VMware, SQL Server and Encrypting Private Data Townsend Security

Similar documents
VMware, SQL Server and Encrypting Private Data Townsend Security

Alliance Key Manager A Solution Brief for Technical Implementers

Alliance Key Manager A Solution Brief for Partners & Integrators

Sensitive Data and Key Management for DBAs

Alliance Key Manager AKM for AWS Quick Start Guide. Software version: Documentation version:

Dyadic Security Enterprise Key Management

Who s Protecting Your Keys? August 2018

SafeNet ProtectApp APPLICATION-LEVEL ENCRYPTION

Townsend Security Addendum to VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.

Dyadic Enterprise. Unbound Key Control For Azure Marketplace. The Secure-As-Hardware Software With a Mathematical Proof

Virtual Machine Encryption Security & Compliance in the Cloud

PCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security

Azure SQL Database Basics

Security & Compliance in the AWS Cloud. Vijay Rangarajan Senior Cloud Architect, ASEAN Amazon Web

Managing Your Privileged Identities: The Choke Point of Advanced Attacks

MySQL Enterprise Security

Channel FAQ: Smartcrypt Appliances

Key Management in a System z Enterprise

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

Crypto-Options on AWS. Bertram Dorn Specialized Solutions Architect Security/Compliance Network/Databases Amazon Web Services Germany GmbH

Simplifying Security for IBM i and IBM Security QRadar

Vormetric Data Security

HOW SNOWFLAKE SETS THE STANDARD WHITEPAPER

Security & Compliance in the AWS Cloud. Amazon Web Services

ADDRESSING PCI DSS 3.0 REQUIREMENTS WITH THE VORMETRIC DATA SECURITY PLATFORM

Is Your Compliance Strategy Putting Your Business at Risk?

Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control

Encryption In The Enterprise

CRYPTTECH. Cost-effective log management for security and forensic analysis, ensuring compliance with mandates and storage regulations

PCI DSS Compliance. White Paper Parallels Remote Application Server

Mitigating Risks with Cloud Computing Dan Reis

Cloud Computing, SaaS and Outsourcing

The Nasuni Security Model

FIPS Non-Proprietary Security Policy

Adding value to your MS customers

Data Security: Public Contracts and the Cloud

APPLICATION & INFRASTRUCTURE SECURITY CONTROLS

Security Camp 2016 Cloud Security. August 18, 2016

Get the Most Out of GoAnywhere: Achieving Cloud File Transfers and Integrations

Unbound and Oasis KMIP Interoperability

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

PCI Compliance Whitepaper

McAfee Database Security

SQL Server SQL Server 2008 and 2008 R2. SQL Server SQL Server 2014 Currently supporting all versions July 9, 2019 July 9, 2024

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Securing Mainframe File Transfers and TN3270

PCI Compliance Whitepaper

AXIAD IDS CLOUD SOLUTION. Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Watson Developer Cloud Security Overview

Oracle Advanced Security Transparent Data Encryption (TDE)

HARDWARE SECURITY MODULES (HSMs)

Compliance of Panda Products with General Data Protection Regulation (GDPR) Panda Security

Compliance with CloudCheckr

Auditing the Cloud. Paul Engle CISA, CIA

Building a Secure and Compliant Cloud Infrastructure. Ben Goodman Principal Strategist, Identity, Compliance and Security Novell, Inc.

Morgan Independent Software Vendor Lead

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Layer Security White Paper

Axway Validation Authority Suite

Secured by RSA Implementation Guide. Last Modified: August 2, 2013

Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) Evaluation Vendor Questionnaire Version 2.

AWS Webinar. Navigating GDPR Compliance on AWS. Christian Hesse Amazon Web Services

Document Title: IT Security Assessment Questionnaire

TRACKVIA SECURITY OVERVIEW

Protecting Your Data With Encryption

BeOn Security Cybersecurity for Critical Communications Systems

Compliance & Security in Azure. April 21, 2018

Securing Data-at-Rest

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

Cloud Customer Architecture for Securing Workloads on Cloud Services

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

AWS Administration. Suggested Pre-requisites Basic IT Knowledge

Data Security Overview

Canadian Access Federation: Trust Assertion Document (TAD)

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

Compliance with NIST

SQL Compliance Whitepaper HOW COMPLIANCE IMPACTS BACKUP STRATEGY

Protegrity Vaultless Tokenization

Enhanced Privacy ID (EPID), 156

Vaultive and SafeNet KeySecure KMIP Integration Guide v1.0. September 2016

Contents. Notices Terms and conditions for product documentation.. 45 Trademarks Index iii

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Security by Design Running Compliant workloads in AWS

Protecting Your Data in the Cloud. Ulf Mattsson Chief Technology Officer ulf.mattsson [at] protegrity.com

Multi-Vendor Key Management with KMIP

TransKrypt Security Server

Data Encryption for VMware vcloud Hybrid Service

Secure Government Computing Initiatives & SecureZIP

Netwrix Auditor Competitive Checklist

INFO-H-415 Project Overview- Security Database and SQL Server

Vormetric Data Security Platform

Dealing with Risk and Compliance to secure your growth 16th May 2018

A broad set of policies, technologies, and controls deployed to protect data, applications, and infrastructure

White Paper. Deploying CKMS Within a Business

You Might Know Us As. Copyright 2016 TierPoint, LLC. All rights reserved.

