I am Creative

IT Security Consultant

A single place to get digital graphic and web design identity and digital certificates for your coorporation.

Welcome To Silvie Design

Who I Am And What Can I do?

I'm full service which means I’ve got you covered on your digital identity such as customized logo and website design and content right through to domain registration and hosting service suitable for small business. I also provide consultation with implementations on security software solutions for enterprise such as encryption and certificate-enabled technologies. You’ll form a lasting relationship with me, collaboration is central to everything I do.

Creative Logo/Web Design

BUY A CUSTOMIZABLE LOGO FROM GALLERY OR GET A NEW LOGO DESIGN OR LOGO MAKEOVER, GET A WEB DESIGN PACKAGE FOR SMALL-BUSINESS OWNERS (STARTING FROM ONLY $999)
service
I Offer CUSTOMIZABLE LOGOS FROM PORTFOLIO GALLERY FOR ONLY $199!, the text and colors can be customized to fit your needs and taste. * Gallery also includes logos not for sale. See My Portfolio
OR I DESIGN NEW LOGO DESIGN/LOGO MAKEOVER for your Corporate Identity or Small Business owners.

MY TYPICAL GRAPHIC DESIGN PACKAGE FOR SMALL-BUSINESS OWNERS IS STARTING FROM ONLY $999.

My services are suitable for small business with smaller budgets that require a whole package like a new logo, business card, letterhead, email signature, simple responsive website (5 pages) with map location and Domain, Hosting, and Google Registration.

I’m a 100% RISK-FREE ONLINE GRAPHIC DESIGNER, specializing in Custom Logo Design, Logo Makeovers, simple and responsive Website Design and Print Publications. I am a 100% risk-free because there is no charge if for any reason a first-time customer is not satisfied with my first design sample and have decided not to use my services. I am offering absolutely no-risk free of charge tryout of first copyrighted concept design with free initial consultation. Prices may vary for logos with exclusive rights (for example corporate identity and branding).
See My Customers' websites:

* lotuschinesekitchen
* sansonaccounting
* lmsproperty
Remember your web presence and eye-catching visual representation of your business are the keys to your lasting success.

Encryption Solution

DESIGN AND IMPLEMENTATION OF NEW PUBLIC KEY INFRASTRUCTURE ENVIRONMENTS FOR ENTERPRISE, PKI CONSULTING, UPGRADE, MIGRATION AND TROUBLESHOOTING.
service
I use the most up-to-date Microsoft Active Directory Certificate Services Role implementation methods that includes Windows Server 2019, Hardware Security Module protecting keys, best security practices and Cryptographic Standards and Guidelines as recommended by National Institute of Standards and Technology (U.S. Department of Commerce.)
If a company cares about the integrity of its data and systems, it must either deploy a PKI with an appropriate set of checks and balances or use a third party service it can trust. Failure to do so leaves an organization exposed and increasingly vulnerable.

The Root CA is the top of the certificate hierarchy. Since it contains the keys that will be used for the whole certificate infrastructure these keys need to be protected. If an attacker gained access to these keys the whole certificate infrastructure would be compromised.
During PKI engagements, I choose the right encryption for your type of business. For example SHA is a popular hashing algorithm used by the majority of SSL certificates. As computing power has increased the feasibility of breaking the SHA1 hash, I use and recommend to use only SHA 256 from now on. I choose HSMs (Hardware Security Module) that comply with Federal Information Processing Standard such as FIPS 140 Level 2 and Level 3.

Also, in order to have the full benefits of SSL certificates that are essential for data protection, the implementation has to be done correctly from the start. I deploy the role of Certificate Services that is offered as a server role in Microsoft Windows Servers in a secure way, in line with best practices, and the Root Certificate Authority and all its Issuing Certificate Authorities are protected. The deployment does not consist of only installing a role but also using an HSM to secure keys and using several servers to achieve the best PKI deployment with Certificate Revocation list checking. A properly built PKI should be a cornerstone of security for an organization and support many use cases for authentication, digital signature and encryption.

