Transcription of MICROSOFT SQL SERVER - Townsend Security
ENCRYPTION & KEY MANAGEMENT MICROSOFT SQL large and small, public and private, are faced with daily challenges to protect their sensitive digital assets. These might include intellectual property, business plans and strategies, and sensitive data of employees, customers, vendors, and stakeholders. The loss of this sensitive data can be devastating to the organization and in some cases represents a catastrophic loss. There is no alternative to a digital existence and cybercriminals, political activists, and state actors have become more and more adept at stealing this information. Microsoft SQL Server has become a ubiquitous storage mechanism for all types of digital assets. Protecting these data assets in SQL Server is a top priority for business executives, security specialists, and IT professionals.
This eBook looks at various ways to protect sensitive data in SQL Server databases using encryption, the most widely recognized and accepted way to protect these assets. Of course, it should be noted that encryption is only one part of a larger digital security strategy. Getting data security right means deploying a wide set of protection technologies and human procedures. Here we are only looking at the critical security control of
Townsend, Founder & CEO, Townsend Security

ENCRYPTION IN THE BROADEST SENSE MEANS obscuring information to make it inaccessible to unauthorized access.
But here we will use the term in its more precise and common use: the use of well-accepted encryption algorithms based on mathematical proofs and which have been embodied and approved as international standards. Many approaches to encryption do not meet minimal requirements for security and compliance. Our definition of encryption excludes:
- Homegrown methods developed by even experienced and talented programmers.
- Emerging encryption methods that are not yet widely accepted.
- Encryption methods that are widely accepted as secure, but which have not been adopted by standards organizations.
- Data substitution and masking methods not based on
example of an encryption method that does meet our criteria would include the Advanced Encryption Standard (AES), which is sometimes known as Rijndael, Triple Data Encryption Standard (3DES), RSA, and Elliptic Curve encryption methods.
ENCRYPTION
In the context of protecting data in a SQL Server database, the most common encryption method protecting whole databases or an individual column in a table is AES. All key sizes of AES (128-bit, 192-bit, and 256-bit) are considered secure and are appropriate for protecting digital assets. Many organizations chose 256-bit AES for this purpose due to the larger key size and stronger major additional benefit of using an industry standard such as AES is that it meets many compliance requirements or recommendations for the use of industry standard encryption. This includes the PCI Data Security Standard (PCI-DSS), HIPAA, FFIEC, and the EU General Data Protection Regulation (EU GDPR).

IT IS NOT POSSIBLE TO DISCUSS AN ENCRYPTION strategy without discussing the protection of encryption keys.
An encryption strategy is only as good as the method used to protect the encryption keys. Encryption algorithms such as AES and Triple DES are public and readily available to any attacker. The protection of the encryption key is the core to the security of the encrypted data. This is why security professionals consider the loss of the encryption key as equivalent to the loss of the digital assets. Once an attacker has the encryption key it is trivial to decrypt and steal the strong encryption keys and protecting them is harder than it might at first appear. The generation of strong encryption keys depends on the use of random number generation schemes, and modern computers do not excel at doing things randomly. Specialized software routines are needed to generate strong encryption keys.
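To check an existing SQL Server instance against the two points made so far (AES as the algorithm, and the protection of the key itself), the following T-SQL inventory is an added example, not part of the eBook. The catalog views and the dynamic management view are SQL Server's own; the wording in the `finding` columns is this example's assumption about what deserves review.

```sql
-- Added example (not from the eBook). Run in the database being reviewed.
-- Needs VIEW DEFINITION on the keys and VIEW SERVER STATE for the DMV.

-- 1. Column-level keys: algorithm, key length, and what protects each key.
SELECT  sk.name             AS key_name,
        sk.algorithm_desc,
        sk.key_length,
        sk.provider_type,   -- 'CRYPTOGRAPHIC PROVIDER' = key held by an EKM provider
        ke.crypt_type_desc  AS protected_by,
        CASE
            WHEN sk.algorithm_desc NOT LIKE 'AES[_]%'
                THEN 'REVIEW: not AES'
            ELSE 'AES'
        END                 AS finding
FROM    sys.symmetric_keys AS sk
LEFT JOIN sys.key_encryptions AS ke
       ON ke.key_id = sk.symmetric_key_id
ORDER BY sk.name;

-- 2. Whole-database encryption: the database encryption key of every
--    encrypted database on the instance and the kind of object protecting it.
SELECT  DB_NAME(dek.database_id) AS database_name,
        dek.encryption_state,    -- 3 = encrypted
        dek.key_algorithm,
        dek.key_length,
        dek.encryptor_type,      -- CERTIFICATE or ASYMMETRIC KEY
        CASE
            WHEN dek.key_algorithm NOT LIKE 'AES%'
                THEN 'REVIEW: not AES'
            WHEN dek.encryptor_type = 'ASYMMETRIC KEY'
                THEN 'Protector is an asymmetric key held by an EKM provider'
            ELSE 'REVIEW: protector is a certificate stored on this server'
        END                      AS finding
FROM    sys.dm_database_encryption_keys AS dek
ORDER BY database_name;
```

A database that does not appear in the second result set has no database encryption key, so it is not encrypted at the database level.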
KEY MANAGEMENT
Encryption keys must also be securely stored away from the data they protect, and yet must be readily available to users and applications that are authorized to access the sensitive data. Authenticating that a user or application is authorized to an encryption key is a large focus of key management the years standards and best practices have emerged for encryption key management and these have been embodied in specialized security applications called Key Management Systems (KMS), or Enterprise Key Management (EKM) systems. The National Institute of Standards and Technology (NIST) has taken a lead in this area with the creation of Special Publication 800-57, entitled "Recommendation for Key Management". In addition to this important NIST guidance, the organization publishes the Federal Information Processing Standard (FIPS) 140-2 Security Requirements for Cryptographic Modules.
To serve the needs of organizations needing independent certification that a key management application meets this standard, NIST provides a validation program for FIPS 140-2 compliant systems. All professional key management systems have been validated to FIPS

When protecting sensitive SQL Server data with encryption, look for these core principles of key management:
- Encryption keys are stored away from the data they protect, usually on specially designed security devices or dedicated virtual services.
- Encryption keys are managed by individuals who do not have access to the data stored in the SQL Server database (Separation of Duties).
- Encryption key management requires more than one security administrator to authenticate before performing any critical work on keys (Dual control).
- Key retrieval requests from users and applications are authenticated using industry standard methods.
- Encryption management and key usage are logged in real time and logs are stored on secure log collection servers.
- Encryption key management systems have been validated to FIPS 140-2 and the Key Management Interoperability Protocol (KMIP).

These are just a few of the core requirements for deploying a professional key management solution to protect your SQL Server

ONCE WE MAKE THE DECISION TO ENCRYPT data in our SQL Server database we then have to decide where to implement that encryption.
WHERE TO IMPLEMENT ENCRYPTION
We have a number of choices on how and where to implement encryption. We could implement it using self-encrypting hard drives, or file or volume level encryption, or in applications that use the SQL Server database. It might help to visualize these options by imagining a Five Layer Cake like this:

SECURITY & THE FIVE LAYERS

At the very lowest level we have the disk drives that store our data. At the next level up we have the file input/output facilities provided by the operating system. Then we come to the database level where SQL Server lives. Above that is the layer of our applications that read and write information into the database. And finally at the highest level we have the network layer services that connect our where to implement encryption has security implications.
Generally, the higher the layer where we implement encryption, the better security we can achieve. But there is not a hard-and-fast rule about this. There are some tradeoffs at each layer. The only certain thing we can say is that not implementing encryption leaves us terribly exposed to loss!

[Figure labels: SELF-ENCRYPTING DRIVES, SSDs, ETC; FILE SYSTEM (FILE/FOLDER/VOLUME); DATABASE; APPLICATION; NETWORK SERVICE]

AT THE VERY LOWEST LAYER OF OUR CAKE WE have the physical storage mechanisms for our data. This is a hard disk drive, flash storage, or a disk array. It doesn't matter if we are using cloud infrastructure, traditional IT systems, flash storage, or a converged technology.