security standards listed above, there is currently a proposed federal privacy law working through congress. It is safe to assume that a new federal data privacy law will be enacted soon. Ultimately, regulations are becoming more stringent, not less. Fines and penalties are getting steeper, not cheaper. And certifications are becoming more important, not less important. Even more critical is the fact that these regulators recommend or require that you use industry standard, NIST and FIPS certified key management and encryption. Without these credentials, your company may not be compliant. 10

11 KEY MANAGEMENT FOR EVERY PLATFORM Key management is a necessary part of encryption and compliance, and you should be able to use key management on every platform including multi-platform environments. Some major platforms including Microsoft SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, and IBM i V7R1 support easy and automatic encryption with the ability to use a third-party key manager. Encryption and key management can also be enabled on Oracle, Linux, DB2, and Windows. In this section we ll discuss encryption key management on two popular operating systems: Microsoft SQL Server 2008/20012 and IBM i. 11

12 ENCRYPTION KEY MANAGEMENT FOR SQL SERVER 2008/2012 ORGANIZATIONS CONTINUE TO EXPERIENCE DAMAGING LOSSES DUE TO DATA BREACHES. These losses include legal costs, costs to reimburse customers and employees, lost stakeholder value, and reduction of goodwill. The estimate of these financial losses range into the billions of dollars every year. This section highlights excerpts from the White Paper, ENCRYPTION KEY MANAGEMENT FOR SQL SERVER 2008/2012, and outlines how Microsoft provides for the encryption of sensitive data in its flagship SQL Server database system. MICROSOFT SQL SERVER 2008/2012 EXTENSIBLE KEY MANAGEMENT Recognizing the importance of proper key management for data security, Microsoft implemented extensible key management (EKM) in SQL Server EKM is both a new architecture for encryption key management services, and a new interface for third party key managers. While EKM provides for local, on-server management of encryption keys, Microsoft and third party security professionals recommend the use of external key management HSMs. TRANSPARENT DATA ENCRYPTION Transparent Data Encryption, or TDE, is a part of the Microsoft SQL Server Extensible Key Management system. When implemented, TDE encrypts the entire database table space providing security for the entire database. The key management HSM contains the master key that protects the entire table. Many Microsoft customers prefer the TDE approach to protecting data for several reasons: It is easy to implement and does not require modification of the application. They key that protects the database never leaves the HSM, providing better security. The impact on performance is smaller than other alternatives. Watch this video to learn how to set up TDE & EKM on SQL Server in under 10 minutes! Using TDE with a key management HSM provides customers with comprehensive data protection; it matches the best practice recommendations of security professionals and compliance auditors; performance impacts are minimal; and it is the easiest and least expensive solution to implement. 12

13 ENCRYPTION KEY MANAGEMENT FOR SQL SERVER 2008/2012 EXTENSIBLE KEY MANAGEMENT (EKM) AND KEY MANAGER SECURE CONNECTIONS WITH TLS Key management best practices require that encryption keys be protected at all times and not be exposed to loss as they move from the key server HSM to the SQL Server application. A good key manager should use authenticated and secure Transport Layer Security (TLS) communications and standard PKI methods to insure that critical information is protected as it moves to and from the key server. Your organization can use existing PKI infrastructure to create the necessary X509 certificate and private keys used to protect TLS sessions, or you can use OpenSSL to generate the necessary certificates and keys. Regardless of the method you use to create the certificates and keys, your key management HSM should always protect encryption keys and sensitive data as it moves between SQL Server and the HSM. CELL LEVEL ENCRYPTION Cell Level Encryption, or column encryption, is also a part of the Microsoft SQL Server Extensible Key Management system. When implemented, cell level encryption encrypts a single column of a table. Unlike TDE, the Microsoft developer must implement cell level encryption in their SQL statements. For Microsoft customers and ISVs who have legacy applications that perform encryption, this may be the best way to implement data protection in the SQL Server database. Watch the Webinar: Encryption & Key Management on SQL Server to Learn: Principles and best practices for encryption and key management Using EKM & TDE to easily encrypt sensitive data on SQL Server 2008/2012 Encryption strategies for all SQL Server platforms Performance impacts of encryption on SQL Server How to easily meet compliance requirements 13

14 ENCRYPTION KEY MANAGEMENT FOR IBM i END OF SUPPORT FOR V5R4 On September 30, 2013, IBM will end support for IBM i V5R4. This decision will force their customers running on V5R4 to upgrade to either V6R1 or V7R1. The most notable difference between V6R1 and V7R1 is the new FIELDPROC exit point capability offered exclusively in V7R1. Short for field procedure, FIELDPROC allows a user to identify all fields they wish to encrypt with a third-party automatic AES encryption solution without making application changes. IBM i V7R1 and FIELDPROC The newest version of the IBM i operating system, V7R1, brings sophisticated new security tools from IBM s larger systems to mid-range markets. These new features allow third-party companies such as Townsend Security to offer NIST-certified automatic AES encryption, so that you can now encrypt your sensitive data without application changes. Encryption key management used in conjunction with FIELDPROC encryption enables IBM i customers to meet compliance mandates such as PCI-DSS. Encryption is only half of the solution. Without a comprehensive encryption key management plan, an encryption project is still weak and incomplete. 14

15 TOWNSEND SECURITY: DEDICATED TO DATA PRIVACY Townsend Security has earned the trust of over 3,000 customers worldwide with our easyto-use, affordable, and comprehensive encryption and key management solutions. With over 20 years of experience in the data security industry, Townsend Security has helped some of the largest enterprises meet their evolving compliance requirements (PCI DSS, HIPAA/HITECH, and others) and mitigate the risk of data breaches and cyber-attacks. Our encryption key management solutions are FIPS certified, and our data in motion and data at rest products are certified by NIST. Townsend Security is committed to both our end-users and partner channel. We provide our partners with Enterprise ready appliances with simplified distribution models that make it easy for OEMs, ISVs, and System Integrators to be successful. Our team is dedicated to providing training, back-end support, and marketing materials to your technical and sales staff and remains accessible long after the training is complete. Web: Phone: (800) or (360)