Strong Auth Solution

IMPLEMENTATION AND MANAGEMENT OF STRONG AUTHENTICATION SERVER SOLUTIONS FOR ENTERPRISE
service
Strong authentication and strong customer authentication are used interchangeably in banking and financial services, particularly where access to an account must be linked to an actual person, corporation or trust.
Multi-factor authentication (MFA) is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are). Strong Authentication Server Products are powerful and accessible two-factor authentication systems providing secure and reliable authentication of users to online services, VPNs, intranet / extranet access, secure Internet transactions. Strong Authentication Access Servers use One-Time Passwords and mobile technologies. They support Hardware OTP Tokens (OATH event-based, time-based standards), Mobile-OTP etc. Identity Access Management also uses smart cards either with certificates or OTP module. I can deploy, configure and troubleshoot Public Key Infrastructure for Enterprise including SSL certificates and troubleshooting digital certificates and smart card issues.

WEBSITE APPLICATIONS
I also offer Deployment, Administration and Support of Web-based Business-Critical Applications (t.i. frontend servers and backend database with its interface). This includes Incident and Problem Management following ITIL (t.i. monitoring, analyzing, validating, testing and solving issues). I also do development of simple database-driven websites: (PHP, MySQL Database) such as my website: MyRecipeList

About

  • 20 years of IT Administration and Support of clients (Issue Resolution of Web Applications, PC hardware components including all Microsoft software applications & OS problems)
  • 10 years of Systems Integration, Testing and Validation, Database configuration, Monitoring, Analysis (Incident and Problem Management, ITIL practices)
  • 10 years of HTML/CSS coding, Graphic Design and Responsive Website Design, Data Processing (65 WPM)
  • 5 years of IT Security PKI Asymmetric Cryptography and 2nd Factor Authentication Solutions Design, Integration and Deployment of PKI (ADCS) with HSM (Thales/Gemalto/Safenet Products), Upgrade of Algorithm
  • Technology: Microsoft ADCS, Windows Server 2003-2019, MSSQL Server, Hyper-V Server, VMware Server, MS Office, Wireshark, Kali Linux, AWS Amazon Cloud

20 Years of

IT Help Desk, Customer Support and Administration of VIP Clients. Issue Resolution of Web Applications, PC hardware components including all Microsoft Hardware Drivers, Hardware Components, Software, Microsoft Applications & Windows Operating System Problems.

10 Years of

Deployment, Integration, Administration and Support of Web-based Business-Critical Applications (t.i. frontend servers and backend database with its interface). This includes Incident and Problem Management following ITIL (t.i. monitoring, analyzing, validating, testing and solving issues).

Online Graphic Design, specializing in Custom Logo Design, Corporate Identity, Logo Makeovers and Print Publications. (5yrs) Website Development using Responsive Bootstrap Technology Modern Coding in Httml5, CSS, JQuery, Slideshows, Flexible Photo Gallery Portfolio, FontAwesome, Custom Font, MySQL, PHP, Creative Simple Effective design with Photoshop Compatible Across All Platforms. Development of simple database-driven websites: (PHP, MySQL Database)

5 Years of

Deployment, Integration, Configuration, Administration and Support of Public Key Infrastructure deployments in Enterprise Environments and Certificate Monitoring Applications which includes 2-tier Certificate Authority, Root CA with HSM, Certificate Web Enrollment Services and Network Device Enrollment Services (MSCEP).

Deployment, Configuration, Administration and Support of Strong Authentication (Multi-Factor Authentication) Solutions includes OTP Servers (with HSM for Banking), Applications and Devices such as Mobiles, Tokens, Smart cards with OTP or PKI.

Education

2020 CompTIA Security plus Certified
2016 Problem Management Training, Prague, CZ, Problem Manager Certification
2015 Microsoft ADCS In-Depth Training, Implementation of PKI following Microsoft Best Practices, PKI Solutions, OH, USA
2014 Thales Hardware Security Module nShield, Plantation, FL, Certified Systems Engineer Training (eBanking)
2012 Windows Server 2012 Implementing/Administering Security and Configuring Windows 8, Prague, CZ
2010 Querying Microsoft SQL Server 2005 with Transact SQL, Prague, CZ
July 1999 University of Cambridge (British Art and Culture), Cambridge, UK
1997-1999 Broward Community College, Coconut Creek, FL (AA Computer Information Systems)
1995-1996 Atlantic Technical Center, Coconut Creek, FL (Info Processing, Office Support Services)
1989-1994 High School, Prague, CZ (Graphic Arts, Printing Technology, French)

Web Design Gallery

My Recent Projects, Logo Design, Business Card Design and Website Design (Responsive Website Design). Customer's packages starting $999, suitable for Small Business.
* lotuschinesekitchen.com
* sansonaccounting.com
* lmsproperty.ga
* myrecipelist.ga
* GoldenBirthdays

Move mouse or tap over an image to enlarge

Business Card Design Gallery

Move mouse or tap over an image to enlarge



Logo Design Gallery

See example of my Logo Design “Centurion Shotguns” Trademarked (Not for Sale) Century International Arms, Inc.

