Encryption Key Management for Microsoft SQL Server 2008/2014



Similar documents
ENCRYPTION KEY MANAGEMENT SIMPLIFIED A BEGINNER S GUIDE TO ENCRYPTION KEY MANAGEMENT

Key Management in the Multi-Platform Environment

Critical Steps to Encryption & Key Management in the Microsoft Azure Cloud

PCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security

Alliance Key Manager Solution Brief

Alliance Key Manager Cloud HSM Frequently Asked Questions

Securing Your Sensitive Data with EKM & TDE. on SQL Server 2008/2012

Alliance AES Key Management

Efficient Key Management for Oracle Database 11g Release 2 Using Hardware Security Modules

THE KEY TO DATA SECURITY

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

With Eversync s cloud data tiering, the customer can tier data protection as follows:

IBM i Encryption in a Snap! Implement IBM FIELDPROC with a simple to use GUI and a few clicks of your mouse.

Understanding the Role of Hardware Data Encryption in EMV and P2PE from the CEO s Perspective

Vormetric Encryption Architecture Overview

White Paper How Noah Mobile uses Microsoft Azure Core Services

Healthcare Compliance Solutions

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

Alliance Key Manager A Solution Brief for Technical Implementers

BANKING SECURITY and COMPLIANCE

MySQL Security: Best Practices

Complying with PCI Data Security

SecureD Technical Overview

Keep Your Data Secure in the Cloud Using encryption to ensure your online data is protected from compromise

A Flexible and Comprehensive Approach to a Cloud Compliance Program

Healthcare Compliance Solutions

DRAFT Standard Statement Encryption

Alliance AES Encryption for IBM i Solution Brief

SecureAge SecureDs Data Breach Prevention Solution

Automatic Encryption With V7R1 Townsend Security

Key Management Best Practices

TOP SECRETS OF CLOUD SECURITY

BBM Protected Secure mobile

Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story

SafeNet DataSecure vs. Native Oracle Encryption

RSA Solution Brief RSA. Encryption and Key Management Suite. RSA Solution Brief

CloudCheck Compliance Certification Program

The True Story of Data-At-Rest Encryption & the Cloud

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions

University of Pittsburgh Security Assessment Questionnaire (v1.5)

BMC s Security Strategy for ITSM in the SaaS Environment

The Education Fellowship Finance Centralisation IT Security Strategy

Cloud Security Case Study Amazon Web Services. Ugo Piazzalunga Technical Manager, IT Security

Projectplace: A Secure Project Collaboration Solution

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

All Things Oracle Database Encryption

ACHIEVING HIPAA COMPLIANCE WITH POSTGRES PLUS CLOUD DATABASE

PROTECTING DATA IN MULTI-TENANT CLOUDS

Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance

Innovations in Digital Signature. Rethinking Digital Signatures

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Whitepaper. What You Need to Know About Infrastructure as a Service (IaaS) Encryption

The SparkWeave Private Cloud & Secure Collaboration Suite. Core Features

Microsoft SQL Server Integration Guide

Townsend Security Addendum to VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.

The SparkWeave Private Cloud & Secure Collaboration Suite. Core Features

Security Controls What Works. Southside Virginia Community College: Security Awareness

Privacy and Encryption in egovernment. Dewey Landrum Technical Architect CSO SLED West Sector CISSP August 11, 2008

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Oracle Database 11g: Security. What you will learn:

Security Overview Enterprise-Class Secure Mobile File Sharing

John Essner, CISO Office of Information Technology State of New Jersey

Cloud Security and Managing Use Risks

CONTENT OUTLINE. Background... 3 Cloud Security Instance Isolation: SecureGRC Application Security... 5

kamai Technologies Inc. Commonly Accepted Security Practices and Recommendations (CASPR)

Compliance for the Road Ahead

Security That Ensures Tenants Do Not Pose a Risk to One Another In Terms of Data Loss, Misuse, or Privacy Violation

Whitepaper: 7 Steps to Developing a Cloud Security Plan

White Paper. Keeping Your Private Data Secure

Transparent Data Encryption: New Technologies and Best Practices for Database Encryption

Oracle Database 11g: Security

An Oracle White Paper June Oracle Database 11g: Cost-Effective Solutions for Security and Compliance

penelope athena software SOFTWARE AS A SERVICE INFORMATION PACKAGE case management software

risk advisory TAX Finance & Accounting Dave Elliott, CIPP/G/C, CISSP, CISA Chip Zodrow Paul Rozek, CGEIT

