Making the Grade with Encryption and Key Management| May 11, 2020
At Concensus, we believe that partnerships provide the best options for our customers. We’ve recently partnered with Townsend Security, to provide critical key management and encryption services—not only for on-premise needs but also the ability to encrypt virtual machines hosted in Concensus Cloud. That’s why we’re proud to announce our new partnership with Townsend, which offers best-in-class key management and encryption servers for virtual machines, databases, and storage.
Offering better cybersecurity and data encryption protection is essential for all of our customers. Still, it is especially critical for schools, universities, and higher education institutions.
The Case for Encryption
It shouldn’t be a surprise that the education sector is a top target for data thieves. Higher education institutions, in particular, collect and store a wealth of private information. Beyond student names and grades, colleges and universities also maintain student and employee Social Security numbers, employee bank account numbers, healthcare information, and other personally identifiable information (PII).
According to a 2019 IBM study, the cost of a data breach in this area averages $4.77 million or $142 per record, which is not a trivial number. Fortunately, the use of encryption can help reduce the risk of a breach and lower the cost of a breach if it happens. The same study states that extensive use of encryption can lower the average cost of a breach by $360,000.
Aside from the risk of a data breach, data security compliance regulations are another significant driver for encryption. When considering a typical university, many different data security compliance regulations are applicable, and more often than not, require encryption and key management. For example:
- Does the university take credit cards? If yes, they fall under PCI DSS.
- Is there information about student loans? That is covered under GLBA/FFIEC.
- Is there a student wellness center? HIPAA is a key factor.
- Additionally, the Family Educational Rights and Privacy Act (FERPA) is a consideration.
Deploying Encryption & Key Management
It has been said that encryption is the hardest part of data security, and key management is the hardest part of encryption. Our partnership between Concensus and Townsend brings our customers the best of both scenarios and makes encryption and key management easier and more affordable than ever.
First, let’s talk about encryption. Strong 256-bit AES encryption is now practically everywhere. Databases like Microsoft SQL Server, MySQL Enterprise and CGE, and MongoDB Enterprise, as well as core infrastructure like VMware vSphere, now include encryption built right into the products.
Now let’s talk about key management. After seeing too many data breaches due to encryption keys stored in databases or applications, these same vendors realized that key management is just as important as encryption. So, they built-in facilities that allow users to store and manage their encryption keys in a separate system called a Key Management Server (KMS). Generally (but not all), these solutions support the Key Management Interoperability Protocol (KMIP), which makes encryption and key management a breeze. Townsend Security’s Alliance Key Manager, for example, is KMIP compliant and not only allows IT teams to separate encryption keys from the data they protect, but also manage these keys through their entire lifecycle, from generation to destruction.
When considering encryption key management solutions, look for solutions that have been through a FIPS 140-2 validation and are KMIP compatible. Not all key managers are standards-based or have been through a validation. Think about it this way: Would you feel comfortable investing your time and money going to an unaccredited school? Here are some additional considerations:
- Is the key manager in a shared environment that locks you into a particular CSP?
- What is the pricing structure? Are you charged by the key or connection?
- Is the solution cloud agnostic?
What if My Database or Application Doesn’t Support Encryption or Key Management?
Not all databases and applications support encryption. However, you are likely running a version of VMware that does, and it is standards-based, KMIP compatible, and easy-to-deploy.
Furthermore, VMware has developed excellent guidance that is available on their website on how to install databases into an encrypted vSAN. If you are an Oracle customer, for example, and feel like you can’t afford the expense of upgrading to Oracle Enterprise with Advanced Security to get encryption, VMware has your back. By doing this, educational institutions can affordably meet regulatory compliance and protect their sensitive data. The same is true for other databases.
The case is strong for encryption and key management, which are affordable and easy-to-install, is clear. Encryption projects have gone from taking teams of people six months to deploy, to an afternoon by a single DBA. With partners like Concensus and Townsend Security, there is no reason to leave private information un-encrypted and susceptible to a data breach.
To get started, contact the team at Concensus for a free cybersecurity analysis.