Move mouse or tap over an image to enlarge

Testimonials

It's been an honor working with Silvie and learning lots of new things in a very short span of time. Very open in knowledge sharing, taking self-interest while teaching (very focused and strict:-) and very good team player. She will definetely be an asset for any organization.

Author image
  • Kunal Sharma
  • Solution Architect at DigiCert
    PKI for Enterprise

I was most impressed with Silvie J's attention to time tables. I once had to produce company pamphlets overnight and she was able to modify the website, add new graphics, and print me full color brochures by the next morning on time for my meeting with clients. That is dedication. Thank you.

Author image
  • Robin Jafari, MD, MBA
  • Parasol International, LLC
    zhoobeen@aol.com

We have worked and continue working with Silvie J because she is capable of creating graphics that truly help create sales inquires. Mrs. J is very project oriented and delivers on time! We can strongly recommend her work ethics. Thank you.

Author image
  • Kurtis Draxl
  • www.vienna-coffee.com
    kurtis_draxl@yahoo.com

I want to take this opportunity to congratulate you on the web design job you have just completed for my company, ResearchCoop, and to express my deepest thanks for putting us on the global business map. You have exhibited the highest degree of professionalism in our working relationship coupled with great creative insight. The results, for all those who might be interested, speak for themselves. I should also command you on the timeliness of your work and for taking over all the steps necessary to turn our plan into reality. I heartily recommend your services to anyone who cares about superior work executed with promptness. Thank you.

Author image
  • Eli Seggev, Ph.D.
  • www.researchcoop.com
    Eli.Seggev@researchcoop.com
blog
17June

Secure Your Communications with ProtonMail

Show/Hide
End-to-End Encryption
Messages are encrypted at all times Messages are stored on ProtonMail servers in encrypted format. They are also transmitted in encrypted format between our servers and user devices. Messages between ProtonMail users are also transmitted in encrypted form within our secure server network. Because data is encrypted at all steps, the risk of message interception is largely eliminated.

Zero Access to User Data
Your encrypted data is not accessible to us ProtonMail’s zero access architecture means that your data is encrypted in a way that makes it inaccessible to us. Data is encrypted on the client side using an encryption key that we do not have access to. This means we don’t have the technical ability to decrypt your messages, and as a result, we are unable to hand your data over to third parties. With ProtonMail, privacy isn’t just a promise, it is mathematically ensured. For this reason, we are also unable to do data recovery. If you forget your password, we cannot recover your data.

Open Source Cryptography
Time-tested and trusted encryption algorithms We use only secure implementations of AES, RSA, along with OpenPGP. Furthermore, all of the cryptographic libraries we use are open source. By using open source libraries, we can guarantee that the encryption algorithms we are using do not have clandestinely built in back doors. ProtonMail’s open source software has been thoroughly vetted by security experts from around the world to ensure the highest levels of protection.
blog
22 June

The Top 6 overlooked IT Security Vulnerabilities in today’s Businesses

Show/Hide
1. Host Vulnerabilities
– No EOL policy, Not updated – How the OS/platform is configured – What services are running, programs installed, security settings enabled – Leaving host with default configuration is often insufficient – Evaluate custom configurations (example: failing to disable telnet can lead to man-in-the middle attack)
2. Software Vulnerabilities
– Zero day – Improper input handling – Improper error handling – Resource exhaustion – Memory vulnerabilities (memory leak, buffer & integer overflow, point dereference, DLL injection)
3. Encryption Vulnerabilities
– using cipher suites that are weak – poor implementations – improperly configured digital certificates (addresses don’t match, certificiate has expired, signer is not trusted) – improper key management (private keys are not secure, attackers can impersonate the organization)
4. Network Architecture Vulnerabilities
– poor network design – lack of network segmentation (web server not isolated from offline database, web server traffic isnt balanced, wireless netowrk range)
5. Account Vulnerabilties
– weak passwords that dont expire – lack of multi-factor authentication – accounts placed in wrong groups – accounts granted more privilages then necessary – unused and guest accounts not disabled
6. Operations Vulnerabilities
– untrained users – obsolete systems – lack of planning for critical business processes – lack of vendor support – undocumented assets are difficult to manage
blog
26June

