During an internal audit, a large midwestern insurance company discovered that it was not meeting its contractual obligations for data protection. One of the company’s largest customers required PCI-DSS compliant security for its data, which was stored in a SQL database. The database was not encrypted, exposing the customer’s data to potential misuse and jeopardizing one of the insurance company’s most important business relationships. Bringing the database into compliance quickly became a top priority for the company’s senior leadership.
While evaluating its data security strategy, the insurance company also recognized that it was not meeting its internal security standards for company data. Of particular concern were file servers containing Personally Identifiable Information (PII) relating to the company’s employees. The company determined that it needed to address this internal concern as well as its obligation to protect customer data.
The insurance company set an aggressive timeframe for resolution of its data security challenges, in order to meet its contractual obligations and secure its data before a breach occurred. The company also identified several criteria that its data protection solution would need to meet:
- Protection for customer data in the SQL database would need to be PCI-DSS compliant, as required by the customer.
- Encryption would need to be transparent to end users, allowing existing workflows to continue without disruption.
- Encryption and decryption needed to be non-resource-intensive to ensure high performance in the company’s environment.
After reviewing several potential solutions, the insurance company had not yet found a suitable vendor. No offerings were able to meet all of its requirements without the need for expensive new appliances, which the company determined would add unacceptable costs and complexity to the project.
The insurance company then contacted PKWARE and began to evaluate PKWARE Transparent Data Encryption (TDE) as a potential solution. It soon became clear that PKWARE could meet the company’s requirements and provide several additional benefits:
- The PKWARE Enterprise Manager control panel provided greater ease of use than any other TDE product.
- PKWARE’s integration with Active Directory allowed the company to implement separation of duties for activities relating to both the SQL database and internal file servers.
- PKWARE did not require downtime in order for administrators to rotate encryption keys.
- PKWARE also did not require a separate appliance or any other additional hardware.
PKWARE allowed the insurance company to meet its obligations and internal standards while protecting data at rest from internal and external threats. PKWARE’s ease of implementation ensured a smooth process that was complete ahead of the company’s target date.
With PKWARE TDE in place, the company was able to demonstrate its compliance with its customer requirements and avoid any negative consequences from a failure to protect its data. The addition of PKWARE TDE did not require any changes to end user workflows, and has proven to be an easy-to-manage, highly cost-effective solution that fully addressed the company’s needs.