Ebook: The Encryption Guide

ENCRYPTION GUIDE
Most high profile data breaches result in a lot of finger pointing with little discussion about what actually went wrong, and how other companies can prevent suffering a similar fate. Unfortunately, it is often revealed that some of the largest data breaches could have been prevented had the organization used proper encryption and encryption key management where it was needed.

Unencrypted sensitive data is a dangerous reality for most businesses. It's an issue complicated by the fact that sensitive data is typically processed and stored in many disparate, fragmented locations, so that administrators and business leaders alike aren't certain where their data is, whether they're handling unknown sensitive data, which data should be encrypted, or whether their data is being encrypted at all.

In this eBook, designed for IT professionals and executives, we will discuss how critical encryption is to your business continuity, how a solid encryption plan can help protect your business in the event of a data breach, and encryption best practices that will ensure your data security plan is effective and defensible, and keep you and your customers safe.

While encryption is only a component of a holistic security solution that should also include people, process, and other technologies, it is a mission critical component of that solution.

THE ENCRYPTION COMPANY
What is Encryption?
A Non-Technical Overview
With the ongoing increase in corporate data breaches and identity theft, many
businesses choose to encrypt sensitive data primarily in order to help protect
themselves in the event of a breach. This strategy often helps a company meet or
exceed compliance regulations as well.
Many organizations decide to encrypt sensitive data because their industry requires
it, or because they have recently failed a security audit and must comply within a set
timeframe. When deciding to encrypt sensitive data you must first ask yourself these
questions:
• Where is my data located?
• Which industry regulations do I fall under?
• What do those regulations say about data security and encryption?
The regulations outlined below are the most common industry data security regulations. All of them call for encryption to protect customer and consumer data.

PCI DSS: If you take or process credit card information, you fall under the PCI DSS standard. This means that you must render stored cardholder data unreadable (encryption is the usual choice), encrypt it when it is transmitted over open, public networks, and protect the encryption keys, as set out in PCI DSS Requirements 3 and 4.
GLBA-FFIEC: The Gramm-Leach-Bliley Act and the Federal Financial Institutions Examination Council regulate data security in the financial sector. Under these regulations the financial industry is defined broadly and includes banks, credit unions, trust companies, insurance companies, and brokerage firms, but also covers credit reporting agencies and other financial institutions.
Know What to Encrypt
Each regulation mentioned in the previous section outlines the types of data that need to be encrypted. In general, the data that needs to be encrypted is personally identifiable information (PII): financial, cardholder, or health information tied to an identifiable person, and often information that can be used to commit theft or fraud. With the vast amount of personal information collected by credit card, health, financial, and commerce organizations, information such as email addresses, usernames, and passwords is now considered PII by some regulations and state data privacy laws, and must also be protected (passwords in particular should be stored only as salted hashes, never in a reversibly encrypted form).
Knowing what regulations your organization falls under will tell you what you should encrypt.
PCI DSS: Primary Account Numbers (PAN).
HIPAA/HITECH: Health organizations and their business associates should protect Protected Health Information (PHI) as defined by the latest HIPAA/HITECH Act rules. This includes personally identifiable information (PII) as well as patient treatment information.
Federal & State Laws: Many states require breach notification if an individual's first name (or first initial) and last name are exposed in conjunction with their social security number, health information, or cardholder information, and neither piece of data is encrypted. Breach notification is also required if an individual's email address is exposed in conjunction with a password or security question, and this data is unencrypted.
Know Where to Encrypt
Locating sensitive data is a critical first step to creating a holistic security solution. Many IT administrators know that this step can be the most difficult, especially in larger enterprises where each department uses different methods and means of handling and storing data. Luckily, solutions exist today that centralize the encryption process across the company in a consistent and affordable way, regardless of where the data is located.
[Figure: places where sensitive data resides, including HSM, Hyper-V, IBM Power Systems, etc.]
Encryption Best Practices
A successful encryption solution relies on how well you implement best practices around people, process, and technology. A poorly executed encryption project can leave you vulnerable. The encryption solutions that tend to fail are do-it-yourself or "in-house" encryption projects that cut corners, have no certifications, fail to encrypt all sensitive data, and fail to protect encryption keys. In a study of its validation program, NIST found that nearly 50 percent of software vendors had errors in their encryption implementations. It isn't easy to get encryption right. A NIST validation certificate is your assurance that an AES implementation has been tested to produce the correct results, every time.
In order to have a successful encryption solution you must use industry standard encryption methodologies and encryption key management, use NIST validated solutions, and follow administrative and technological best practices such as dual control and separation of duties. Here's why:
Standards-Based Encryption
Selecting the right encryption technology to protect data at rest is important. Some encryption technologies, such as DES, no longer provide enough security now that computers have become so powerful. Other encryption technologies are still secure today but will soon not meet the minimum requirement for security because of technological advancements; Triple DES falls into this category, and NIST has deprecated it for encrypting new data. Still other encryption technologies are secure but do not satisfy federal and international standards; Twofish and Blowfish are examples of this type of encryption technology.

One encryption technology meets all of the requirements for strength, longevity, and regulatory approval: the Advanced Encryption Standard (AES). AES has been adopted by the federal government as an approved encryption technology under the
FIPS-197 standard. AES is accepted under Health Insurance Portability and Accountability Act (HIPAA) security guidance, and is accepted by all major credit card brands for data security, including Visa, Mastercard, Discover, American Express, JCB, and others. AES has also been incorporated into Pretty Good Privacy (PGP) encryption, which is used by banks, insurance companies, benefits providers, and most major financial institutions for securing files in motion.
Selecting a data security solution based on AES is a safe and wise decision. It provides strong encryption security, the broadest regulatory coverage, and the best position for future development.
The protection of encryption keys, also called encryption key management, is critical to successful encryption. In fact, it is so crucial that most industry compliance regulations require or strongly recommend the use of an encryption key manager.

When you encrypt sensitive data with a symmetric cipher such as AES, a key is used to "lock" the data on encryption, and the same key is needed to "unlock" it on decryption by authorized users. If that key is stored on the same server as your encrypted data, then any hacker or malicious intruder who compromises that server will be able to decrypt and access plaintext data, resulting in a data breach. To prevent this you must store encryption keys in a separate location, away from the encrypted data, in a hardware security module (HSM), virtual appliance, or cloud key manager: dedicated key servers that store and manage encryption keys for data in databases, virtual systems, or the cloud. Access to those keys should itself be authenticated and logged, so that a stolen database or backup is useless without the key server.
Encryption Key Management
Not protecting your encryption keys is a lot like leaving your house in the morning and taping your key to the front door. It would be easy to find your key there, but you're practically inviting an unwanted intruder.
Certifications
Using NIST validated AES encryption and FIPS 140-2 validated key management is critical to ensuring that your security solution will stand up to scrutiny in the event of a data breach. These certifications are difficult to acquire and are only given to encryption and key management systems that have been heavily tested against government standards. Using trusted third-party systems is typically the easiest way to acquire and implement this technology. Many industry regulations require that your security solutions have these certifications.

NIST Validated AES Encryption - The National Institute of Standards and Technology (NIST) established AES as the federal standard for encryption in 2001 (FIPS 197). NIST defines three key sizes, 128-bit, 192-bit, and 256-bit, and approves a number of modes of operation for AES (such as CBC, CTR, and the authenticated mode GCM). The mode matters as much as the key size: ECB mode, for instance, leaks patterns in the plaintext and should not be used for data records. Any encryption that you use to protect data at rest should be standard AES. When encrypting data in motion, use industry standard encryption such as TLS for connections or PGP for files.

FIPS 140-2 Compliant Key Management - The standard for cryptographic modules, including encryption key managers, is the Federal Information Processing Standard (FIPS) 140-2 issued by NIST; it has since been succeeded by FIPS 140-3, against which new modules are now validated. A key management hardware security module (HSM) with NIST FIPS 140-2 validation will offer the highest level of security for your company. Note the difference between "compliant" and "validated": "compliant" is a vendor's own description, while "validated" means the module appears on NIST's Cryptographic Module Validation Program list, and that is the claim auditors look for.
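As an added example (not code from the original guide or from Townsend Security), the following Go program shows the two points made above: the key-separation rule from the Encryption Best Practices section, and the AES-256 key size and authenticated GCM mode from the Certifications section. A record field is encrypted with a fresh per-record data encryption key (DEK); the DEK is wrapped by a key encryption key (KEK) that lives only inside a stand-in key manager; the database holds just the ciphertext and the wrapped DEK, so a copy of the database decrypts nothing without the key manager. The KeyManager type, EncryptField, DecryptField and the test card number are assumptions made for this example, not any vendor's product or API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM AEAD for a 16-, 24- or 32-byte key (AES-128/192/256).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce and returns nonce||ciphertext||tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key is wrong or the blob was tampered with.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// KeyManager stands in for a separate key server (HSM, virtual appliance or cloud
// key manager): it holds the KEK and only exposes wrap/unwrap, never the KEK itself.
// This is an assumed design for the example, not a particular product.
type KeyManager struct{ kek []byte }

func NewKeyManager() (*KeyManager, error) {
	kek := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyManager{kek: kek}, nil
}

func (km *KeyManager) WrapDEK(dek []byte) ([]byte, error) { return seal(km.kek, dek, []byte("dek")) }
func (km *KeyManager) UnwrapDEK(w []byte) ([]byte, error) { return open(km.kek, w, []byte("dek")) }

// Record is what the database server holds: ciphertext plus the wrapped DEK.
type Record struct{ WrappedDEK, Ciphertext []byte }

// EncryptField encrypts one field under a fresh DEK, wraps the DEK with the key
// manager, and zeroes the plaintext DEK so it never persists beside the data.
func EncryptField(km *KeyManager, plaintext []byte) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := km.WrapDEK(dek)
	if err != nil {
		return nil, err
	}
	for i := range dek {
		dek[i] = 0
	}
	return &Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptField needs the key manager to unwrap the DEK before it can open the field.
func DecryptField(km *KeyManager, rec *Record) ([]byte, error) {
	dek, err := km.UnwrapDEK(rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext, nil)
}

func main() {
	km, _ := NewKeyManager()
	rec, _ := EncryptField(km, []byte("4111111111111111")) // constructed test number, not a real card
	got, _ := DecryptField(km, rec)
	fmt.Println("decrypted with the right key manager:", string(got))
	stolen, _ := NewKeyManager() // a copied database paired with any other KEK
	_, err := DecryptField(stolen, rec)
	fmt.Println("decrypted without the key manager:", err)
}
```

The "dek" label passed as associated data binds the wrapped key to its purpose, and GCM's authentication tag means a wrong KEK or a modified record is rejected outright rather than yielding garbage plaintext. In a real deployment the KeyManager would be a network service with its own authentication and audit log, and the KEK would never be in the same process as the database.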
About Townsend Security
customers meet evolving compliance requirements and protect sensitive information.

Web: www.townsendsecurity.com/partners
Email: [email protected]
Phone: (800) 357-1019 or (360) 359-4400
Twitter: @townsendsecure