Technical and Architectural Mitigations for Enterprise Against Exploits, Ransomware…

Show/Hide
Department of Homeland Security – National Cyber Awareness System – Alerts
Technical and Architectural Mitigations
- Implement and ensure robust Network Segmentation
- Require Multi-Factor Authentication
- Implement regular Data Backup
- Ensure user and process accounts are limited through Account Use Policies
- Enable strong spam filters to prevent phishing emails from reaching end users. Implement a User Training
- Filter Network Traffic (Prevent users from accessing malicious websites using Uniform Resource Locator (URL) blacklists and/or whitelists)
- Update Software including operating systems, applications, and firmware on IT network assets
- Set Antivirus/Antimalware Programs (Malwarebytes Premium or Cylance)
- Implement Execution Prevention by disabling macro scripts from Microsoft Office files transmitted via emai and via application whitelisting, which only allows systems to execute programs known and permitted by security policy.
- Limit Access to Resources over Network especially by restricting Remote Desktop Protocol (RDP)
CISA recommends the following precautions to protect users against the threat of ransomware:
- Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
- Never click on links or open attachments in unsolicited emails.
- Backup data on a regular basis. Keep it on a separate device and store it offline.
- Follow safe practices when browsing the Internet. Read Good Security Habits for additional details.
In addition, CISA also recommends that organizations employ the following best practices:
- Restrict users’ permissions to install and run software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
- Use application whitelisting to allow only approved programs to run on a network.
- Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
- Configure firewalls to block access to known malicious IP addresses.
blog
17July

Trust and Certificates in PKI (Public Key Infrastructure)

Show/Hide
Can anyone imagine not having the comfort of knowing the websites from companies such google, yahoo, papal etc. that affect our everyday lives would not use secure transfer protocol with its trusted certificates on their website? Would you accept if you were to login to your online banking account and you would not see the prefix of https with its padlock icon and certificate in the browser anymore?

We have come to expect to deal with only business or banks that find it important enough to protect their customers from frauds and attacks.

Businesses and consumers can no longer ignore the fact that when it comes to money we are still not secure enough and we need to get serious. So why not getting more informed on how to improve digital security in order to achieve the freedom of convenience and a peace of mind?

In order to use public key infrastructure the deployment needs to be handled with careful planning, research and rules in the least. Most of us know about how to check if a dollar bill is real or fake but do we know how to check when a website with its certificate is fake?

The ability to recognize a secure web connection is extremely important as online fraud cases have increased substantially from year to year.

One of the basic things any user can do is to check the padlock icon in the status bar of the browser and understand the certificate presented. When you look at certificates of the websites we tend to trust and use the most such as google, yahoo, papal etc, you can see the chain of trust of minimum of two or three authorities.

Certificates are issued from an authority and the question becomes would you trust the authority that issued the certificate?

One of the main functions of the root, the top authority is to issue chain certificates to subordinate certificate authorities which is the first link in the chain of trust. Then there is a link of trust between the end entity certificate and the subordinate CA. In the case of an SSL certificate, the end entity certificate represents the linkage between a website owner and the website domain name. The SSL certificate is installed on the Web server along with the chain certificate. When a user browses to the website protected by the SSL certificate, the browser initiates the verification of the certificate and follows the chain of trust back to the embedded root. It isn’t technically difficult to create an SSL certificate but the hard part is that you need it to be signed by something authorized which is one of the trusted set of root certificates.

Those belong to the various certificate authorities, and are protected by strong cryptographic authentication. So, the trick isn’t making the certificate, it is getting someone to trust it. This is why Root CA is the most important and vulnerable part of PKI deployment. Not surprisingly CAs have become the focus of targeted attacks.

Since a fake certificate is not signed by trusted certificate authorities, none will be regarded as valid by mainstream web browser software; however, an increasing amount of online banking traffic now originates from apps and other non-browser software which may fail to adequately check the validity of SSL certificates. Therefore there is a need to protect any device accessing the network traffic and professional PKI deployment is the answer for that.