CA DLP. Release Notes for Advanced Encryption. r12.0

PRIME IDENTITY MANAGEMENT CORE

Why self-signed certificates are much costlier and riskier than working with a trusted security vendor

Microsoft Azure. White Paper Security, Privacy, and Compliance in

How To Achieve Pca Compliance With Redhat Enterprise Linux

Vormetric and PCI Compliance in AWS A COALFIRE WHITE PAPER

Encryption Services

A Strategic Approach to Enterprise Key Management

SafeNet Securing Microsoft Solutions

Accelerating Insurance Legacy Modernization

Practical Storage Security With Key Management. Russ Fellows, Evaluator Group

HIPAA Privacy & Security White Paper

WHITEPAPER. Compliance: what it means for databases

Table of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility.

custom hosting for how you do business

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Secure SSL, Fast SSL

RSA SecurID Two-factor Authentication

Business Continuity and Disaster Recovery Solutions in Government

Applying Cryptography as a Service to Mobile Applications

Transcription:

White Paper 0x8c1a3291 0x56de5791 0x450a0ad2 axd8c447ae 8820572 0x5f8a153d 0x19df c2fe97 0xd61b5228 0xf32 4856 0x3fe63453 0xa3bdff82 0x30e571cf 0x36e0045b 0xad22db6a 0x100daa87 0x48df 0x5ef8189b 0x255ba12 bdff8 0xf08cde96 Encryption Key Management for Microsoft SQL Server 2008/2014 ORGANIZATIONS CONTINUE TO EXPERIENCE DAMAGING LOSSES DUE to data breaches. These losses include legal costs, costs to reimburse customers and employees, lost stakeholder value, and reduction of goodwill. The estimate of these financial losses range into the billions of dollars every year. This paper discusses compliance regulations, standards for protecting data with encryption, and how Microsoft provides for the encryption of sensitive data in its flagship SQL Server database system. Townsend Security s Alliance Key Manager provides a cost effective, easy-to-deploy, and compliant solution for Microsoft customers whether their data is in the Cloud, VMware, or a traditional IT data center. www.townsendsecurity.com 724 Columbia Street NW, Suite 400 Olympia, WA 98501 360.359.4400 800.357.1019 fax 360.357.9047 www.townsendsecurity.com

Data Losses Mount Along with Financial Losses According to the Ponemon Institute s 2014 Cost of Data Breach Study: United States the average cost of a data breach increased from $188 to $201 per record, and the average cost to a company is $5.9 million per breach. Financial costs include the replacement of credit cards, the cost of credit monitoring services, and the legal costs required to defend the organization from consumer and shareholder lawsuits. Long term reputational costs can be even more severe. The costs of data breaches are rising and the frequency is rising, too. Mid-market companies face an additional existential risk. A survey conducted by the Ponemon Institute and sponsored by the law firm of Scott and Scott, shows that 74% of companies experienced a loss of customers after a breach, and 32% experienced a loss in share value. In a difficult economic environment a company may not survive the financial impacts of a data breach. Compliance Regulations & Asset Protection Drive Encryption Compliance regulations such as the Payment Card Industry Data Security Standards (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), Gramm-Leach-Bliley Act (GLBA), and state privacy laws force organizations to implement strong data protection controls including data encryption. In some cases regulations require the encryption of sensitive data, and in other cases encryption is strongly recommended. The only safe harbor from breach notification across all regulations is the use of strong encryption to protect sensitive data. While strong encryption is not the only data security effort needed to protect data, it is an essential component of any effective strategy. Encryption Key Management is Crucial to an Encryption Strategy The most important part of a data encryption strategy is the protection of the encryption keys you use. Encryption keys are the real secret that protects your data. Just as the key to your house is unique and can t be used anywhere else, the data encryption keys you use are unique and only known to your organization. Protecting these keys is the central challenge for a data encryption strategy. Protecting encryption keys from loss is the special province of security companies who create encryption key managers for this purpose. These systems are a combination of hardware and software specifically designed to create and manage encryption keys, and to restrict their use to authorized users and applications. Key managers also incorporate a variety of security techniques to thwart unauthorized access, report on suspicious system activity, and mirror critical information to backup servers for high availability. Alliance Key Manager from Townsend Security is a key management system that provides all of these services to organizations large and small. Key Management Standards and Best Practices Because encryption and key management is crucial to data protection, the National Institute of Standards and Technology (NIST) provides guidelines on best practices for key management, and a cryptographic module certification program. The NIST Special Publication SP-800-57 provides recommendations for encryption key management. Additionally, NIST publishes standards for cryptographic systems in the Federal Information Processing Standards 140-2 (FIPS 140-2). Key Management vendors can have their solutions certified by NIST to the FIPS 140-2 standard, and this certification is required for Federal agencies. Townsend Security s Alliance Key Manager solution has been through the FIPS 140-2 valiation process. While it is not possible to perform FIPS 140-2 validation in a cloud service provider context, Alliance Key Manager uses the same FIPS 140-2 compliant key management technology available in Townsend Security s HSM and in use by over 3,000 customers worldwide. Page 1

