Key Management in the Multi-Platform Environment



Similar documents
Encryption Key Management for Microsoft SQL Server 2008/2014

Critical Steps to Encryption & Key Management in the Microsoft Azure Cloud

Alliance Key Manager Cloud HSM Frequently Asked Questions

ENCRYPTION KEY MANAGEMENT SIMPLIFIED A BEGINNER S GUIDE TO ENCRYPTION KEY MANAGEMENT

PCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security

Alliance Key Manager Solution Brief

Alliance AES Encryption for IBM i Solution Brief

Securing Your Sensitive Data with EKM & TDE. on SQL Server 2008/2012

Automatic Encryption With V7R1 Townsend Security

Alliance Key Manager A Solution Brief for Technical Implementers

How To Write An Ets Request For Proposal (Rfp)

Migrate AS 400 Applications to Linux

RSA Solution Brief RSA. Encryption and Key Management Suite. RSA Solution Brief

White Paper Server. SUSE Linux Enterprise Server 12 Modules

CS z/os Application Enhancements: Introduction to Advanced Encryption Standards (AES)

Migrate AS 400 Applications to Windows, UNIX or Linux

SafeNet DataSecure vs. Native Oracle Encryption

Rocket AS v6.3. Benefits of upgrading

With Eversync s cloud data tiering, the customer can tier data protection as follows:

All Things Oracle Database Encryption

Compliance for the Road Ahead

GiftCardXpress - Elavon Brief

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

2) Xen Hypervisor 3) UEC

Cloud and Data Center Security

Comprehensive Agentless Cloud Backup and Recovery Software for the Enterprise

BMC s Security Strategy for ITSM in the SaaS Environment

Deploying PGP Encryption and Compression for z/os Batch Data Protection to (FIPS-140) Compliance

SECUR IN MIRTH CONNECT. Best Practices and Vulnerabilities of Mirth Connect. Author: Jeff Campbell Technical Consultant, Galen Healthcare Solutions

Trend Micro. Secure virtual, cloud, physical, and hybrid environments easily and effectively INTRODUCTION

Real-Time Database Protection and. Overview IBM Corporation

Can I customize my identity management deployment without extensive coding and services?

GETTING STARTED GUIDE

Vormetric Encryption Architecture Overview

CA Workload Automation Agents for Mainframe-Hosted Implementations

Comprehensive Agentless Cloud Backup and Recovery Software for the Enterprise

data express DATA SHEET OVERVIEW

Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider

Crittografia e Enterprise Key Management una sfida possibile da affrontare

IBM i25 Trends & Directions

Oracle Database 11g: Security Release 2. Course Topics. Introduction to Database Security. Choosing Security Solutions

IBM CICS Transaction Gateway for Multiplatforms, Version 7.0

DATA BACKUP & RESTORE

D50323GC20 Oracle Database 11g: Security Release 2

Microsoft SQL Server versus IBM DB2 Comparison Document (ver 1) A detailed Technical Comparison between Microsoft SQL Server and IBM DB2

The ActiveBatch Integrated Jobs Library: Extensions Job Steps. The ActiveBatch Integrated Jobs Library: SSIS Job

How To Protect Your Data From Harm

Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider

Detecting a Hacking Attempt

White Paper How Noah Mobile uses Microsoft Azure Core Services

Cloud Computing and Big Data What Technical Writers Need to Know

ABC of Storage Security. M. Granata NetApp System Engineer

Oracle Business Intelligence Publisher. 1 Oracle Business Intelligence Publisher Certification. Certification Information 10g Release 3 (

EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions

Oracle Database 11g: Security Release 2

Building Applications Using Micro Focus COBOL

Advantage Database Server or Microsoft SQL Server which one is right for you?

Securing Data in Oracle Database 12c

Take full advantage of IBM s IDEs for end- to- end mobile development

DEVELOP ROBOTS DEVELOPROBOTS. We Innovate Your Business

FAMILY BROCHURE Sensitive data is everywhere. So are we.

MySQL Security: Best Practices

Key Management Best Practices

Migration and Developer Productivity Solutions Retargeting IT for Emerging Business Needs

Network Test Labs (NTL) Software Testing Services for igaming

REQUEST FOR INFORMATION FLORIDA AGENCY FOR STATE TECHNOLOGY CLOUD SERVICES AND SOLUTIONS RFI NO.:

SOLUTION BRIEF. Advanced ODBC and JDBC Access to Salesforce Data.