A PKI is not an authentication method; rather it is an infrastructure that uses digital certificates as an authentication mechanism and is built to better manage certificates and their associated keys. If a company cares about the integrity of its data and systems, it must either deploy a PKI with an appropriate set of checks and balances or use a third party service it can trust. Failure to do so leaves an organization exposed and increasingly vulnerable.

The Root CA is the top of the certificate hierarchy. Since it contains the keys that will be used for the whole certificate infrastructure these keys need to be protected. If an attacker was to gain these keys the whole certificate infrastructure would be compromised.

Therefore it is paramount the root CA is installed on a stand-alone server with no network card or the network card disabled. Certificates from the root CA must be transported using removal media. Since the Root CA is not connected to the network, this helps protect the root CA certificates from attack. Additionally for the highest security, Root CA Keys can be protected by Hardware Security Module and stored in a safe after the Root Key Ceremony was completed and signed by all parties involved. Each step of PKI deployment needs to be done according to the rules especially when installing the role of Certificate Authority. It is absolutely paramount to use Enterprise Admin account to login to server in order to install this role when dealing with Enterprise environment.

When installing this role in Microsoft Windows Server 2012, we have a slightly different process as oppose to the Windows Server 2008. The install process is divided into two sections. After the first part of initial install is completed, the second part is the post-deployment configuration when there is a notification in the installation wizard that to install the following role services you must belong to the Enterprise Admin Group. However this may seem to some companies as unnecessary elevated permission and may decide it is ok to be logged in to the server as just a domain administrator or user with lower rights to start the installation wizard from the beginning when installing Certificate Authority Services. Once warned in the wizard, then Enterprise Admin is used.

If that logic is applied to the installation process it might appear as configuring subordinate issuing CA is completed correctly. However once the important part of signing or binding of trust process starts in other words when the request file is signed by Root and needs to be installed on subordinate CA it might become a problem to complete the installation of signed Issuing CA Certificate. The user might see an error message with a reason that might not seem straightforward or clear since it is saying that the new Certificate Authority certificate cannot be installed because the CA Version extension is incorrect. The most recently generated request file should be used to obtain the new certificate.

It may seem as unnecessary to use the highest privilege account to login to the Server and installing Certificate Authority Services but it is paramount since security is the focus point and reason for deploying the role. I provide consultancy as a service for enterprise companies, I have extensive experience providing solutions following the best practices from Microsoft, I choose the right encryption for your type of business. For example SHA is a popular hashing algorithm used by the majority of SSL certificates. As computing power has increased the feasibility of breaking the SHA1 hash, therefore I only recommend SHA 2 to use even if PKI is internal only. I choose hardware security modules that comply with Federal Information Processing Standard such as FIPS 140 Level 2 and Level 3. Upgrade of your internal PKI infrastructure, Migration of your PKI in order to upgrade old OS such as WS 2003 or WS 2008, Deployment and implementation of internal PKI infrastructure that follows best practices, comply with latest security standards.
blog
22 July

ENCRYPTION AS PROTECTION (Fight Cibercrime with PKI)

Show/Hide
Data breaches have become part of our daily news. Today we just have to mention the names such as Sony Pictures, Staples, UPS, Kmart, Target, Neiman Marcus, eBay, Home Depot, Apple iCloud, J.P. Morgan Chase among others and most of us know that those company names are also associated with cyber-attacks we read in the news.

Recently in the news, we have been affected by Superfish, SSL man in the middle adware that can produce self-signed certificates.

Most of us know about how to check if a dollar bill is real or fake but do we know how to check when a website with its certificate is fake?

The ability to recognize a secure web connection is extremely important as online fraud cases have increased substantially from year to year. One of the basic things any user can do is to check the padlock icon in the status bar of the browser and understand the certificate presented. When you look at certificates of the websites we tend to trust and use the most such as google, yahoo, papal etc, you can see the chain of trust of minimum of two or three authorities. It is important to check whom the certificate was issued by.

Certificates are issued from an authority and the question becomes would you trust the authority that issued the certificate?

One of the main functions of the root, the top authority is to issue chain certificates to subordinate certificate authorities which is the first link in the chain of trust. Then there is a link of trust between the end entity certificate and the subordinate CA. In the case of an SSL certificate, the end entity certificate represents the linkage between a website owner and the website domain name. The SSL certificate is installed on the Web server along with the chain certificate. When a user browses to the website protected by the SSL certificate, the browser initiates the verification of the certificate and follows the chain of trust back to the embedded root.

