ENCRYPTION KEY MANAGEMENT SIMPLIFIED

A BEGINNER’S GUIDE TO ENCRYPTION KEY MANAGEMENT

IS THIS eBOOK RIGHT FOR ME?

Not sure if this is the right eBook for you? Check the following qualifications to make sure this eBook will get you the right information:

• YOUR COMPANY MUST MEET COMPLIANCE REGULATIONS AND PASS DATA SECURITY AUDITS

• YOU ARE STARTING AN ENCRYPTION PROJECT AND WANT TO LEARN MORE ABOUT ENCRYPTION KEY MANAGEMENT

• YOU ARE ALREADY ENCRYPTING BUT ARE NOT SURE IF YOU ARE USING KEY MANAGEMENT BEST PRACTICES

CONTENTS

1. WHAT IS ENCRYPTION KEY MANAGEMENT?

2. KEY MANAGEMENT BEST PRACTICES

3. IMPORTANT CERTIFICATIONS

4. MEET COMPLIANCE REQUIREMENTS

5. KEY MANAGEMENT FOR EVERY PLATFORM

6. ABOUT TOWNSEND SECURITY

WHAT IS ENCRYPTION KEY MANAGEMENT?

The most important part of a data encryption strategy is the protection of the encryption keys you use. Encryption keys are the real secret that protects your data, and key management is the special province of security companies who create encryption key hardware security modules (HSMs) for this purpose. These systems are a combination of hardware and software specifically designed to create and manage encryption keys, and to restrict their use to authorized users and applications. Key management HSMs also incorporate a variety of security techniques to thwart unauthorized access, report on suspicious system activity, and mirror critical information to backup servers for high availability.


KEY MANAGEMENT BEST PRACTICES

Because encryption key management is crucial to data protection, the National Institute of Standards and Technology (NIST) provides guidelines on best practices for key management and a cryptographic module certification program.

The NIST Special Publication SP-800-57 provides recommendations for encryption key management. Additionally, NIST publishes standards for cryptographic systems in the Federal Information Processing Standards 140-2 (FIPS 140-2). Key management vendors can have their solutions certified by NIST to the FIPS 140-2 standard, and this certification is required for Federal agencies.

The following best practices are recognized by federal and industry standards as critical steps to building a strong encryption and key management solution.

1. Dual Control means that no one person should be able to manage your encryption keys. Creating, distributing, and defining access controls should require at least two individuals working together to accomplish the task.

2. Separation of Duties means that different people should control different aspects of your key management strategy. This is the old adage “don’t put your eggs in one basket.” The person who creates and manages the keys should not have access to the data they protect, and the person with access to protected data should not be able to manage encryption keys.

3. Split Knowledge applies to the manual generation of encryption keys, or at any point where encryption keys are available in the clear. More than one person should be required to constitute or re-constitute a key in this situation.
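
The split-knowledge and dual-control rules above, shown as an added example (it is not from the eBook or from any vendor's product): a 256-bit key is divided into XOR components so that no single custodian ever holds it in the clear, and reconstitution is refused unless every named custodian presents a component. The custodian names, the function names, and the SHA-256 based check value are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # bytes: a 256-bit AES key


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def check_value(key):
    # Constructed stand-in for a key check value: lets custodians confirm the
    # rebuilt key without any of them seeing it. Not a standard KCV algorithm.
    return hashlib.sha256(b"demo-kcv" + key).hexdigest()[:16]


def split_key(key, custodians):
    """Split `key` into one XOR component per custodian (all are required)."""
    if len(custodians) < 2 or len(set(custodians)) != len(custodians):
        raise ValueError("split knowledge needs at least two distinct custodians")
    # Every component but the last is pure randomness; the last is the key
    # XORed with all the others, so any incomplete subset reveals nothing.
    parts = {name: secrets.token_bytes(len(key)) for name in custodians[:-1]}
    last = key
    for part in parts.values():
        last = _xor(last, part)
    parts[custodians[-1]] = last
    return parts


def reconstitute(presented, required, expected_check):
    """Rebuild the key only if every required custodian presents a component."""
    missing = set(required) - set(presented)
    if missing:
        raise PermissionError("dual control: missing " + ", ".join(sorted(missing)))
    key = bytes(KEY_LEN)
    for name in required:
        if len(presented[name]) != KEY_LEN:
            raise ValueError("component from %s has the wrong length" % name)
        key = _xor(key, presented[name])
    if not hmac.compare_digest(check_value(key), expected_check):
        raise ValueError("components do not reconstitute the expected key")
    return key


if __name__ == "__main__":
    custodians = ["custodian_a", "custodian_b", "custodian_c"]  # hypothetical
    key = secrets.token_bytes(KEY_LEN)
    parts = split_key(key, custodians)
    assert reconstitute(parts, custodians, check_value(key)) == key
    print("rebuilt key check value:", check_value(key))
```

In a real deployment the components would be generated and combined inside the key manager, with each custodian authenticating separately; the sketch only shows why a missing or altered component stops reconstitution.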


WHAT ARE THE PRACTICAL IMPLICATIONS OF THESE BEST PRACTICES AND CORE CONCEPTS?

The practical implications of these best practices fall to the system administrators. On all major operating systems such as Linux, Windows, and IBM i (AS/400) there is one individual who has the authority to manage all processes and files on the system. This is the Administrator on Windows, the root user on Linux and UNIX, and the security officer on the IBM i platform. In fact, there are usually multiple people who have this level of authority.

When there are so many authorized users and no protection of keys, the data is at a very high risk. That’s why storing encryption keys on the same system where the protected data resides violates all of the core principles of data protection, and that’s why we are seeing auditors and payment networks reject this approach.

Q: WHY IS INTEGRATED KEY MANAGEMENT A BEST PRACTICE ‘RED FLAG’?

‘Integrated key management’ is a term of art that refers to storing an encryption key on the same platform where the encrypted data is stored. It is impossible to use key management best practices when you are storing encryption keys with the encrypted data, and doing this also makes it impossible to meet some compliance requirements such as PCI-DSS Section 3. Dual control, separation of duties, and split knowledge can only be achieved using an external key manager HSM.

IMPORTANT CERTIFICATIONS

The National Institute of Standards and Technology (NIST) issues non-military government standards for a wide variety of technologies including data encryption and encryption key management. Because NIST uses an open and professional process to establish standards, the private sector usually adopts NIST standards for commercial use. NIST is one of the most trusted sources for technology standards. You should always look for an encryption and key management solution that is NIST-certified.

ENCRYPTION CERTIFICATIONS

Established by NIST as the highest standard for encryption, the most widely accepted cryptographic standard is the Advanced Encryption Standard (AES). AES supports nine modes of encryption, and NIST defines three key sizes for encryption: 128-bit, 192-bit, and 256-bit keys.

KEY MANAGEMENT CERTIFICATIONS

The highest standard for encryption key management is the Federal Information Processing Standard (FIPS) issued by NIST. A key management hardware security module (HSM) with a FIPS 140-2 certification will offer the highest level of compliance for your company.

MEET COMPLIANCE REQUIREMENTS

Data security compliance regulations exist in order to protect personal and sensitive information that businesses handle on a regular basis. Cyber crime and identity theft are on the rise in today’s electronic world, and these regulations are designed to help protect consumers against these threats.

Currently, the network of compliance regulations is fragmented across multiple regulating organizations. Some of them are government based and some are private industry based. Common regulations that all organizations are likely to run into are:

Payment Card Industry Data Security Standards (PCI DSS)

If you take or process credit card information, you fall under PCI DSS standards. This means that you must encrypt credit card information when it is at rest or in motion and protect encryption keys in accordance with Section 3. You also must implement encryption key management that uses proper dual control and separation of duties. PCI DSS also requires periodic encryption key rotation.

Gramm-Leach-Bliley Act and Federal Financial Institutions Examination Council (GLBA and FFIEC)

The Gramm-Leach-Bliley Act and Federal Financial Institutions Examination Council regulate data security in the financial sector. Under these regulations the financial industry is defined broadly and certainly includes banks, but also covers credit reporting agencies and other financial institutions. FFIEC is tasked with conducting audits and making sure banks line up with regulations, which have a strong focus on protecting consumer information. One statement they make in their documentation is that effective and proper key management based on industry standards is crucial.

Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH)

If your company operates in the medical sector—which is any organization defined as a covered entity within the HIPAA act—you fall under HIPAA/HITECH data security regulations. The HITECH act of 2009 strengthened HIPAA regulations tremendously by referring to NIST for encryption standards, best practices of encryption key management, and the collection of system logs.

Although there is no mandate by HHS and HIPAA/HITECH that you must encrypt patient information, there is a “back door” mandate that in the event of a data breach, all covered entities must report the breach to HHS. The only safe harbor from breach notification and potential fines is to be properly encrypting data.


Federal and State Laws

Currently 44 out of 50 states have data privacy regulations. Many organizations are unaware of their own state’s data privacy laws, or assume those laws do not apply to them, when in fact they almost always do.

Apart from the data security standards listed above, there is currently a proposed federal privacy law working through Congress. It is safe to assume that a new federal data privacy law will be enacted soon.

Ultimately, regulations are becoming more stringent, not less. Fines and penalties are getting steeper, not cheaper. And certifications are becoming more important, not less important. Even more critical is the fact that these regulators recommend or require that you use industry standard, NIST and FIPS 140-2 certified key management and encryption. Without these credentials, your company may not be compliant.

Sarbanes-Oxley (SOX)

Any publicly traded company in the United States falls under SOX regulations. There has been quite an increase in the focus on data privacy by SOX auditors--particularly encryption key management and system logging. From the beginning SOX auditors have held IT departments to high standards in terms of best practices and proper control of data. This increased focus on data protection has developed within the last 12 months or so. Several of our customers have told us they’ve been penalized for their insufficient encryption key management strategy by SOX auditors.


KEY MANAGEMENT FOR EVERY PLATFORM

Key management is a necessary part of encryption and compliance, and you should be able to use key management on every platform including multi-platform environments. Some major platforms including Microsoft SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, and IBM i V7R1 support easy and automatic encryption with the ability to use a third-party key manager. Encryption and key management can also be enabled on Oracle, Linux, DB2, and Windows.

In this section we’ll discuss encryption key management on two popular platforms: Microsoft SQL Server 2008/2012 and IBM i.

ENCRYPTION KEY MANAGEMENT FOR SQL SERVER 2008/2012

ORGANIZATIONS CONTINUE TO EXPERIENCE DAMAGING LOSSES DUE TO DATA BREACHES.

These losses include legal costs, costs to reimburse customers and employees, lost stakeholder value, and reduction of goodwill. Estimates of these financial losses range into the billions of dollars every year. This section highlights excerpts from the White Paper, ENCRYPTION KEY MANAGEMENT FOR SQL SERVER 2008/2012, and outlines how Microsoft provides for the encryption of sensitive data in its flagship SQL Server database system.

MICROSOFT SQL SERVER 2008/2012 EXTENSIBLE KEY MANAGEMENT

Recognizing the importance of proper key management for data security, Microsoft implemented extensible key management (EKM) in SQL Server 2008. EKM is both a new architecture for encryption key management services, and a new interface for third party key managers. While EKM provides for local, on-server management of encryption keys, Microsoft and third party security professionals recommend the use of external key management HSMs.

TRANSPARENT DATA ENCRYPTION

Transparent Data Encryption, or TDE, is a part of the Microsoft SQL Server Extensible Key Management system. When implemented, TDE encrypts the entire database table space providing security for the entire database. The key management HSM contains the master key that protects the entire table. Many Microsoft customers prefer the TDE approach to protecting data for several reasons:

• It is easy to implement and does not require modification of the application.

• The key that protects the database never leaves the HSM, providing better security.

• The impact on performance is smaller than other alternatives.

Using TDE with a key management HSM provides customers with comprehensive data protection; it matches the best practice recommendations of security professionals and compliance auditors; performance impacts are minimal; and it is the easiest and least expensive solution to implement.


EXTENSIBLE KEY MANAGEMENT (EKM) AND KEY MANAGER SECURE CONNECTIONS WITH TLS

Key management best practices require that encryption keys be protected at all times and not be exposed to loss as they move from the key server HSM to the SQL Server application.

A good key manager should use authenticated and secure Transport Layer Security (TLS) communications and standard PKI methods to ensure that critical information is protected as it moves to and from the key server. Your organization can use existing PKI infrastructure to create the necessary X.509 certificates and private keys used to protect TLS sessions, or you can use OpenSSL to generate the necessary certificates and keys.

Regardless of the method you use to create the certificates and keys, your key management HSM should always protect encryption keys and sensitive data as it moves between SQL Server and the HSM.

CELL LEVEL ENCRYPTION

Cell Level Encryption, or column encryption, is also a part of the Microsoft SQL Server Extensible Key Management system. When implemented, cell level encryption encrypts a single column of a table. Unlike TDE, the Microsoft developer must implement cell level encryption in their SQL statements. For Microsoft customers and ISVs who have legacy applications that perform encryption, this may be the best way to implement data protection in the SQL Server database.


ENCRYPTION KEY MANAGEMENT FOR IBM i

END OF SUPPORT FOR V5R4

On September 30, 2013, IBM will end support for IBM i V5R4. This decision will force their customers running on V5R4 to upgrade to either V6R1 or V7R1. The most notable difference between V6R1 and V7R1 is the new FIELDPROC exit point capability offered exclusively in V7R1. Short for field procedure, FIELDPROC allows a user to identify all fields they wish to encrypt with a third-party automatic AES encryption solution without making application changes.

IBM i V7R1 and FIELDPROC

The newest version of the IBM i operating system, V7R1, brings sophisticated new security tools from IBM’s larger systems to mid-range markets. These new features allow third-party companies such as Townsend Security to offer NIST-certified automatic AES encryption, so that you can now encrypt your sensitive data without application changes.

Encryption key management used in conjunction with FIELDPROC encryption enables IBM i customers to meet compliance mandates such as PCI-DSS.

Encryption is only half of the solution. Without a comprehensive encryption key management plan, an encryption project is still weak and incomplete.


TOWNSEND SECURITY: DEDICATED TO DATA PRIVACY

Townsend Security has earned the trust of over 3,000 customers worldwide with our easy-to-use, affordable, and comprehensive encryption and key management solutions. With over 20 years of experience in the data security industry, Townsend Security has helped some of the largest enterprises meet their evolving compliance requirements (PCI DSS, HIPAA/HITECH, and others) and mitigate the risk of data breaches and cyber-attacks. Our encryption key management solutions are FIPS 140-2 certified, and our data in motion and data at rest products are certified by NIST.

Townsend Security is committed to both our end-users and partner channel. We provide our partners with Enterprise ready appliances with simplified distribution models that make it easy for OEMs, ISVs, and System Integrators to be successful. Our team is dedicated to providing training, back-end support, and marketing materials to your technical and sales staff and remains accessible long after the training is complete.

Web: www.townsendsecurity.com

Email: [email protected]

Phone: (800) 357-1019 or (360) 359-4400

Twitter: @townsendsecure