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption

CA Workload Automation Agents Operating System, ERP, Database, Application Services and Web Services

Version Overview. Business value

Optimizing Protection and Security for IBM i

Controlling Remote Access to IBM i

Database Management System Choices. Introduction To Database Systems CSE 373 Spring 2013

Accessing Your Database with JMP 10 JMP Discovery Conference 2012 Brian Corcoran SAS Institute

CA XCOM Data Transport- Secure, Reliable File Transfer for Heterogeneous Environments

A Flexible and Comprehensive Approach to a Cloud Compliance Program

Implementing efficient system i data integration within your SOA. The Right Time for Real-Time

Navigating Endpoint Encryption Technologies

Consolidating security across platforms with IBM System z

Daymark DPS Enterprise - Agentless Cloud Backup and Recovery Software

Securing Oracle E-Business Suite in the Cloud

Lecture 26 Enterprise Internet Computing 1. Enterprise computing 2. Enterprise Internet computing 3. Natures of enterprise computing 4.

DEPLOYMENT ROADMAP March 2015

Tips For Buying Cloud Infrastructure

The True Story of Data-At-Rest Encryption & the Cloud

PROGRESS DATADIRECT QA AND PERFORMANCE TESTING EXTENSIVE TESTING ENSURES DATA CONNECTIVITY THAT WORKS

Course Description for Operating Systems Hands-On (S&R Technology Lab)

Best practices for data migration.

Transcription:

White Paper 0x8c1a3291 0x56de5791 0x450a0ad2 axd8c447ae 8820572 0x5f8a153d 0x19df c2fe97 0xd61b5228 0xf32 4856 0x3fe63453 0xa3bdff82 0x30e571cf 0x36e0045b 0xad22db6a 0x100daa87 0x48df 0x5ef8189b 0x255ba12 bdff8 0xf08cde96 Key Management in the Multi-Platform Environment A Practical Guide to Choosing a Key Management Solution for Your Enterprise THIS WHITE PAPER discusses the challenges of deploying key management for encryption in business applications. The modern enterprise deploys a variety of server platforms, operating systems, and programming languages. A major barrier to deploying encryption has been the challenge of accessing encryption keys from these widely divergent environments. This paper will help define the key management needs of your enterprise, while defining the elements necessary to reduce the technical challenges and cost of deployment. www.townsendsecurity.com 724 Columbia Street NW, Suite 400 Olympia, WA 98501 360.359.4400 800.357.1019 fax 360.357.9047 www.townsendsecurity.com

Key Managers and Key Retrieval Encryption key management solutions have the primary goal of managing and protecting encryption keys, and making them available to authorized applications in a secure fashion. Key retrieval includes the process by which an application requests an encryption key from the key server, how the key is protected during the delivery of the key, and the format of the encryption key and policy information that is delivered. Key management solutions vary greatly in the complexity of the key retrieval process. The more complex the key retrieval interface, the greater the challenge for the enterprise IT team in deploying key retrieval in applications. Understanding this fact can help IT decision makers assess different vendor solutions and the likely costs of deploying a solution in their enterprise. KMIP Standard Key Management Industry standards are important for customers who want to achieve good security and a measure of independence from any one key management vendor. The OASIS Key Management Interoperability Protocol (KMIP) is an important key management industry standard that is supported by all professional key management systems. Payload Complexity When a key server provides an encryption key to a client application, it packages the encryption key with additional information about the key. This additional information may include usage policy (can the key be used for encryption, digital signature, and so forth), key expiration information, and key access information. The packaging of this information may be more complex or less complex. While more complex packaging can provide more flexibility, it can also reduce the ability of developers to use the contents of the package on new platforms. A complex package can represent a Rubik s cube challenge for developers slowing deployment and delaying projects. In some cases Enterprise customers have been forced to hire specialized consultants from the key management vendor just to implement the application interface for key retrieval. In this case the consulting costs can quickly exceed the costs of the key management solution itself. Sample Source Code Speeds Deployment One way that vendors can help their customers deploy key management solutions quickly is to provide sample source code and platform-specific programming guides. Sample source code will help a developer quickly understand how to implement the key retrieval solution in your applications, and understand the best practices for programming to the vendor s interface. Sample source code also provides the developer an easy means of validating the implementation. If the sample code is adequate, it can be compiled and demonstrate successful key retrieval in a very short period of time. When a vendor provides sample source they are also making a statement about the ease of use of their product. Sample source code provides a road map for the developer and shows the simplicity (or complexity) of the implementation. This gives IT professionals a good yardstick to determine the actual cost of the implementation. Key Retrieval From Windows Applications The windows platform can represent the biggest challenge from a key retrieval perspective. There are many programming languages on the platform, and many versions of the windows operating system. At a minimum the following language environments should be supported for key retrieval: C and C++ C# (C Sharp) Java This wide array of languages presents a daunting challenge to a key management vendor. A well thought- out strategy is needed to be sure that encryption keys can be retrieved into all of these environments. Since Microsoft has clearly defined the.net platform as their strategic development platform, the key management vendor should provide a.net assembly as a core platform for key retrieval. The windows developer will be able to incorporate the assembly into any of the modern Microsoft languages. In addition to support for the newer.net assembly, a key management vendor should also support the traditional Page 1