It isn’t technically difficult to create an SSL certificate but the hard part is that you need it to be signed by something authorized which is one of the trusted set of root certificates. Those belong to the various certificate authorities, and are protected by strong cryptographic authentication. So, the trick isn’t making the certificate, it is getting someone to trust it. This is why Root CA is the most important and vulnerable part of PKI deployment. Not surprisingly CAs have become the focus of targeted attacks.

Since a fake certificate is not signed by trusted certificate authorities, none will be regarded as valid by mainstream web browser software; however, an increasing amount of online banking traffic now originates from apps and other non-browser software which may fail to adequately check the validity of SSL certificates. Therefore there is a need to protect any device accessing the network traffic and professional PKI deployment is the answer for that.

Cybercrime, as we know it, is another way of showing off criminal’s creativity as the technology progresses. Therefore, encryption of data is the primary chosen protection method which also the US financial sector will be heading towards this year. Digital security has become such an issue that even US is adopting chip cards and POS terminals that conform to the Europay, MasterCard, Visa standard.

As of October, 2015 a card issuer or merchant that does not support EMV assumes liability for fraud that results from compromised magnetic-stripe card transactions.

Apparently, a major shift in thinking has already been established that the future will be in encryption. Why is a chip more secure then magnetic stripe?

Firstly, the obvious way the chip is protecting you is eliminating cloning by for example, if you are paying for your meal at a restaurant and using your magnetic stripe card, you typically hand your card to the waiter after he brings the check. He then usually processes your transaction at the cash register, which means your card leaves your sight for several minutes, ample time to clone your card if anyone in the restaurant staff is a crook. With a chip card, a portable POS device is needed, or the customer goes to the cash register, the card being in his or her sight the whole time.

Secondly, chip cards are the standard in most parts of the world because they’re not only harder to clone as the data on chip cards is constantly changing, making it extremely hard to isolate and extract and counterfeit than their magnetic-stripe predecessors but also because chip cards are different mainly in that they have sophisticated encryption built right into the chip. When you dip a chip card instead of swiping it talks back and forth with the payment terminal in a secret language to make sure it’s actually you who’s paying.

Apparently, encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on especially in payment transactions and also in protecting the rest of your data stored and send.

So what kind of encryption do we want to choose?

For any cipher, the most basic method of attack is brute force; trying each key until the right one is found. The length of the key determines the number of possible keys, and hence the feasibility of this type of attack. Encryption strength is directly tied to key size. Any realistic algorithm is considered “strong enough” if it will take longer to decrypt the material than the information is worth with the available resources at the time. For example, if the information is my dinner plans for tomorrow, it’s likely that my encryption algorithm may only need to delay an attacker 24 hours by which time, the event will be over, and it wouldn’t matter cause you can’t find me there anymore.

Since we need to account with possibility as the affordability of computer capacity advances with time that may reduce the effort to successfully attack the algorithm method, the safe rule of thumb for most businesses is that so you want any encryption that you use to remain strong 20 years from now.

Regardless whether we need to comply with various federal and state laws in the US for example data privacy or whether we want to avoid great financial loss, recognizing the great need for appropriate encryption protection is paramount. Microsoft offers users built-in disk encryption on certain Windows editions and there are many other great products out there to solve your encryption needs.

If a company cares about the integrity of its data and systems, it must either deploy a PKI with an appropriate set of checks and balances or use a third party service it can trust. Failure to do so leaves an organization exposed and increasingly vulnerable.

The Root CA is the top of the certificate hierarchy. Since it contains the keys that will be used for the whole certificate infrastructure these keys need to be protected. If an attacker was to gain these keys the whole certificate infrastructure would be compromised.

Therefore it is paramount the root CA is installed on a stand-alone server with no network card or the network card disabled. Certificates from the root CA must be transported using removal media. Since the Root CA is not connected to the network, this helps protect the root CA certificates from attack.

Additionally for the highest security, Root CA Keys can be protected by Hardware Security Module and stored in a safe after the Root Key Ceremony was completed and signed by all parties involved.

I provide consultancy as a service for enterprise companies, I have extensive experience providing solutions following the best practices from Microsoft, I choose the right encryption for your type of business. For example SHA is a popular hashing algorithm used by the majority of SSL certificates. As computing power has increased the feasibility of breaking the SHA1 hash, therefore I only recommend SHA 2 to use even if PKI is internal only. I choose hardware security modules that comply with Federal Information Processing Standard such as FIPS 140 Level 2 and Level 3.

Please contact me if you need the following solutions for your company: Upgrade of your internal PKI infrastructure, Migration of your PKI in order to upgrade from WS 2003 or WS 2008 to WS 2016 or 2019, Deployment and implementation of internal PKI infrastructure that follows best practices, comply with latest security standards.
blog
26July

Microsoft SQL and SSL Certificates: Securing your Data with PKI

Show/Hide
In today’s corporate environment, enterprise companies are choosing to secure intellectual property and customer data to not only protect against the damage associated with data breaches but also to comply with privacy and regulatory mandates.

Luckily there are several ways to protect data included in the SQL Server Encryption Key Hierarchy. Options range from cell-level and column-level to full database encryption (TDE).

Encrypting an entire database on the hard disk using transparent data encryption is transparent and there’s no noticeable performance overhead. This is effective in protecting the data while at rest. For example, if someone were to steal a copy of the database or a backup of the data, the encryption layer would protect the data and make the database unreadable without the appropriate decryption keys.

However, data is decrypted prior to transmitting over the network, therefore, we need to think of encrypting the communication, specifically the network layer. While several options exist for the communications, SSL is the most commonly implemented method. SSL uses certificates to authenticate the server to the client and establish an encrypted communications channel with the database. Unlike other options, like IPsec, which is implemented at OS level and supports authentication using Kerberos certificates, when an SSL certificate is used it is configured on SQL server. Configuring SSL on the server is more straightforward than configuring IPsec. In addition, SSL requires minimal client configuration.

But why use SSL certificates in the first place?

Not only are they needed in today’s IT infrastructure to encrypt sensitive information as they travel across networks, but in addition to encryption, a proper SSL certificate also provides authentication. This means you can be sure that you are sending information to the correct server, since anyone can pretend to be a website where you might send your sensitive, personal and confidential data.

Hacks, breaches and leaks are all possible to avoid by using a proper Public Key Infrastructure (PKI) Root and Issuing Certificate Authority and getting an SSL Certificate from a trusted authority provider.

How do I encrypt SQL Server connections between my applications and database for the better security?

When an SSL certificate is used, the information becomes unreadable to everyone except for the server you are sending the information to. This way the SSL protects the connection, i.e. the data as it transits between the client and the SQL Server.

But what is the performance difference between the encryption overhead of SSL versus unencrypted socket communication?

Encryption may slow down performance because it requires extra actions on both sides of the network connection but the benefits still outweigh the performance penalty especially when clients connect to SQL servers across the public networks. The main overhead of SSL is the handshake and after negotiation there are relatively fast cyphers used.

So what else is involved when encrypting data transmission from data and the web application clients?

You may either use IIS manager to create a self-signed certificate or you can duplicate a web server template from your company’s issuing certificate authority then add it through the Certificates MMC for the computer account. Even though, it is possible to use self-signed certificates, it is recommended only when doing it for test purposes because it significantly lowers the level of security. The next step is to give the SQL server’s service account read permissions on the certificate, and choose the certificate in SQL Server’s network configuration in configuration manager. Also, you may need to append “encrypt=true” in the connection string in your applications among other things such as MSSQL Library (for example for web-based applications) etc.

In order to have the full benefits of SSL certificates, the implementation has to be done correctly from the start. For example, the role of Certificate Services that is offered as a server role in Microsoft Windows Servers is deployed in a secure way, in line with best practices, and the Root Certificate Authority and all its Issuing Certificate Authorities are protected. The deployment does not consist of only installing a role but also using an HSM (Hardware Security Module) to secure keys and using several servers to achieve the best PKI deployment with Certificate Revocation list checking. A properly built PKI should be a cornerstone of security for an organization and support many use cases for authentication, digital signature and encryption

Contact

I can work online or via W2 contract to help you with supporting your new project, with background check & clearance for government project.

Online, US/EU

+1-561-509-1281 (Voicemail/SMS)

pki@usa.com


pic

With Berthe Meijer (R.I.P.) & Gary Goldschneider (R.I.P.) in France, 2011

www.000webhost.com