
Key Management Simplified

This document provides an overview of encryption key management. It discusses how encryption keys are the most important part of an encryption strategy and how key management hardware security modules are designed to create and manage encryption keys according to best practices. It also summarizes some of the key sections in the document on best practices, important certifications like FIPS 140-2, and how to meet compliance regulations.

Uploaded by

Manju Devaraj

ENCRYPTION KEY MANAGEMENT SIMPLIFIED

A BEGINNER’S GUIDE TO ENCRYPTION KEY MANAGEMENT

IS THIS eBOOK RIGHT FOR ME?
Not sure if this is the right eBook for you? Check the following qualifications to
make sure this eBook will get you the right information:

• YOUR COMPANY MUST MEET COMPLIANCE REGULATIONS AND PASS DATA SECURITY AUDITS
• YOU ARE STARTING AN ENCRYPTION PROJECT AND WANT TO LEARN MORE ABOUT ENCRYPTION KEY MANAGEMENT
• YOU ARE ALREADY ENCRYPTING BUT ARE NOT SURE IF YOU ARE USING KEY MANAGEMENT BEST PRACTICES
CONTENTS

1 WHAT IS ENCRYPTION KEY MANAGEMENT?
2 KEY MANAGEMENT BEST PRACTICES
3 IMPORTANT CERTIFICATIONS
4 MEET COMPLIANCE REQUIREMENTS
5 KEY MANAGEMENT FOR EVERY PLATFORM
6 ABOUT TOWNSEND SECURITY

WHAT IS ENCRYPTION KEY MANAGEMENT?
The most important part of a data encryption strategy is the protection of the
encryption keys you use. Encryption keys are the real secret that protects your data,
and key management is the special province of security companies who create
encryption key hardware security modules (HSMs) for this purpose. These systems
are a combination of hardware and software specifically designed to create and
manage encryption keys, and to restrict their use to authorized users and
applications. Key management HSMs also incorporate a variety of security
techniques to thwart unauthorized access, report on suspicious system activity, and
mirror critical information to backup servers for high availability.

KEY MANAGEMENT BEST PRACTICES
Because encryption key management is crucial to data protection, the National
Institute of Standards and Technology (NIST) provides guidelines on best practices
for key management and a cryptographic module certification program.

NIST Special Publication SP-800-57 provides recommendations for encryption
key management. Additionally, NIST publishes standards for cryptographic systems
in the Federal Information Processing Standards 140-2 (FIPS 140-2). Key
management vendors can have their solutions certified by NIST to the FIPS 140-2
standard, and this certification is required for Federal agencies.

These best practices are recognized by federal and industry standards as critical
steps to building a strong encryption and key management solution.

1. Dual Control means that no one person should be able to manage
your encryption keys. Creating, distributing, and defining access
controls should require at least two individuals working together to
accomplish the task.

2. Separation of Duties means that different people should control
different aspects of your key management strategy. This is the old
adage “don’t put your eggs in one basket.” The person who creates
and manages the keys should not have access to the data they
protect. And, the person with access to protected data, should not be
able to manage encryption keys.

3. Split Knowledge applies to the manual generation of encryption
keys, or at any point where encryption keys are available in the
clear. More than one person should be required to constitute or
reconstitute a key in this situation.
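
One common way to realise split knowledge is to hand each key custodian an XOR component, so that the key exists only when every component is combined. The sketch below is an added example, not code from this eBook or from Townsend Security; the function names, the three-custodian ceremony and the HMAC-based check value are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def split_key(key: bytes, custodians: int) -> list:
    """Split `key` into XOR components; every component is needed to rebuild it."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    # The first n-1 components are uniformly random; the last is key XOR all of them,
    # so any incomplete set of components is statistically independent of the key.
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for c in components:
        last = bytes(a ^ b for a, b in zip(last, c))
    return components + [last]


def reconstitute(components: list) -> bytes:
    """XOR every custodian's component together to recover the key."""
    if len(components) < 2 or len({len(c) for c in components}) != 1:
        raise ValueError("need two or more components of equal length")
    key = bytes(len(components[0]))
    for c in components:
        key = bytes(a ^ b for a, b in zip(key, c))
    return key


def check_value(key: bytes) -> str:
    """Short fingerprint recorded at the ceremony (assumed scheme: truncated
    HMAC-SHA-256 over a fixed label) so a rebuild can be confirmed without
    anyone reading the key itself."""
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()[:12]


def ceremony(custodians: int = 3) -> dict:
    """Run a constructed key ceremony and report both outcomes."""
    key = secrets.token_bytes(32)          # constructed 256-bit sample key
    recorded = check_value(key)
    parts = split_key(key, custodians)
    rebuilt = reconstitute(parts)
    # One custodian absent: the remaining components combine to an unrelated value.
    partial = reconstitute(parts[:-1]) if custodians > 2 else parts[0]
    return {
        "all_present_ok": hmac.compare_digest(check_value(rebuilt), recorded),
        "one_missing_ok": hmac.compare_digest(check_value(partial), recorded),
    }


if __name__ == "__main__":
    print(ceremony())
```

Because every component is required, this scheme also forces dual control at reconstitution time: losing one component loses the key, so each custodian's component needs its own protected backup.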


Q: WHY IS INTEGRATED KEY MANAGEMENT A BEST PRACTICE ‘RED FLAG’?

‘Integrated key management’ is a term of art that refers to storing an
encryption key on the same platform where the encrypted data is
stored. It is impossible to use key management best practices when
you are storing encryption keys with the encrypted data, and doing this
also makes it impossible to meet some compliance requirements such
as PCI-DSS Section 3. Dual control, separation of duties, and split
knowledge can only be achieved using an external key manager HSM.

Q: WHAT ARE THE PRACTICAL IMPLICATIONS OF THESE BEST PRACTICES AND CORE CONCEPTS?

The practical implications of these best practices fall to the system
administrators. On all major operating systems such as Linux,
Windows, and IBM i (AS/400) there is one individual who has the
authority to manage all processes and files on the system. This is
the Administrator on Windows, the root user on Linux and UNIX,
and the security officer on the IBM i platform. In fact, there are
usually multiple people who have this level of authority.

When there are so many authorized users and no protection of
keys, the data is at a very high risk. That’s why storing encryption
keys on the same system where the protected data resides violates
all of the core principles of data protection, and that’s why we are
seeing auditors and payment networks reject this approach.

IMPORTANT CERTIFICATIONS
The National Institute of Standards and Technology (NIST) issues non-military
government standards for a wide variety of technologies including data encryption
and encryption key management. Because NIST uses an open and professional
process to establish standards, the private sector usually adopts NIST standards
for commercial use. NIST is one of the most trusted sources for technology
standards. You should always look for an encryption and key management
solution that is NIST-certified.

ENCRYPTION CERTIFICATIONS
Established by NIST as the highest standard for
encryption, the most widely accepted cryptographic
standard is the Advanced Encryption Standard (AES).
AES supports nine modes of encryption, and NIST
defines three key sizes for encryption: 128-bit, 192-bit,
and 256-bit keys.

KEY MANAGEMENT CERTIFICATIONS
The highest standard for encryption key management is
the Federal Information Processing Standard (FIPS)
issued by NIST. A key management hardware security
module (HSM) with a FIPS 140-2 certification will offer
the highest level of compliance for your company.

MEET COMPLIANCE REQUIREMENTS

Data security compliance regulations exist in order to protect personal and sensitive
information that businesses handle on a regular basis. Cyber crime and identity theft
are on the rise in today’s electronic world, and these regulations are designed to
help protect consumers against these threats.

Currently, the network of compliance regulations is fragmented across multiple
regulating organizations. Some of them are government based and some are private
industry based. Common regulations that all organizations are likely to run into are:

Payment Card Industry Data Security Standards (PCI DSS)
If you take or process credit card information, you fall under PCI DSS standards. This
means that you must encrypt credit card information when it is at rest or in motion
and protect encryption keys in accordance with Section 3. You also must implement
encryption key management that uses proper dual control and separation of duties.
PCI DSS also requires periodic encryption key rotation.

Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH)
If your company operates in the medical sector—which is any organization defined as
a covered entity within the HIPAA act—you fall under HIPAA/HITECH data security
regulations. The HITECH act of 2009 strengthened HIPAA regulations tremendously by
referring to NIST for encryption standards, best practices of encryption key
management, and the collection of system logs.

Although there is no mandate by HHS and HIPAA/HITECH that you must encrypt
patient information, there is a “back door” mandate that in the event of a data
breach, all covered entities must report the breach to HHS. The only safe harbor from
breach notification and potential fines is to be properly encrypting data.

Gramm-Leach-Bliley Act and Federal Financial Institutions Examination Council (GLBA and FFIEC)
The Gramm-Leach-Bliley Act and Federal Financial Institutions Examination Council
regulate data security in the financial sector. Under these regulations the financial
industry is defined broadly and certainly includes banks, but also covers credit
reporting agencies and other financial institutions. FFIEC is tasked with conducting
audits and making sure banks line up with regulations, which have a strong focus on
protecting consumer information. One statement they make in their documentation is
that effective and proper key management based on industry standards is crucial.

Sarbanes-Oxley (SOX)
Any publicly traded company in the United States falls under SOX regulations. There
has been quite an increase in the focus on data privacy by SOX auditors--particularly
encryption key management and system logging. From the beginning SOX auditors
have held IT departments to high standards in terms of best practices and proper
control of data. This increased focus on data protection has developed within the last
12 months or so. Several of our customers have told us they’ve been penalized for
their insufficient encryption key management strategy by SOX auditors.

Federal and State Laws
Currently 44 out of 50 states have data privacy regulations. Many organizations are
unaware of their own state’s data privacy laws, or assume those laws do not apply to
them, when in fact they almost always do.

Apart from the data security standards listed above, there is currently a proposed
federal privacy law working through Congress. It is safe to assume that a new federal
data privacy law will be enacted soon.

Ultimately, regulations are becoming more stringent, not less. Fines and penalties are
getting steeper, not cheaper. And certifications are becoming more important, not
less important. Even more critical is the fact that these regulators recommend or
require that you use industry standard, NIST and FIPS 140-2 certified key
management and encryption. Without these credentials, your company may not be
compliant.

KEY MANAGEMENT FOR EVERY PLATFORM
Key management is a necessary part of encryption and compliance, and you
should be able to use key management on every platform including multi-platform
environments. Some major platforms including Microsoft SQL Server 2008, SQL
Server 2008 R2, SQL Server 2012, and IBM i V7R1 support easy and automatic
encryption with the ability to use a third-party key manager. Encryption and key
management can also be enabled on Oracle, Linux, DB2, and Windows.

In this section we’ll discuss encryption key management on two popular
platforms: Microsoft SQL Server 2008/2012 and IBM i.

ENCRYPTION KEY MANAGEMENT FOR SQL SERVER 2008/2012
ORGANIZATIONS CONTINUE TO EXPERIENCE DAMAGING LOSSES DUE TO DATA BREACHES.
These losses include legal costs, costs to reimburse customers and employees, lost
stakeholder value, and reduction of goodwill. Estimates of these financial losses range
into the billions of dollars every year. This section highlights excerpts from the White Paper,
ENCRYPTION KEY MANAGEMENT FOR SQL SERVER 2008/2012, and outlines how Microsoft
provides for the encryption of sensitive data in its flagship SQL Server database system.

MICROSOFT SQL SERVER 2008/2012

EXTENSIBLE KEY MANAGEMENT
Recognizing the importance of proper key management for data security, Microsoft
implemented extensible key management (EKM) in SQL Server 2008. EKM is both a
new architecture for encryption key management services, and a new interface
for third party key managers. While EKM provides for local, on-server management of
encryption keys, Microsoft and third party security professionals recommend the use of
external key management HSMs.

TRANSPARENT DATA ENCRYPTION
Transparent Data Encryption, or TDE, is a part of the Microsoft SQL Server Extensible
Key Management system. When implemented, TDE encrypts the entire database table
space providing security for the entire database. The key management HSM contains the
master key that protects the entire table. Many Microsoft customers prefer the TDE
approach to protecting data for several reasons:

• It is easy to implement and does not require modification of the application.
• The key that protects the database never leaves the HSM, providing better security.
• The impact on performance is smaller than other alternatives.

Using TDE with a key management HSM provides customers with comprehensive data
protection; it matches the best practice recommendations of security professionals and
compliance auditors; performance impacts are minimal; and it is the easiest and least
expensive solution to implement.

EXTENSIBLE KEY MANAGEMENT (EKM) AND KEY MANAGER SECURE CONNECTIONS WITH TLS
Key management best practices require that encryption keys be protected at all times
and not be exposed to loss as they move from the key server HSM to the SQL Server
application.

A good key manager should use authenticated and secure Transport Layer Security (TLS)
communications and standard PKI methods to ensure that critical information is
protected as it moves to and from the key server. Your organization can use existing
PKI infrastructure to create the necessary X509 certificate and private keys used to
protect TLS sessions, or you can use OpenSSL to generate the necessary certificates
and keys.

Regardless of the method you use to create the certificates and keys, your key
management HSM should always protect encryption keys and sensitive data as it moves
between SQL Server and the HSM.

CELL LEVEL ENCRYPTION
Cell Level Encryption, or column encryption, is also a part of the Microsoft SQL
Server Extensible Key Management system. When implemented, cell level encryption
encrypts a single column of a table. Unlike TDE, the Microsoft developer must
implement cell level encryption in their SQL statements. For Microsoft customers and
ISVs who have legacy applications that perform encryption, this may be the best way
to implement data protection in the SQL Server database.

ENCRYPTION KEY MANAGEMENT FOR IBM i

END OF SUPPORT FOR V5R4
On September 30, 2013, IBM will end support for IBM i
V5R4. This decision will force their customers running
on V5R4 to upgrade to either V6R1 or V7R1. The most
notable difference between V6R1 and V7R1 is the new
FIELDPROC exit point capability offered exclusively in
V7R1. Short for field procedure, FIELDPROC allows a
user to identify all fields they wish to encrypt with a
third-party automatic AES encryption solution without
making application changes.

IBM i V7R1 and FIELDPROC
The newest version of the IBM i operating system,
V7R1, brings sophisticated new security tools from
IBM’s larger systems to mid-range markets. These new
features allow third-party companies such as
Townsend Security to offer NIST-certified automatic
AES encryption, so that you can now encrypt your
sensitive data without application changes.
Encryption key management used in conjunction with
FIELDPROC encryption enables IBM i customers to meet
compliance mandates such as PCI-DSS.

Encryption is only half of the solution. Without a
comprehensive encryption key management plan, an
encryption project is still weak and incomplete.

TOWNSEND SECURITY:
DEDICATED TO DATA PRIVACY

Townsend Security has earned the trust of over 3,000 customers worldwide with our easy-
to-use, affordable, and comprehensive encryption and key management solutions. With over
20 years of experience in the data security industry, Townsend Security has helped some of
the largest enterprises meet their evolving compliance requirements (PCI DSS,
HIPAA/HITECH, and others) and mitigate the risk of data breaches and cyber-attacks.

Our encryption key management solutions are FIPS 140-2 certified, and our data in motion
and data at rest products are certified by NIST.

Townsend Security is committed to both our end-users and partner channel. We provide our
partners with Enterprise ready appliances with simplified distribution models that make it
easy for OEMs, ISVs, and System Integrators to be successful. Our team is dedicated to
providing training, back-end support, and marketing materials to your technical and sales
staff and remains accessible long after the training is complete.

Web: www.townsendsecurity.com
Email: [email protected]
Phone: (800) 357-1019 or (360) 359-4400
Twitter: @townsendsecure