Dynamic Link Library (DLL). DLLs are used in older Microsoft and third party languages. There are many thousands of legacy applications that use this older approach to application development, and support for this approach is crucial for success on the Microsoft windows platform. The many versions of Microsoft windows can also present a challenge to the key management vendor. Typically the enterprise customer will run a variety of third party solutions which require different version of the windows server and PC operating systems. It is not uncommon to see applications running on Windows NT or even earlier versions of the windows operating system. Minimally, you should see support for the following Microsoft platforms: Windows 2003 Windows 2008 Windows 2008 R2 Windows Vista Windows 2012 Windows 2012 R2 Key Retrieval From Microsoft SQL Server Recognizing the importance of proper key management for data security, Microsoft implemented Extensible Key Management (EKM) in SQL Server 2008. Available in SQL Server 2008-2014 Enterprise Edition and higher, EKM is both an architecture for encryption key management services, as well as an interface for third-party encryption key managers (both Hardware Security Modules (HSMs) and virtual appliances in the cloud). While EKM provides for local, on-server management of encryption keys, Microsoft and third-party security professionals recommend the use of external key management. Along with EKM in SQL Server 2008/2012/2014, Microsoft provides two options to users for encryption Transparent Data Encryption (TDE) and Cell Level Encryption. It is essential for any encryption key manager to support both of these encryption options. For users of non-ekm versions of SQL Server, your key management vendor should be able to support and provide sample code your programming environment. Key Retrieval From Oracle Database 10g/11g Oracle database uses can choose from a rich set of programming languages including Java,.NET languages, and Oracle s own PL/SQL language. Oracle provides the DBMS_CRYPTO library for applications that use PL/SQL. Other languages also support AES encryption for data at rest. For Oracle 11g Enterprise customers with the Advanced Security module, Oracle provides for encryption key management through the Oracle Wallet application. For database customers without Enterprise Edition and Advanced Security, key management vendors provide software libraries that can provide for key retrieval and use with Oracle DBMS_CRYPTO or the native language encryption support. For Oracle 11g customers at Enterprise Edition with Advanced Security, customers can use the Transparent Data Encryption (TDE) option with software provided by key management vendors. Key Retrieval From MySQL Oracle s MySQL database is a popular open source database in use in a large number of Linux and Windows environments. MySQL customers use a variety of development languages for accessing MySQL data including Java,.NET languages, Perl, PHP, Ruby, and others. MySQL customers can use the native development language support for encryption, and use a vendor s key management solution for key management and key retrieval. Your key management vendor should be able to support your development language environment and provide you with sample application code. Key Retrieval From Linux Applications There are a variety of languages used for applications on the Linux platform. Java, C and C++, Perl, and PHP are some of the popular languages. Java is a special case and is covered in more detail below. In spite of the number of languages available on Linux, the job of providing key retrieval support is a bit easier for the key management vendor. Linux programming languages support shared libraries, and the key management vendor should provide this type of support for key retrieval. Key Retrieval From IBM i DB2 The IBM i (AS/400, iseries, System i) server platform is found in most enterprise environments providing support for back office applications. The programming languages used on this platform include RPG and COBOL, with the large majority of applications built using the RPG language. Encryption key retrieval should support both of these languages. Page 2