Oracle Payment Interface Token Proxy Service Security Guide Release 6.1 E November 2017

AES Encryption Strategies

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

Transcription:

VMware, SQL Server and Encrypting Private Data Townsend Security 724 Columbia Street NW, Suite 400 Olympia, WA 98501 360.359.4400

Today s Agenda! Compliance, standards, and best practices! Encryption and key management! Encrypting Data on SQL Server! Alliance Key Manager! What s new from Microsoft?

What is Considered Sensitive Data? Attackers are great aggregators. Losing a little PII can mean big losses for consumers and customers.! Email address! Social security number / Tax ID! Password! ZIP code! Health information! Credit card number! And much more!

Compliance Regulations Drive Encryption Your customers expect you to protect their data. Government and industry created regulations require you to protect personal data.! State and proposed Federal Privacy Notification laws! PCI Data Security Standard (PCI DSS) for Merchants and Acquirers! HIPAA Data Security and HITECH ACT of 2009 for medical providers! GLBA / FFIEC for the financial industry! FISMA for US Government agencies! Federal Trade Commission (FTC) enforcement

What Encryption Should I Use?! Use AES, RSA, Triple DES, or other standard methods! Beware of non-standard encryption! Example: Homomorphic encryption! Has not received wide review and acceptance! Cannot be certified by a standards body! Cannot achieve FIPS 140-2 validation! Compliance regulations prohibit its use The best encryption algorithms are open, vetted, and independently reviewed like AES which means NIST certified

Impacts of Encryption Performance Expect a 2-4% overhead Backup and Restore Operations Can take longer as information is encrypted and compression is less effective High Availability In the event of an interruption, you need to easily restore your keys from a backup key management solution

Why is Key Management Important?! Encryption keys are THE secret that must be protected (not the algorithm)! There are industry standards and best practices for key management (NIST)! Compliance regulations (PCI, HIPAA, etc.) require proper key management! Separate encryption control and ownership from the cloud provider

Benefits of Encryption Key Management * Global Encryption Trends

Key Management Standards NIST & KMIP! NIST Special Publication SP 800-57 Best Practices for Key Management! NIST FIPS 140-2 for certification! Key Management Interoperability Protocol (KMIP)! This is a wire protocol using SSL/TLS! OASIS standards group! Version 1.3 is complete KMIP! Base support with optional profiles! Now prevails over IEEE 1619.3, etc.

Key Management Best Practices Dual Control - Two or more people control a single procedure Separation of Duties - Different people control different procedures so that no one person controls multiple procedures Split Knowledge - Prevents any one person from knowing the complete value of an encryption key or passcode

Key Management Server & Key Retrieval TLS SECURE Key Server SQL Server Secure Key Database Logs & Audits

Key Server - Creating and Storing Keys! Creating strong Data Encryption Keys (DEK)! Creating strong Key Encryption Keys (KEK)! Defining crypto-periods for DEK, KEK! Keys have attributes

Creating Strong Symmetric Keys! Cryptographically secure pseudo random number generator! CS-PRNG! NEVER use passwords as keys

Secure Key Storage for Data Encryption Keys! Confidentiality and integrity! Separation of keys from protected data! Use of a Master Key Encryption Key (KEK)! Storage in hardware device or HSM! Defined crypto-periods for KEK, DEK! NIST defines best practices and standards

Key Attributes Name, version, activation date, expiration date, uses (signing, encryption, etc.), status, rollover, interval, integrity information, user data, etc. Order Key Active Expires 10/10/2014 Rollover Every 90 Days

Distributing Keys! Isolate keys from protected data! Secure encrypted retrieval with TLS 1.2! Wire vs. API implementation! Mutually authenticated retrieval! Client platform support! Import & export - Interoperability

Access Controls! End-point authentication! User authentication! Group or role-based controls! Access audit

Key Access and Business Recovery! Backup and recovery! High Availability! Backup on schedule! Secure transfer of DEK and KEK! Backup and restore audit

Systems Management! Server management separate from key management! Network configuration (address, gateway)! Server security (users, passwords, firewall, )! Problem collection and reporting! System logging and log rotation! System date/time management

Log Collection and Audit! Collect logs and transmit to log collection server or SIEM solution! System logs and configuration changes! Key retrieval audit logs! Key manage activity! Log rotation and compression <34> May 10 22:10:13 KeyServer retrieve: key <ORDERS> retrieved by user <Bill> from source IP <10.0.1.10>

Barriers to Deploying Encryption & Key Management Why Projects Can Be Hard! Complicated projects that require outside consultants and a lot of time! Vendor sample code missing or poor quality! Lacking in client-side applications! Complex evaluation procedures! Complex and hard to predict licensing

Encryption and Key Management in VMware Challenges, Best Practices & What to Know:! VMware is NOT responsible for YOUR breach! VMware segmentation (managing multi-tenancy)! Business recovery Production and High Availability! Backup and restore! Hybrid environments more the rule than the exception! VMware has reference architectures very helpful!