Security Architects and Auditors Look for NIST-Compliant Solutions Security professionals and compliance officers in private companies and organizations recognize the importance of FIPS 140-2 certification as an indicator of the quality of a key management solution, and insist on this certification from their vendors. Auditors also understand that proper encryption key management is beyond the technical scope of most organizations, and look for NIST standards and certification. Organizations that use non-standard or uncertified solutions are often subject to extra scrutiny around key management practices. Mid-market and smaller organizations are experiencing audit failures around their key management practices. Rectifying a key management audit failure can be an expensive and time consuming task. You can avoid this potential problem by deploying a key management solution that can withstand auditor scrutiny. From the PCI DSS: Strong Cryptography: Cryptography based on industrytested and accepted algorithms, along with strong key lengths and proper key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible, or one way ). Examples of industry-tested and accepted standards and algorithms for encryption include AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher), ECC (160 bits and higher), and ElGamal (1024 bits and higher). See NIST Special Publication 800-57 for more information. Microsoft SQL Server 2008/2014 Extensible Key Management (EKM) Recognizing the importance of proper key management for data security, Microsoft implemented Extensible Key Management (EKM) in SQL Server 2008. EKM is both an architecture for encryption key management services, and a interface for third-party key managers such as Alliance Key Manager from Townsend Security. While EKM provides for local, on-server management of encryption keys, Microsoft and third party security professionals recommend the use of external key management solutions. Alliance Key Manager is designed for use with Microsoft SQL Server EKM as a hardware security module, VMware virtual machine, or in the cloud (AWS and Microsoft Azure). From Jefferson Wells on HIPAA compliance: When enabled, EKM can provide a common interface to third-party key management and HSM to encrypt the keys used for data encryption and to directly encrypt the data itself. Once registered with EKM, these modules can be used by SQL Server to leverage the extended functionality provided by the HSM. These solutions work seamlessly with SQL Server 2008/2012 databases and support enterprisewide, dedicated key management. This allows the key management function to be performed by a dedicated key management system instead of SQL Server. When implementing EKM, remember to: Store all keys separately from the data (SQL Server 2008/2012 supports the use of HSMs to provide the physical separation of keys from data) Transparent Data Encryption (TDE) Transparent Data Encryption, or TDE, is a part of the Microsoft SQL Server Extensible Key Management system. When implemented, TDE encrypts the entire database table space providing security for the entire database. The key management solution contains the master key that protects the entire table. Many Microsoft customers prefer the TDE approach to protecting data for several reasons: It is easy to implement and does not require modification of the application. The key that protects the database never leaves the key manager, providing better security. The impact on performance is smaller than other alternatives. The benefits of using Transparent Data Encryption with a key management solution are clear. Customers protect all of their data and rest assured that they did not miss important information; it matches the best practice recommendations of security professionals and compliance auditors; the performance degradation is minimal; and it is the easiest and least expensive solution to implement. In a white paper on SQL Server security Caturano and ParenteBeard recommend: key management is best handled through an EKM provider. An EKM provider can handle split key management by requiring multiple users to authenticate when performing administrative functions on the keys, such as changing permissions. To ensure segregation of duties, however, please bear in mind that the database owner and/or sysadmin should be independent of the EKM administrator. As another added control feature, EKM also separates the keys from the SQL Server application using the keys, so that keys are not stored with the data. Page 2

