VMware, SQL Server and Encrypting Private Data

Presentation transcript:

VMware, SQL Server and Encrypting Private Data
PNW SQL Server User Group
Townsend Security
724 Columbia Street NW, Suite 400 | Olympia, WA 98501 | 360.359.4400 | www.townsendsecurity.com

Today's Agenda
- What's new from Microsoft?
- Compliance, standards, and best practices
- Encryption and key management
- Encrypting data on SQL Server
- Alliance Key Manager

What's new from Microsoft
- SQL Server 2016: Always Encrypted
- Azure SQL Server TDE
- Dynamic Data Masking (code changes)
- Row and Column level security (playing catch-up)
- Azure Resource Manager (ARM)

What is Considered Sensitive Data?
Attackers are great aggregators: losing a little PII can mean big losses for consumers and customers.
- Email address
- Social security number / Tax ID
- Password
- ZIP code
- Health information
- Credit card number
- And much more!

Compliance Regulations Drive Encryption
Your customers expect you to protect their data. Government- and industry-created regulations require you to protect personal data.
- State and proposed Federal Privacy Notification laws
- PCI Data Security Standard (PCI DSS) for Merchants and Acquirers
- HIPAA Data Security and the HITECH Act of 2009 for medical providers
- GLBA / FFIEC for the financial industry
- FISMA for US Government agencies
- Federal Trade Commission (FTC) enforcement

What Encryption Should I Use?
- Use AES, RSA, Triple DES, or other standard methods
- Beware of non-standard encryption. Example: homomorphic encryption
  - Has not received wide review and acceptance
  - Cannot be certified by a standards body
  - Cannot achieve FIPS 140-2 validation
  - Compliance regulations prohibit its use
- The best encryption algorithms are open, vetted, and independently reviewed like AES, which means NIST certified

Impacts of Encryption
- Performance: expect a 2-4% overhead
- Backup and Restore Operations: can take longer, as information is encrypted and compression is less effective
- High Availability: in the event of an interruption, you need to easily restore your keys from a backup key management solution

Why is Key Management Important?
- Encryption keys are THE secret that must be protected (not the algorithm)
- There are industry standards and best practices for key management (NIST)
- Compliance regulations (PCI, HIPAA, etc.) require proper key management
- Separate encryption control and ownership from the cloud provider

Benefits of Encryption Key Management (chart not reproduced in the transcript; source: Global Encryption Trends)

Key Management Standards – NIST & KMIP
- NIST Special Publication SP 800-57: Best Practices for Key Management
- NIST FIPS 140-2 for certification
- Key Management Interoperability Protocol (KMIP)
  - This is a "wire" protocol using SSL/TLS
  - OASIS standards group
  - Version 1.3 is complete
  - Base support with optional profiles
  - Now prevails over IEEE 1619.3, etc.

Key Management Best Practices
- Dual Control: two or more people control a single procedure
- Separation of Duties: different people control different procedures so that no one person controls multiple procedures
- Split Knowledge: prevents any one person from knowing the complete value of an encryption key or passcode
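
The three practices on this slide, worked through in Python as an added example (this is not Townsend Security code and not part of the original deck). Split knowledge is shown as XOR key shares, where every custodian's share is needed and no single share says anything about the key; separation of duties as a role table; dual control as a procedure that refuses to run until two distinct, authorized custodians have approved. The user names, the role table and the function names are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# --- Split knowledge ----------------------------------------------------------
# The key is split into n XOR shares. Rebuilding it needs every share, and any
# n-1 shares are uniformly random, so a custodian learns nothing from their own.

def split_key(key: bytes, custodians: int) -> List[bytes]:
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    shares = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = bytes(key)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)          # last share = key XOR all the random shares
    return shares


def combine_shares(shares: List[bytes]) -> bytes:
    key = bytes(len(shares[0]))  # all zeros
    for share in shares:
        key = bytes(a ^ b for a, b in zip(key, share))
    return key


# --- Separation of duties -----------------------------------------------------
# Each procedure belongs to one role; a person holding one role cannot take part
# in the other role's procedures. Both tables are constructed for this example.
ROLE_OF_USER: Dict[str, str] = {"alice": "key_custodian", "bob": "key_custodian", "carol": "auditor"}
ROLE_FOR_PROCEDURE: Dict[str, str] = {"load_master_key": "key_custodian", "review_audit_log": "auditor"}


def may_perform(user: str, procedure: str) -> bool:
    return ROLE_OF_USER.get(user) == ROLE_FOR_PROCEDURE.get(procedure)


# --- Dual control -------------------------------------------------------------
class DualControlError(Exception):
    pass


@dataclass
class ControlledProcedure:
    """A privileged procedure that runs only after two distinct, authorized custodians approve."""
    name: str
    required_approvers: int = 2
    approvals: Set[str] = field(default_factory=set)

    def approve(self, user: str) -> None:
        if not may_perform(user, self.name):
            raise PermissionError(f"{user} is not allowed to take part in {self.name}")
        self.approvals.add(user)  # a set: the same person approving twice still counts once

    def run(self, action: Callable[[], bytes]) -> bytes:
        if len(self.approvals) < self.required_approvers:
            raise DualControlError(
                f"{self.name} needs {self.required_approvers} approvers, has {len(self.approvals)}")
        return action()


def load_master_key(shares: List[bytes]) -> bytes:
    """Worked ceremony: two custodians approve, then the shares are combined.
    Returns the reconstructed key (a real server would load it straight into the HSM)."""
    ceremony = ControlledProcedure("load_master_key")
    ceremony.approve("alice")
    ceremony.approve("bob")
    return ceremony.run(lambda: combine_shares(shares))
```

The XOR scheme is all-or-nothing (every share is required), which is what a master-key load ceremony usually wants; a threshold scheme would be the choice where any k of n custodians should suffice.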

Key Management Server & Key Retrieval (diagram: SQL Server retrieves keys from the Key Server over a secure TLS connection; the Key Server holds the secure key database and the logs & audits)

Key Server - Creating and Storing Keys
- Creating strong Data Encryption Keys (DEK)
- Creating strong Key Encryption Keys (KEK)
- Defining crypto-periods for DEK, KEK
- Keys have attributes

Creating Strong Symmetric Keys
- Use a cryptographically secure pseudo-random number generator (CS-PRNG)
- NEVER use passwords as keys

Secure Key Storage for Data Encryption Keys
- Confidentiality and integrity
- Separation of keys from protected data
- Use of a Master Key Encryption Key (KEK)
- Storage in hardware device or HSM
- Defined crypto-periods for KEK, DEK
- NIST defines best practices and standards

Key Attributes
Name, version, activation date, expiration date, uses (signing, encryption, etc.), status, rollover, interval, integrity information, user data, etc.
Example: Order Key | Expires 10/10/2014 | Rollover Every 90 Days | Active
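
The four preceding slides (creating DEKs and KEKs from a CS-PRNG, storing only KEK-wrapped DEKs, crypto-periods, and key attributes) worked through in Python as an added example; this is not Alliance Key Manager code. So that it runs with only the standard library, the AES key wrap a real key server would use is replaced by an HMAC-SHA256 keystream plus an HMAC tag, clearly a stand-in. The KeyRecord fields, the function names, and the 2014-07-12 activation date (90 days before the slide's 10/10/2014 expiry) are assumptions made here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Tuple

KEY_BYTES = 32  # 256-bit symmetric key


def generate_key() -> bytes:
    # secrets draws from the OS CSPRNG; a data key is never derived from a password.
    return secrets.token_bytes(KEY_BYTES)


# --- KEK wrapping of a DEK (stand-in cipher) ---------------------------------
# Stand-in for AES key wrap: an HMAC-SHA256 keystream and an HMAC tag, with separate
# encryption and MAC subkeys derived from the KEK. Only the wrapped form is stored.
def _subkeys(kek: bytes) -> Tuple[bytes, bytes]:
    enc = hmac.new(kek, b"wrap-enc", hashlib.sha256).digest()
    mac = hmac.new(kek, b"wrap-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, dek: bytes) -> bytes:
    enc_key, mac_key = _subkeys(kek)
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(dek, _keystream(enc_key, nonce, len(dek))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag  # 16 + len(dek) + 32 bytes


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(kek)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed its integrity check")  # wrong KEK or tampering
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


# --- Key record with attributes and a crypto-period ---------------------------
@dataclass(frozen=True)
class KeyRecord:
    name: str
    version: int
    activation: date
    expiration: date
    rollover_days: int
    uses: Tuple[str, ...]
    wrapped_dek: bytes  # the DEK exists in the clear only transiently, inside unwrap_key

    def state_on(self, today: date) -> str:
        if today < self.activation:
            return "Pre-activation"
        if today >= self.expiration:
            return "Deactivated"  # retained to decrypt old data, never used for new encryption
        return "Active"

    def rollover_due(self, today: date) -> bool:
        return (today - self.activation).days >= self.rollover_days


def create_key(name: str, kek: bytes, activation: date, rollover_days: int,
               uses=("encryption",), version: int = 1) -> KeyRecord:
    return KeyRecord(name, version, activation, activation + timedelta(days=rollover_days),
                     rollover_days, tuple(uses), wrap_key(kek, generate_key()))


def rollover(record: KeyRecord, kek: bytes, today: date) -> KeyRecord:
    """New version with fresh material from the CS-PRNG; the old record is kept for decryption."""
    return create_key(record.name, kek, today, record.rollover_days, record.uses, record.version + 1)


# The slide's example: the ORDERS key expires 10/10/2014 and rolls over every 90 days,
# so (constructed here) it was activated 90 days earlier, on 2014-07-12.
KEK = generate_key()
ORDERS_V1 = create_key("ORDERS", KEK, date(2014, 7, 12), 90)
```

In a product the wrap step runs inside the HSM with a standard key-wrap mode (NIST SP 800-38F) and the KEK never leaves it; the record layout above is only meant to show which attributes drive the state and rollover decisions.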


Distributing Keys
- Isolate keys from protected data
- Secure encrypted retrieval with TLS 1.2
- Wire vs. API implementation
- Mutually authenticated retrieval
- Client platform support
- Import & export: interoperability
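
The retrieval settings this slide calls for (TLS 1.2 at minimum, the server's certificate verified, and the client presenting its own certificate so the retrieval is mutually authenticated), shown as an added example with Python's standard `ssl` module beside the weak configuration that disables verification. This is not Townsend Security code; the certificate and key file paths are hypothetical parameters and are only loaded when supplied, and `audit_context` is a small check written here to catch the weak settings.

```python
import ssl
from typing import List, Optional


def weak_client_context() -> ssl.SSLContext:
    """The lab-only shortcut: no server verification. Anyone on the path can
    impersonate the key server and hand out, or collect, keys."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_file: Optional[str] = None,
                            client_cert: Optional[str] = None,
                            client_key: Optional[str] = None) -> ssl.SSLContext:
    """Mutually authenticated TLS 1.2+ client context for key retrieval.
    ca_file: CA bundle that issued the key server's certificate (hypothetical path);
    when given, only that CA is trusted rather than the OS store.
    client_cert/client_key: the client certificate and private key the key server
    checks (hypothetical paths), loaded only when supplied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1 explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED            # server must present a valid chain
    ctx.check_hostname = True                      # and it must match the name we dialled
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)  # mutual authentication
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings that would let a key retrieval reach the wrong peer."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the server certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor below TLS 1.2 ({ctx.minimum_version.name})")
    return findings


def tls_floor_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name
```

The client certificate is the half of "mutually authenticated" that is easy to forget: the key server should be configured to require it as well, otherwise any host that can reach the port and trusts the CA can ask for keys.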

Access Controls
- End-point authentication
- User authentication
- Group or role-based controls
- Access audit

Key Access and Business Recovery
- Backup and recovery
- High Availability
- Backup on schedule
- Secure transfer of DEK and KEK
- Backup and restore audit

Systems Management
- Server management separate from key management
- Network configuration (address, gateway)
- Server security (users, passwords, firewall, …)
- Problem collection and reporting
- System logging and log rotation
- System date/time management

Log Collection and Audit
- Collect logs and transmit them to a log collection server or SIEM solution
- System logs and configuration changes
- Key retrieval audit logs
- Key management activity
- Log rotation and compression
Example key retrieval audit line:
<34> May 10 22:10:13 KeyServer retrieve: key <ORDERS> retrieved by user <Bill> from source IP <10.0.1.10>
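
What a SIEM or collector can do with the retrieval line above, as an added example in Python (not Townsend Security code). The parser decodes the syslog PRI (facility * 8 + severity, so `<34>` is facility 4, security/authorization, at severity 2, critical) and pulls out key, user and source IP; two detection rules then run over a constructed set of lines: a key fetched from a source outside its allow-list, and one user fetching many distinct keys. The sample lines other than the slide's own, the allow-list and the threshold are constructed for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Format of the key server's retrieval audit line, as shown on the slide:
# <PRI> Mon DD HH:MM:SS host operation: key <NAME> retrieved by user <USER> from source IP <ADDR>
AUDIT_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<op>\w+): key <(?P<key>[^>]+)> \w+ by user <(?P<user>[^>]+)> "
    r"from source IP <(?P<ip>[^>]+)>$"
)


def parse_audit_line(line: str) -> Optional[Dict[str, object]]:
    m = AUDIT_LINE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    event: Dict[str, object] = dict(m.groupdict())
    event["pri"] = pri
    event["facility"] = pri // 8   # syslog PRI = facility * 8 + severity (RFC 5424, section 6.2.1)
    event["severity"] = pri % 8    # <34>: facility 4 (security/authorization), severity 2 (critical)
    return event


def analyze(lines: List[str], allowed_sources: Dict[str, Set[str]],
            distinct_key_threshold: int = 3) -> Dict[str, object]:
    """Two detection rules over retrieval events:
    1. a key retrieved from a source IP outside its allow-list (only keys listed in
       allowed_sources are checked);
    2. one user retrieving at least distinct_key_threshold different keys (enumeration)."""
    events, unparsed, findings = [], [], []
    keys_by_user: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None:
            unparsed.append(line)  # unparsed lines are reported, never silently dropped
            continue
        events.append(ev)
        key, user, ip = str(ev["key"]), str(ev["user"]), str(ev["ip"])
        if key in allowed_sources and ip not in allowed_sources[key]:
            findings.append(("unexpected-source", f"{key} retrieved by {user} from {ip} at {ev['ts']}"))
        keys_by_user[user].add(key)
    for user, keys in keys_by_user.items():
        if len(keys) >= distinct_key_threshold:
            findings.append(("key-enumeration", f"{user} retrieved {len(keys)} distinct keys: {sorted(keys)}"))
    return {"events": events, "unparsed": unparsed, "findings": findings}


# Constructed sample: the slide's line first, then retrievals from a host that is not
# the SQL Server (10.0.1.10), and one line the parser cannot read.
SAMPLE_LINES = [
    "<34> May 10 22:10:13 KeyServer retrieve: key <ORDERS> retrieved by user <Bill> from source IP <10.0.1.10>",
    "<34> May 10 22:11:02 KeyServer retrieve: key <ORDERS> retrieved by user <Bill> from source IP <10.0.1.10>",
    "<34> May 10 22:15:44 KeyServer retrieve: key <ORDERS> retrieved by user <Bill> from source IP <192.168.50.7>",
    "<34> May 10 22:16:01 KeyServer retrieve: key <CUSTOMERS> retrieved by user <Bill> from source IP <192.168.50.7>",
    "<34> May 10 22:16:05 KeyServer retrieve: key <PAYROLL> retrieved by user <Bill> from source IP <192.168.50.7>",
    "<34> May 10 22:16:09 KeyServer garbled line that does not match the format",
]
# Constructed policy: ORDERS may only be fetched from the SQL Server host.
ALLOWED_SOURCES: Dict[str, Set[str]] = {"ORDERS": {"10.0.1.10"}}


def run_sample() -> Dict[str, object]:
    return analyze(SAMPLE_LINES, ALLOWED_SOURCES)
```

The allow-list is the rule with the best signal for a key server: the set of hosts that legitimately hold a given key is small and known, so a retrieval from anywhere else is worth an alert on its own, before any volume-based rule fires.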

Barriers to Deploying Encryption & Key Management: Why Projects Can Be Hard
- Complicated projects that require outside consultants and a lot of time
- Vendor sample code missing or of poor quality
- Lacking in client-side applications
- Complex evaluation procedures
- Complex and hard-to-predict licensing

Encryption and Key Management in VMware
Challenges, Best Practices & What to Know:
- VMware is NOT responsible for YOUR breach
- VMware segmentation (managing multi-tenancy)
- Business recovery: production and High Availability
- Backup and restore
- Hybrid environments: more the rule than the exception
- VMware has reference architectures: very helpful!


Alliance Key Manager – Available Platforms
Support for every platform with a common interface:
- Hardware Security Module (HSM)
- Cloud HSM
- Virtual Machine – VMware
- Cloud VM – AWS (AMI), Azure, IBM Cloud, vCloud
- Microsoft Azure

Alliance Key Manager: System Capabilities
- Secure key storage
- Secure key retrieval
- Access controls for users and groups
- In-depth system logging
- Full-function audit trails
- Key import and export abilities
- Secure console administration
- Dual control capability
- Separation of duties enforcement
- Robust metadata capability

Encryption as a Service
- Use NIST-compliant AES encryption
- Encryption key never leaves the server
- Use cases: web applications, cloud applications, kiosks

Alliance Key Manager: Ready to Use
- Creates a Certificate Authority unique to you
- Creates Web server certificates and private keys unique to you
- Creates a set of encryption keys unique to you
- Creates client-side certificates and private keys unique to you
A fully functional key management solution ready to use in SECONDS!

Alliance Key Manager for VMware
- Same FIPS 140-2 compliant technology as in the HSM
- Lower operational costs and IT footprint
- Accelerate deployment of mission-critical security technology
- Supports VMware ESXi, vSphere, and vCloud
- VMware Technology Alliance Partner (TAP)

Alliance Key Manager for SQL Server Enterprise Edition
- Encryption and key management with no programming
- Easily integrates with Microsoft SQL Server
- Supports TDE & EKM
- Supports Cell Level Encryption

Alliance Key Manager for SQL Server Standard & Web Editions
- No EKM? No problem
- Software libraries for .NET applications
- Supports CLR implementation
- Ideal for Standard and Web Editions
- Partnering with NetLib for folder/TDE approach

Automated Encryption Using C# (Alliance Key Manager Client Assembly DLL)
The slide shows the skeleton of a SQL CLR user-defined function with three callouts: "ADD" (the reference to the Alliance Key Manager client assembly), "Insert call to: Retrieve a key", and "On-board encryption module.cs". The fragment, with the callouts rendered as comments and the class closed so it compiles as a stub:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Microsoft.SqlServer.Server;
using Townsend.Alliance;   // ADD: Alliance Key Manager client assembly DLL reference

public class EncryptDecryptUdf
{
    #region Public Methods and Operators

    // The SqlFacet attribute defines these as varbinary(max) for data up to 2^31-1 bytes long.
    // Slide callout: insert the call to retrieve a key from Alliance Key Manager here,
    // then hand the key to the on-board encryption module (module.cs).

    #endregion
}
```

Secure Keys. Meet Compliance Requirements.
Any Questions About VMware, SQL Server and Encryption Key Management?
Securely manage keys for data encrypted on ANY platform: Windows, Linux, UNIX, IBM i, IBM z
FIPS 140-2 compliance | Low cost. Comprehensive solution.
Contact Townsend Security: patrick.townsend@townsendsecurity.com | 800.357.1019 | www.townsendsecurity.com