Alliance Key Manager Available Platforms Support for every platform with a common interface! Hardware Security Module (HSM)! Cloud HSM! Virtual Machine VMware! Cloud VM AWS (AMI), Azure, IBM Cloud, vcloud Microsoft Azure

Alliance Key Manager: System Capabilities Secure key storage Secure key retrieval Access controls for users and groups In-depth system logging Full-function audit trails Key import and export abilities Secure console administration Dual control capability Separation of duties enforcement Robust metadata capability

Encryption as a Service! Use NIST-compliant AES encryption! Encryption key never leaves the server! Use cases: web applications, cloud applications, kiosks

Alliance Key Manager: Ready to Use! Creates Certificate Authority unique to you! Creates Web server certificates and private keys unique to you! Creates a set of encryption keys unique to you! Creates client-side certificates and private keys unique to you A fully functional key management solution ready to use in SECONDS!

Alliance Key Manager for VMware! Same FIPS 140-2 compliant technology as in HSM! Lower operational costs and IT footprint! Accelerate deployment of missions critical security technology! Supports VMware ESXi, vsphere, and vcloud! VMware Technology Alliance Partner (TAP)

Alliance Key Manager HSM Hardware Security Module! FIPS 140-2 compliant! Full life-cycle management of encryption keys! For enterprises who want a redundant hardware, tamper evident HSM

Alliance Key Manager Cloud HSM: More Secure, Less Risk! Same security as an HSM, but in the cloud! You hold your keys independent of cloud provider! Data flows bi-directionally from Cloud HSM to cloud provider! Retain control of of key generation and distribution! Not a shared resource (no multi-tenancy)

Alliance Key Manager in the Cloud! Same FIPS 140-2 compliant technology as in HSM! Key management in public or virtual private clouds (VPC)! Supports all IaaS and PaaS application environments Microsoft Azure

A Hybrid Approach?! HSM provides keys to cloud! Cloud VM mirrors to HSM! HSM mirrors to VMware! Always have physical access to your keys

Alliance Key Manager for SQL Server Enterprise Edition Encryption and key management with no programming! Easily integrates with Microsoft SQL Server! Supports TDE & EKM! Supports Cell Level Encryption

Activating the EKM Key Protection is Easy: use master; create asymmetric key rsa_key_1 from provider KeyConnection with provider_key_name = 'RSA-KEY-1', creation_disposition = open_existing; use cartagena; create database encryption key with algorithm = AES_256 encryption by server asymmetric key rsa_key_1; alter database cartagena set encryption on;

Alliance Key Manager for SQL Server Standard & Web Editions No EKM, No Problem! Software libraries for.net applications! Supports CLR implementation! Ideal for Standard and Web Editions! Partnering with NetLib for folder/tde approach

Automated Encryption Using C# using System; using System.Collections.Generic; using System.Linq; using System.Security.Cryptography; using System.Text; using Microsoft.SqlServer.Server; using Townsend.Alliance; public class EncryptDecryptUdf { #region Public Methods and Operators // The SqlFacet attribute defines these as varbinary(max) for data up to 2^31-1 bytes long. ADD Alliance Key Manager Client Assembly DLL Insert call to: Retrieve a key On-board encryption module.cs

Alliance Key Manager for Your Applications SDKs and Sample Source Code for Developers Binary key retrieval and encryption libraries are provided for all major operating systems! Java! Microsoft.NET (C#)! C/C++! Perl, Python, Ruby, PHP! Oracle PL/SQL! RPG/COBOL

What s new from Microsoft?! SQL Server 2016 EKM Provider architecture lives on! Always Encrypted SQS 2016 client-side implementation! Positioned as cloud protection! On-going improvements in Azure / SQL Server security! SQL Server Integration Services (SSIS) enhancements

Any Questions About VMware, SQL Server and Encryption Key Management? > Secure Keys. Meet Compliance Requirements. Securely manage keys for data encrypted on ANY platform: Windows Linux, UNIX, IBM i, IBM z FIPS 140-2 compliance Low cost. Comprehensive solution. Contact Townsend Security: patrick.townsend@townsendsecurity.com 800.357.1019

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback