While the European Union (EU) does not mandate under the General Data Protection Regulation (GDPR) that every organization immediately encrypt sensitive data, organizations that protect personal data with encryption and other security measures are exempt from the data subject breach notification requirement and from the associated financial penalties. Applying these security measures only after a breach does not remove the notification requirement or the penalties.
Townsend Security provides encryption and key management technologies to help you meet the General Data Protection Regulation.
Encrypt Data at Rest
Make a full inventory of all sensitive personal information that you collect and store. Use strong encryption to protect this data on servers, PCs, laptops, tablets, mobile devices, and on backups. Personal data should always be encrypted as it flows through your systems, and when you transmit it to outside organizations.
Use Industry Standard Encryption
Use industry standard encryption such as the Advanced Encryption Standard (AES, also known as Rijndael). AES is recognized worldwide as the leading standard for data encryption. Never use home-grown or non-standard encryption algorithms. The Townsend Security Alliance Key Manager solution implements certified AES encryption that meets this requirement.
Use Strong Encryption Keys
Always use cryptographically secure encryption keys, and never use passwords as encryption keys or as the basis for creating encryption keys. Keys based on passwords will never meet minimum standards for strong encryption keys. Alliance Key Manager creates and manages cryptographically secure 128-bit and 256-bit AES keys. Keys are generated using a cryptographically secure random bit generator (CS-RBG) validated to international standards.
Protect Encryption Keys from Loss
Encryption keys must be stored away from the data they protect and must be securely managed. Manual procedures cannot accomplish the goal of proper encryption key management. Use a professional encryption key management solution to protect keys and provide different keys for different data protection needs. Alliance Key Manager implements key creation, management, and distribution and is compliant with the NIST FIPS 140-2 standard recognized and accepted worldwide.
Change Encryption Keys Regularly
Using one encryption key for a long period of time can expose you to a breach notification for historical data: if that key is compromised, every record ever encrypted under it is exposed. Change your encryption keys on a quarterly or semi-annual basis. Alliance Key Manager can automatically change encryption keys at an interval you define.
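The sections on data at rest, standard algorithms, strong keys, key storage and key rotation above describe one pattern: random AES keys generated by the operating system's CSPRNG, kept in a key store separate from the data, identified by version so that records can be re-encrypted and old keys retired. The Go program below is an added illustration of that pattern using only the Go standard library; it is not Townsend Security's code and does not model Alliance Key Manager's API. The KeyStore type is a hypothetical in-memory stand-in for a key manager, and the record text is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyStore is a hypothetical in-memory stand-in for a key manager: it holds
// versioned 256-bit AES keys away from the data they protect.
type KeyStore struct {
	keys    map[uint32][]byte
	current uint32
}

// NewKeyStore creates a store whose first key (version 1) is freshly generated.
func NewKeyStore() (*KeyStore, error) {
	ks := &KeyStore{keys: map[uint32][]byte{}}
	if _, err := ks.Rotate(); err != nil {
		return nil, err
	}
	return ks, nil
}

// Rotate draws 32 random bytes (a 256-bit key) from the OS CSPRNG, never from a
// password, and makes the new version current. Older versions stay available
// for decryption until their records have been re-encrypted.
func (ks *KeyStore) Rotate() (uint32, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return 0, err
	}
	ks.current++
	ks.keys[ks.current] = k
	return ks.current, nil
}

// Encrypt seals plaintext with AES-256-GCM under the current key.
// Record layout: 4-byte key version || 12-byte nonce || ciphertext+tag.
func (ks *KeyStore) Encrypt(plaintext []byte) ([]byte, error) {
	aead, err := ks.aead(ks.current)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return nil, err
	}
	var hdr [4]byte
	binary.BigEndian.PutUint32(hdr[:], ks.current)
	out := append(hdr[:], nonce...) // allocates a new slice; hdr stays separate
	// The version header is bound to the ciphertext as associated data, so a
	// swapped header is detected at decryption time.
	return aead.Seal(out, nonce, plaintext, hdr[:]), nil
}

// Decrypt looks up the key version recorded in the header and opens the record.
func (ks *KeyStore) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 4 {
		return nil, errors.New("record too short")
	}
	aead, err := ks.aead(binary.BigEndian.Uint32(blob[:4]))
	if err != nil {
		return nil, err
	}
	if len(blob) < 4+aead.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := blob[4:4+aead.NonceSize()], blob[4+aead.NonceSize():]
	return aead.Open(nil, nonce, ct, blob[:4])
}

// KeyVersion reports which key version protects a stored record (0 if malformed).
func KeyVersion(blob []byte) uint32 {
	if len(blob) < 4 {
		return 0
	}
	return binary.BigEndian.Uint32(blob[:4])
}

// ReEncrypt moves a record from its old key version to the current one; this is
// the step that lets the old key be retired after a rotation.
func (ks *KeyStore) ReEncrypt(blob []byte) ([]byte, error) {
	pt, err := ks.Decrypt(blob)
	if err != nil {
		return nil, err
	}
	return ks.Encrypt(pt)
}

// Retire deletes a non-current key version once no record depends on it.
func (ks *KeyStore) Retire(version uint32) {
	if version != ks.current {
		delete(ks.keys, version)
	}
}

func (ks *KeyStore) aead(version uint32) (cipher.AEAD, error) {
	k, ok := ks.keys[version]
	if !ok {
		return nil, fmt.Errorf("unknown key version %d", version)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	ks, _ := NewKeyStore()
	rec, _ := ks.Encrypt([]byte("constructed sample: customer e-mail address"))
	ks.Rotate()                // scheduled rotation, e.g. quarterly
	rec, _ = ks.ReEncrypt(rec) // historical data moves to the new key
	ks.Retire(1)               // old key no longer protects anything
	pt, err := ks.Decrypt(rec)
	fmt.Println(string(pt), err, "key version:", KeyVersion(rec))
}
```

The version header is what makes the rotation schedule enforceable: an audit can count records still carrying an old version, and the old key is deleted only when that count reaches zero, so a later compromise of the key store exposes nothing encrypted before the rotation.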
Use Strong, Industry Standard Hash Algorithms
Use strong, industry standard secure hash algorithms when protecting passwords and other information. Never use MD5 or other weaker hash methods. Use the SHA-256 or SHA-512 methods for your hash requirements.
Use Keys or Salt with Your Hashes
When using a strong secure hash algorithm, always use an encryption key or a random salt to strengthen the resulting hash value. You can use the keyed-Hash Message Authentication Code (HMAC) method with an encryption key, or use a strong encryption key under the protection of a key manager as the salt for the hash method. Alliance Key Manager can create, manage, and protect the encryption keys for HMAC and salted hash operations.
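The two hashing recommendations above, SHA-256 strengthened either by an HMAC key or by a random salt, are shown side by side in the added Go example below. It uses only the standard library and is not code from Townsend Security or from Alliance Key Manager; the HMAC key is a constructed fixed value so the example runs offline, where a real deployment would have the key manager generate it and keep it out of the database.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// hmacKey stands in for a 256-bit key held by a key manager. It is a constructed
// fixed value for reproducibility; in production it comes from a CSPRNG and is
// never stored beside the hashed data.
var hmacKey = []byte("constructed-example-key-32-bytes!") // 32 bytes

// Pseudonymize returns the hex HMAC-SHA256 tag of a value under key. Without the
// key, an attacker holding the tags cannot recompute them from guessed inputs.
func Pseudonymize(key, value []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(value)
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyTag recomputes the HMAC and compares in constant time, so a mismatch
// leaks no timing information about how many bytes matched.
func VerifyTag(key, value []byte, tagHex string) bool {
	want, err := hex.DecodeString(tagHex)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(value)
	return hmac.Equal(mac.Sum(nil), want)
}

// SaltedHash stores a per-record random salt next to the SHA-256 digest of
// salt||value, so equal inputs yield different digests and precomputed tables
// of plain SHA-256 values are useless.
type SaltedHash struct {
	Salt   []byte
	Digest []byte
}

// NewSaltedHash draws a fresh 16-byte salt from the CSPRNG for each record.
func NewSaltedHash(value []byte) (SaltedHash, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return SaltedHash{}, err
	}
	return SaltedHash{Salt: salt, Digest: digest(salt, value)}, nil
}

// Verify rehashes with the stored salt and compares in constant time.
func (h SaltedHash) Verify(value []byte) bool {
	return hmac.Equal(h.Digest, digest(h.Salt, value))
}

func digest(salt, value []byte) []byte {
	sum := sha256.New()
	sum.Write(salt)
	sum.Write(value)
	return sum.Sum(nil)
}

func main() {
	id := []byte("constructed sample: customer-00042")

	tag := Pseudonymize(hmacKey, id)
	fmt.Println("HMAC tag:", tag, "verifies:", VerifyTag(hmacKey, id, tag))

	a, _ := NewSaltedHash(id)
	b, _ := NewSaltedHash(id)
	fmt.Println("same input, different salted digests:", !hmac.Equal(a.Digest, b.Digest))
	fmt.Println("verify correct / wrong value:", a.Verify(id), a.Verify([]byte("wrong")))
}
```

Of the two options the page names, the keyed HMAC is the stronger when the key lives in the key manager: a salt must be stored with each record and so is available to whoever steals the database, whereas the HMAC key is not, and without it the stored tags cannot be checked against guessed values at all.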