Securing Your Sensitive Data with EKM & TDE on SQL Server 2008/2012

About The Speaker
- Founder & CEO of Townsend Security
- Leading data security expert
- 30 years IT industry experience

Introduction
- Organizations of all sizes are under multiple compliance regulations
- Encryption is perceived to be the hardest part of compliance
- Key management is perceived to be the hardest part of encryption

Session Roadmap
- Compliance and Standards
- Key Management: Critical for Compliance
- Microsoft EKM Architecture
- EKM Supported Platforms
- Transparent Data Encryption
- Cell Level Encryption

Session Roadmap (cont.)
- Performance Considerations
- Should I upgrade? The Business Case
- Migrating to EKM with Key Management
- How about SharePoint and Dynamics Encryption?

Compliance and Standards
- PCI DSS: Credit Card Payments
- HIPAA / HITECH Act: Medical
- GLBA / FFIEC: Banking and Finance
- State Privacy (proposed Federal)

Compliance and Standards (Cont.)
- FISMA: Federal Govt.
- FERPA: Educational Institutions
- Federal Trade Commission: Consumer Fraud

Where Do Regulations Come From?
- National Institute of Standards and Technology (NIST)
- International Standards Organization (ISO)
- American National Standards Institute (ANSI)
- IEEE 1619.3 Key Management for Storage

What are the Standards and Certifications?
- AES encryption standard is from NIST
  - AES Validation
- Cryptographic module certification for key management is from NIST
  - FIPS 140-2
- RSA and ECC cryptographic module certification is from NIST
  - RSA and ECC validation
  - FIPS 140-2 certification

Key Management: Critical for Compliance
- Dual Control & Separation of Duties: why do they matter?
- Not new concepts, very common in financial operations

Dual Control
- Two or more people authenticate to perform ONE operation
- Example: Two signatures required on checks
- Key Management: Two or more people must authenticate

Separation of Duties
- Different people perform different operations
- Example: Different person prints the checks than signs them
- Key Management: Different people manage encryption keys than manage databases
- Locally stored keys result in audit failures

SQL Server EKM Capabilities
- Extensible Key Management starting with SQL Server 2008
- Transparent Data Encryption (TDE)
- Cell Level Encryption
- HSM hosted keys
- Symmetric and Asymmetric Encryption

EKM Supported Platforms
- SQL Server 2008 Enterprise Edition or higher
- SQL Server 2008 R2 Enterprise Edition or higher
- SQL Server 2012 Enterprise Edition or higher
- SQL Server Developer and Evaluation Editions

Non EKM Platforms
EKM not supported on:
- SQL Server 2000
- SQL Server 2005
- SQL Server 2008/2012 Express Edition
- SQL Server 2008/2012 Standard Edition
- SQL Server 2008/2012 Web Edition

SQL Server EKM Architecture
- SQL Server with EKM support
- EKM Provider software (vendor provided)
- Key manager HSM

Transparent Data Encryption (TDE)
- Entire table space is encrypted
- Temporary space and logs are encrypted
- Symmetric key is protected by Asymmetric key on key manager
- Encryption key protected by the HSM
- Symmetric key is unlocked during SQL Server start
- SQL Server performs all encryption tasks (not an HSM task)

EKM TDE with HSM example

    -- Register the vendor-supplied EKM provider DLL with SQL Server
    create cryptographic provider KeyConnection
        from file = 'C:\Program Files\Townsend Security\Key Connection for SQL Server\bin\EkmProvider.dll';

    -- Reference the existing RSA key held on the key manager HSM
    use master;
    create asymmetric key rsa_key
        from provider KeyConnection
        with provider_key_name = 'RSA-KEY',
             creation_disposition = open_existing;

    -- Create the database encryption key, protected by the HSM-held RSA key
    use mydatabase;
    create database encryption key
        with algorithm = AES_256
        encryption by server asymmetric key rsa_key;

    -- Turn on TDE for the database
    alter database mydatabase set encryption on;

Migrating EKM TDE encryption to an HSM strategy
- Without a key server HSM, the SQL Server data encryption key is protected by a key encryption key stored on the server
- Migrating to HSM protection is easy: just two or three commands
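
The migration described above, written out as an added example (not from the original slides). It assumes the database encryption key of mydatabase is currently protected by a certificate or key stored in master, and it reuses the provider, key and database names from the TDE example; the 'EKM provider enabled' step and any credential or login mapping the EKM provider needs are assumptions about the local setup.

```sql
-- Added example: move an existing TDE database to HSM-backed key protection.
-- KeyConnection, rsa_key, 'RSA-KEY' and mydatabase are reused from the slides.

-- 1. Allow SQL Server to load EKM providers (disabled by default).
exec sp_configure 'show advanced options', 1;
reconfigure;
exec sp_configure 'EKM provider enabled', 1;
reconfigure;

-- 2. Register the provider and reference the RSA key held on the key manager.
use master;
create cryptographic provider KeyConnection
    from file = 'C:\Program Files\Townsend Security\Key Connection for SQL Server\bin\EkmProvider.dll';

create asymmetric key rsa_key
    from provider KeyConnection
    with provider_key_name = 'RSA-KEY',
         creation_disposition = open_existing;

-- Assumption: some EKM providers also need a credential mapped to a login
-- created from rsa_key before the engine can reach the key manager at
-- startup. That step is provider-specific and is not shown here.

-- 3. Re-protect the existing database encryption key with the HSM-held key.
--    Only the small key wrapper changes; the data pages are not re-encrypted.
use mydatabase;
alter database encryption key
    encryption by server asymmetric key rsa_key;

-- 4. Verify which key now protects the database encryption key.
select db_name(dek.database_id) as database_name,
       dek.encryption_state,          -- 3 = encrypted
       dek.key_algorithm,
       dek.key_length,
       ak.name          as protecting_key,
       ak.provider_type               -- 'CRYPTOGRAPHIC PROVIDER' for EKM keys
from sys.dm_database_encryption_keys as dek
left join master.sys.asymmetric_keys as ak
       on ak.thumbprint = dek.encryptor_thumbprint
where dek.database_id = db_id('mydatabase');
```

Backups taken before the switch still need the previous certificate or key to restore, so keep that protector backed up after the migration.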

Cell Level Encryption
- Only selected cells (columns) are encrypted
- Requires changes to SQL statements
- EKM Provider called for each encryption request
- Symmetric keys are retrieved from key manager HSM as needed
- EKM Provider performs encryption tasks

EKM Cell Level HSM example

    -- Register the vendor-supplied EKM provider DLL with SQL Server
    create cryptographic provider KeyConnection
        from file = 'C:\Program Files\Townsend Security\Key Connection for SQL Server\bin\EkmProvider.dll';

    -- Look up the id SQL Server assigned to the provider
    select provider_id
        from sys.dm_cryptographic_provider_properties
        where friendly_name = 'Key Connection for SQL Server';

    -- List the keys the provider exposes; replace provider_id with the
    -- value returned by the previous query
    select * from sys.dm_cryptographic_provider_keys(provider_id);

EKM with HSM example

    -- Reference an existing symmetric key held on the key manager HSM
    create symmetric key my_key
        from provider KeyConnection
        with provider_key_name = 'KEY01-128',
             creation_disposition = open_existing;

    -- Encrypt a value, and decrypt a column
    select encryptbykey(key_guid('my_key'), 'Hello World');
    select decryptbykey(some_column) from some_table;

    -- Encrypt with an authenticator; the same authenticator must be
    -- supplied to decryptbykey to decrypt this value
    insert into my_table
        values (encryptbykey(key_guid('my_key'), 'Hello World', 1, 'Townsend Security'));

Performance considerations
- TDE works best on small and mid-sized databases
- TDE imposes about 1.5% to 2% performance impact
- Backups may take longer with TDE due to low compression
- Cell Level Encryption is best for large databases
- EKM Provider can help with Cell Level encryption performance

Upgrade for EKM? The Business Case
- Cost/Benefit analysis is important in upgrade scenarios
- Most companies view encryption as risk mitigation
  - ROI is not appropriate
- TDE is low impact from a maintenance point of view

SharePoint Encryption?
- SharePoint 2010 supports SQL Server TDE

Dynamics CRM Encryption?
- Microsoft Dynamics CRM applications with SQL Server TDE

Dynamics CRM Encryption
What Microsoft says about Dynamics CRM 4.0 with TDE encryption:
"For business scenarios that require a level of protection for the entire database at rest, consider enabling TDE, which test results confirm will have a minimal effect on the performance of existing applications."