Cell Level Encryption Cell Level Encryption, or column encryption, is also a part of the Microsoft SQL Server Extensible Key Management system. When implemented, cell level encryption encrypts a single column of a table. Unlike TDE, the Microsoft developer must implement cell level encryption in their application code using SQL calls. For Microsoft customers and ISVs who have legacy applications that perform encryption, this may be the best way to implement data protection in the SQL Server database. The benefits of using encryption with a key management solution are clear. Customers protect their sensitive data from loss; the costs of breach notifications are minimized or eliminated; it matches the best practice recommendations of security professionals and compliance auditors; legal liability is minimized; and it is easy to implement in the SQL Server database. Alliance Key Manager for SQL Server Alliance Key Manager is a general purpose key management solution from Townsend Security that integrates naturally with Microsoft SQL Server. The solution is available as a hardware security module (HSM), cloud HSM, VMware virtual machine, or in the cloud (AWS or Microsoft Azure). The key manager creates, stores, and protects encryption keys used by SQL Server and provides the Separation of Duties and Dual Control required by the PCI Data Security Standard and other compliance regulations. In addition to providing key management services to SQL Server, Alliance Key Manager provides encryption keys for applications throughout the organization. The Key Connection software that accompanies Alliance Key Manager installs on the Windows Server running the SQL Server database to provide the connection between SQL Server and the key manager. Key Connection stores the configuration information, the list of available key servers, and information on the certificates used to protect the connection to the key manager. Key Connection is the EKM Provider registered to SQL Server by the database administrator to start encryption of the SQL Server database. A natural Windows install, licensing, and configuration interface makes it easy to deploy by system administrators. EKM and Key Manager Secure Connections with TLS Key management best practices require that encryption keys be protected at all times and not be exposed to loss as they move from the key manager to the SQL Server application. Alliance Key Manager uses authenticated and secure Transport Layer Security (TLS) version 1.2 communications to insure that critical information is protected as it moves to and from the key server. Alliance Key Manager uses standard PKI methods for TLS protection. Your organization can use existing PKI infrastructure to create the necessary X509 certificate and private keys used to protect TLS sessions, or you can use OpenSSL to generate the necessary certificates and keys. Regardless of the method you use to create the certificates and keys, Alliance Key Manager will always protect encryption keys and sensitive data as it moves between SQL Server and the key manager. Key Management Resilience Encryption key management systems are a part of an organization s critical infrastructure and must be able resilient to normal disruptions. Alliance Key Manager for SQL Server incorporates a number of features to increase resilience: Key server hardware uses dual, hot swappable, RAID protected disk drives to protect against disk failure (1U rackmount system) Alliance Key Manager mirrors all encryption keys in real time to a high availability key server Key Connection software on the Windows Server automatically fails over to one or more high availability key servers Key Connection software automatically restarts as a service in the event of an operating system interruption. Key Management Scalability Organizations often start small when implementing encryption and increase their use of encryption over time. Alliance Key Manager,can scale with your growing need to protect encryption keys across a wide variety of applications Page 3

and servers. You can start with Alliance Key Manager in the cloud and use it just with SQL Server, then graduate to multiple key servers or the 1U rackmount hardware security module (HSM). You can also mix physcial and virtual key servers in the same organization to support a distributed application environment or point solutions. Barriers to Adoption (Money, Time, Complexity) HITECH, FISMA, GLBA/FFIEC, DIACAP, SOX, and other regulatory compliance requirements. You can contact Townsend Security for an initial consultation at the following locations: Web: www.townsendsecurity.com Phone: (800) 357-1019 or (360) 359-4400 International: +1 360 359 4400 Email: info@townsendsecurity.com Twitter: @townsendsecure There are many barriers to the deployment of good data protection. Overpriced key management solutions; complex solutions that require a lot of time to deploy or expensive developer resources; expensive consulting services required by vendors; hard to deploy and install software; and a variety of other challenges slow down the adoption of good data protection. Townsend Security s Alliance Key Manager solution drives down these barriers that scales in price to your actual needs, is easy to install and configure, has been through a NIST and FIPS validation to keep you compliant, and works automatically with the Microsoft SQL Server database. You can centrally manage multiple key managers to reduce the cost of administration, and built-in key mirroring reduces the costs of backup and recovery procedures. Alliance Key Manager for Microsoft SQL Server Alliance Key Manager by Townsend Security is a FIPS 140-2 compliant key management solution that is available as a Hardware Security Module (HSM), Cloud HSM, VMware OVA, or in the cloud (AWS and Microsoft Azure). Additionally, the solution supports on-appliance encryption and decryption services so that encryption keys are always kept separate from the data they protect. Townsend Security offers a free developer license for their key manager as part of their Developer Program. Townsend Security Townsend Security creates data privacy solutions that help organizations meet evolving compliance requirements and mitigate the risk of data breaches and cyber-attacks. Over 3,000 companies worldwide trust Townsend Security s NIST and FIPS 140-2 compliant solutions to meet the encryption and key management requirements in PCI DSS, HIPAA/ Page 4

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information