Securing Your Sensitive Data with EKM & TDE
About The Speaker
• Founder & CEO of Townsend Security
• Leading data security expert
Introduction
• Organizations of all sizes are under multiple
compliance regulations
• Encryption is perceived to be the hardest part
of compliance
• Key management is perceived to be the
hardest part of encryption
Session Roadmap
• Compliance and Standards
• Key Management Critical for Compliance
• Microsoft EKM Architecture
• EKM Supported Platforms
• Transparent Data Encryption
• Cell Level Encryption
Session Roadmap (cont.)
• Performance Considerations
• Should I upgrade? The Business Case
• Migrating to EKM with Key Management
• How about SharePoint and Dynamics
Compliance and Standards
• PCI DSS – Credit Card Payments
• HIPAA / HITECH Act – Medical
• GLBA / FFIEC – Banking and Finance
• State Privacy (proposed Federal)
Compliance and Standards (Cont.)
• FISMA – Federal Govt.
• FERPA – Educational Institutions
• Federal Trade Commission – Consumer
Where Do Regulations Come From?
• National Institute of Standards and Technology (NIST)
• International Standards Organization – ISO
• American National Standards Institute – ANSI
• IEEE 1619.3 – Key Management for Storage
What are the Standards and Certifications?
AES encryption standard is from NIST
› AES Validation
Cryptographic module certification for key management is from NIST
› FIPS 140-2
RSA and ECC cryptographic module certification is from NIST
› RSA and ECC validation
› FIPS 140-2 certification
Key Management:
Critical for Compliance
• Dual Control & Separation of Duties – why do they matter?
• Not new concepts, very common in financial operations
Dual Control
• Two or more people authenticate to perform ONE operation
– Example: Two signatures required on checks
Separation of Duties
• Different people perform different operations
– Example: Different person prints the checks than signs them
– Key Management: Different people manage encryption keys than manage databases
SQL Server EKM Capabilities
• Extensible Key Management starting with SQL Server 2008
• Transparent Data Encryption (TDE)
• Cell Level Encryption
• HSM hosted keys
EKM Supported Platforms
• SQL Server 2008 Enterprise Edition or higher
• SQL Server 2008 R2 Enterprise Edition or higher
• SQL Server 2012 Enterprise Edition or higher
Non EKM Platforms
• EKM not supported on:
– SQL Server 2000
– SQL Server 2005
– SQL Server 2008/2012 Express Edition
– SQL Server 2008/2012 Standard Edition
– SQL Server 2008/2012 Web Edition
SQL Server EKM Architecture
• SQL Server with EKM support
• EKM Provider software (vendor provided)
Transparent Data Encryption (TDE)
• Entire table space is encrypted
• Temporary space and logs are encrypted
• Symmetric key is protected by Asymmetric
key on key manager
Transparent Data Encryption (TDE)
• Symmetric key is unlocked during SQL
Server start
• SQL Server performs all encryption tasks
(not an HSM task)
EKM TDE with HSM example
create cryptographic provider KeyConnection from file = 'C:\Program Files\Townsend Security\Key
EKM TDE with HSM example
use master;
create asymmetric key rsa_key from provider
KeyConnection with provider_key_name = 'RSA-KEY', creation_disposition = open_existing;
EKM TDE with HSM example
use mydatabase;
create database encryption key with algorithm = AES_256 encryption by server asymmetric key
Migrating EKM TDE encryption to
an HSM strategy
• Without a key server HSM, SQL Server data encryption key is
protected by key encryption key stored on the server
• Migrating to HSM protection is easy – just two or three commands
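The migration described above, sketched as an added example that is not from the original slides. It assumes the `KeyConnection` provider and the `rsa_key` asymmetric key from the earlier slides already exist in master, that `mydatabase` already uses TDE with a certificate-protected key, and that any vendor-specific provider authentication is already configured.

```sql
-- Added example, not from the slides. Assumes the KeyConnection provider and
-- the rsa_key asymmetric key from the earlier slides already exist in master,
-- and that mydatabase already uses TDE with a certificate-protected key.

-- 1. How is each database encryption key (DEK) protected today?
--    encryptor_type is available from SQL Server 2012 onward.
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,            -- 3 = encrypted
       dek.key_algorithm,
       dek.key_length,
       dek.encryptor_type,              -- CERTIFICATE or ASYMMETRIC KEY
       dek.encryptor_thumbprint
FROM sys.dm_database_encryption_keys AS dek;

-- 2. Confirm the key-manager-hosted asymmetric key is registered in master.
SELECT name, thumbprint, provider_type
FROM master.sys.asymmetric_keys
WHERE name = 'rsa_key';

-- 3. Re-protect the existing DEK with the key on the key manager.
--    Only the wrapping of the DEK changes; data pages are not re-encrypted.
USE mydatabase;
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER ASYMMETRIC KEY rsa_key;

-- 4. Verify: the DEK's encryptor thumbprint should now match rsa_key.
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,
       dek.encryptor_type,
       ak.name AS protecting_key
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN master.sys.asymmetric_keys AS ak
       ON ak.thumbprint = dek.encryptor_thumbprint
WHERE dek.database_id = DB_ID('mydatabase');
```

Keep the old certificate and its private-key backup after the switch: backups taken while the certificate protected the DEK still need it to restore.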
Cell Level Encryption
• Only selected cells (columns) are encrypted
• Requires changes to SQL statements
• EKM Provider called for each encryption request
• Symmetric keys are retrieved from key manager HSM as needed
EKM Cell Level HSM example
create cryptographic provider KeyConnection from file = 'C:\Program Files\Townsend Security\Key
EKM Cell Level HSM example
select provider_id from
sys.dm_cryptographic_provider_properties where friendly_name = 'Key Connection for SQL Server';
EKM Cell Level HSM example
select * from
EKM with HSM example
create symmetric key my_key from provider
KeyConnection with provider_key_name = 'KEY01-128', creation_disposition = open_existing;
EKM with HSM example
select encryptbykey(key_guid('my_key'), 'Hello World');
select decryptbykey(some_column) from some_table;
insert into my_table values
(encryptbykey(key_guid('my_key'), 'Hello World', 1, 'Townsend Security'));
Performance considerations
• TDE works best on small and mid-sized
databases
• TDE imposes about 1.5% to 2%
performance impact
• Backups may take longer with TDE due to
low compression
Performance considerations
• Cell Level Encryption is best for large
databases
• EKM Provider can help with Cell Level
encryption performance
Upgrade for EKM?
The Business Case
• Cost/Benefit analysis is important in upgrade scenarios
• Most companies view encryption as risk mitigation – ROI is not appropriate
SharePoint Encryption?
• SharePoint 2010 supports
SQL Server TDE
Dynamics CRM Encryption?
• Microsoft Dynamics CRM
applications with SQL Server TDE
Dynamics CRM Encryption
• What Microsoft says about Dynamics CRM 4.0 with TDE encryption:
“For business scenarios that require a level of protection for the entire database at rest, consider
enabling TDE, which test results confirm will have a minimal effect on the performance of existing