An effective way to provide key retrieval support on the IBM i platform is by using service programs. Service programs are very similar to shared libraries and Dynamic Link Libraries (DLLs). They can be easily added to most RPG and COBOL applications. The key management vendor should provide key retrieval support using a service program so that the IBM i developer can use it with any IBM i application programming language. In the latest versions of the IBM i operating system (V7R1 and V7R2) IBM provides a DB2 automatic encryption facility named FIELDPROC (Field Procedures). This facility allows IBM i customers and vendors to provide encryption and key retrieval software to automatically encrypt one or more columns in the DB2 database without application changes. Your IBM i software vendor should provide you with the encryption software and the key manager needed to protect data. Key Retrieval From IBM DB2 For non-ibm i platforms IBM s DB2 database is available for Windows and Linux platforms. IBM customers use a variety of development languages for accessing DB2 data including Java,.NET languages, and others. DB2 customers can use the native development language support for encryption, and use a vendor s key management solution for key management and key retrieval. Your key management vendor should be able to support your development language environment and provide you with sample application code help you get started. Key Retrieval From IBM z The IBM z (Mainframe, z/os, OS/390) platform runs a variety of operating systems and supports a variety of programming languages. Most enterprise customers run the z/os operating system and use Cobol for their back office applications. Key retrieval support for this environment is crucial for the enterprise customer. However, there are often applications written in other languages such as PL/I and Assembler. The key management vendor should provide support for key retrieval both as a Dynamic Link Library and as an object module. It is especially helpful to the mainframe developer to have sample Cobol source code as a guide for implementing key retrieval via a DLL interface. The sample code will help the developer understand the DLL architecture for key retrieval, and provide a quick method to validate key retrieval in the more complex z/os environment. Key Retrieval From Java The Java language is popular because applications written in this language can be deployed on a wide variety of hardware platforms and operating systems. Key management vendors have two different approaches to key retrieval from the Java language: standard Java, or Java Native Interface (JNI). Standard Java access provides an interface that is fully implemented in the Java language. The JNI interface links the Java language to other language objects such as DLLs and shared Libraries. Java developers prefer standard Java solutions because they are simpler to install and use than JNI interfaces. If the key retrieval interface involves complex packaging of the key information, the key management vendor often has no choice but to use the JNI interface. Simpler packaging allows for the use of the standard Java interface without the use of other language objects. Java can present some challenges when implementing secure key retrieval using the SSL/TLS protocol. Java SSL/ TLS is complex and involves the use of Java Key stores for certificate management. Be sure your key management vendor can provide you with sample Java source that demonstrates secure key retrieval. Key Management in the Cloud Public and private organizations want to take advantage of cloud-based solutions to reduce costs and improve business performance. Organizations should understand that the ultimate responsibility for the security of their data remains with them. While the new key management services offered by some cloud providers will help some customers better protect their sensitive data in their clouds, it will not meet minimum standards and security requirements for many organizations, and it will lock customers and partners into a specific cloud platform. Selecting a key management system is the most important part of a cloud encryption strategy. Summary Deploying encryption and key management across the enterprise involves work on the part of application developers on each enterprise computing platform. This work can be easier or harder depending on the key management vendor s dedication to appropriate implementations on each platform, ease of use of the key retrieval interface, and the availability of sample Page 3

source code. Solutions which are difficult to deploy in business applications raise the costs of encryption and key management. In some cases implementation can cost more than the initial key management solution. Townsend Security Townsend Security creates data privacy solutions that help organizations meet evolving compliance requirements and mitigate the risk of data breaches and cyber-attacks. Over 3,000 companies worldwide trust Townsend Security s NIST and FIPS 140-2 compliant solutions to meet the encryption and key management requirements in PCI DSS, HIPAA/ HITECH, FISMA, GLBA/FFIEC, SOX, and other regulatory compliance requirements. You can contact Townsend Security for an initial consultation at the following locations: Web: www.townsendsecurity.com Phone: (800) 357-1019 or (360) 359-4400 International: +1 360 359 4400 Email: info@townsendsecurity.com Twitter: @townsendsecure Page 3

Key Management Vendor Checklist 10 questions to ask your key management vendor 1) How would you describe the encryption key payload as retrieved from the key server? Is it simple or complex? 2) Is there a common key retrieval application interface on all platforms? What are the differences? 3) What platforms do you support for key retrieval? (Note any gaps in platform coverage for your company) 4) Do you provide working sample code for the platforms I need? (Windows, Linux, IBM i, IBM z) 5) Do you have a.net Assembly for use with Windows applications? 6) Do you provide an IBM i service program for RPG and Cobol applications? 7) Do you have a Java key retrieval class and examples? Is it standard Java or JNI? 8) Are there additional end-point licensing fees? 9) Can you run your key management solution directly in the Microsoft and Amazon clouds? 10) Does the key management solution run as a native VMware virtual machine? Once you have the answer to the above questions, it should be easier to choose the right key management vendor for your enterprise. if you have any questions not covered here, we would be happy to help you find the answers. Give us a call for a more complete needs assessment. 2012 Townsend Security Page 4

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information