A Data Encryption Service For Cloud Servers


Compliance has become a critical issue for private enterprises and public organizations. Server General TDE can help customers achieve regulatory compliance with ease. Here are some of the main features that are designed to enable compliance.

Data Encryption

Server General TDE uses the Advanced Encryption Standard (AES) algorithm to encrypt data. Thus we are able to meet or exceed the encryption standard requirement defined as “AES-compatible” by the IETF/IRTF Cipher Catalog and by the National Institute of Standards and Technology (NIST) publication FIPS 140-2.

Key Management

Server General TDE helps generate, store, distribute and manage data encryption keys in a secure and compliant manner.

Access Control

Today’s servers are not designed with data security in mind. It is very difficult to restrict a system administrator’s access in a manner that keeps them away from the sensitive data sets stored on the server without impeding their ability to do their job. Most network, system and cloud administrators are granted access to system resources that far exceeds any rational notion of data security. A malicious privileged insider can easily abuse these powers and gain access to sensitive information, thereby exposing the business entity to all kinds of litigation and/or fines. Server General TDE provides protection against a malicious "root" user. It uses role-based management to limit access to the sensitive data sets.

Log Management

It is imperative for businesses to be able to prove to their auditors that they are in full control of their regulated information when it comes to access. This task is accomplished through extensive logging of all access grants and their usage. However, these log files can be easily tampered with by a malicious insider or an outsider. Server General TDE prevents this from happening by storing each log event at four locations within and outside of the administrative domain of a customer.

SG-TDE and HIPAA/HITECH Compliance

Data Encryption
Server General TDE implements encryption at the OS layer which enables it to transparently encrypt ePHI stored in a database or a file server. The algorithm used to encrypt data is AES – the same algorithm that is used by banks and the U.S. government.

45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii)
“The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI.”

Key Management
Server General TDE offers key management as part of its service. The encryption keys are stored in highly secure appliances that can be deployed on-premises or within our cloud. The keys are stored away from the encrypted ePHI.

164.312 (a)(2)(iv), 164.312 (e)(2)(i)
“To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.”

Access Control
Server General TDE uses advanced access control mechanisms that block unauthorized access to ePHI through operating system exploits. The system administrator (or the “root” user) is unable to view the protected ePHI data sets in cleartext format. Server General TDE prevents malicious parties from circumventing the application access controls.

“Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4)[Information Access Management].”

Log Management
Server General TDE logs every privileged operation. All log events are stored locally as well as on remote servers, out of the reach of an administrator. This prevents a privileged insider from altering log files to hide their malicious activity.

164.312 (b) Audit Controls

164.308 (a)(1)(ii)(D) Information System Activity Review