+1.800.357.1019

+1.800.357.1019

Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

MongoDB World 2019 Encryption Survey

Posted by Ken Mafli on Aug 8, 2019 8:42:34 AM

This June we had a chance to participate in MongoDB World 2019 in New York City as an exhibitor. It was a great time as MongoDB professionals from around the world attended. We had an opportunity to ask them about their company's encryption and key management practices. Below are the results as well as some expert weigh-in on the findings. Enjoy!

 

MongoDB-Survey-2019

 

If you are looking to protect your encryption keys for your sensitive data in MongoDB, you need a FIPS 140-2 compliant centralized key manager that:

  • Never charges you additional fees for connecting a new end-point.
  • Never limits the number of end-points based on the model of the KMS.
  • Never limits the number of encryption keys generated or stored.
  • Never forces you to pay extra fees for software patches.
  • Never forces you to pay extra fees for routine software upgrades.
  • Always gives you unmatched customer service.
  • Always protects your keys, 24/7.

You need Alliance Key Manager for MongoDB.

Encryption and key management for MongoDB

 

Topics: MongoDB Encryption, MongoDB Encryption Key Management, MongoDB

Case Study: Indus Systems

Posted by Luke Probasco on Jul 16, 2019 8:13:57 AM

indus-LogoIT Solution Provider Helps Customer Protect vSphere and vSAN Encryption Keys with Alliance Key Manager for VMWare

 


“As our customers face new and evolving compliance regulations that require them to encrypt private data, we needed a partner that could provide easy and affordable encryption key management for VMware.

- Kushal Sukhija, Technical Director

 
Indus Systems
Indus Case StudyAs processes are becoming more complex, competitive and demanding, businesses are constantly exploring new ways to deploy effective solutions. Indus Systems (www.indussystem.com), over the years, has synchronized their team to offer best-of-breed solutions from leading technology partners, coupled with their Professional Services to help customers to protect their Information Technology investment, reduce costs and grow business. Their IT Solutions increase people efficiency, reduce infrastructure footprint, which acts as catalyst towards quantum business growth. Indus Systems thrives to be a hand-holding partner in their customers’ journey.
With over 15 years of experience and 300+ happy clients, Indus Systems offers solutions in:
  • Business Continuity
  • Core Infrastructure
  • Network & Security
  • Mobility
  • User Devices
  • Professional Services 

 

The Challenge: vSphere / vSAN Encryption Key Management

Based in India, Indus Systems is increasingly finding their financial customers concerned with meeting the Securities and Exchange Board of India (SEBI) requirements for protecting private information. According to the SEBI framework, which came into force on April 1, 2019, “Critical data must be identified and encrypted in motion and at rest by using strong encryption methods.”

JM FinancialWith SEBI’s new cyber security framework, JM Financial Asset Management Ltd turned to Indus Systems for guidance on how to better protect their data. JM Financial Asset Management Ltd, an Indus Systems customer of 10 years, were due for a technology refresh. As part of the project, the company would rely heavily on VMware and protecting private data with vSphere and vSAN encryption.

Knowing that for encryption to be truly effective it needs to be coupled with encryption key management, Indus Systems and JM Financial Asset Management Ltd visited VMware’s Solution Exchange in search of a VMware Ready key management solution.

The Solution

Alliance Key Manager for VMware

“After visiting VMware’s Solution Exchange and finding Townsend Security’s Alliance Key Manager as a VMware Ready solution that had been certified by VMware for use with vSphere and vSAN encryption, we knew that we could easily help customers like JM Financial Asset Management Ltd meet SEBI’s encryption requirements,” said Kushal Sukhija, Technical Director, Indus Systems.

With Alliance Key Manager for VMware, organizations can centrally manage their encryption keys with an affordable FIPS 140-2 compliant encryption key manager. Further, they can use native vSphere and vSAN encryption - agentless - to protect VMware images and digital assets at no additional cost. VMware customers can deploy multiple, redundant key servers as a part of the KMS Cluster configuration for maximum resilience and high availability.

“Alliance Key Manager proved to be an affordable and easy to deploy solution that we will be able to offer our customers beyond JM Financial Asset Management Ltd,” continued Sukhija. “Further, as part of our due diligence, we started
a Proof of Concept (POC) with another key management vendor as well. After getting halfway through the project, we could quickly see that their solution was getting complicated and expensive - something that we could not recommend and deploy for our customers.”

By deploying Alliance Key Manager for VMware, Indus Systems was able to meet their organization’s and client’s needs to protect private data at rest in VMware.

Integration with VMware

“VMware’s native vSphere and vSAN encryption make it easy to protect VMware images and digital assets. With Townsend Security’s Alliance Key Manager, we were able to protect our data with no additional agents or additional costs as JM Financial Asset Management Ltd scales their IT infrastructure,” said Sukhija. With a low total cost of ownership, Alliance Key Manager customers can leverage the built-in encryption engine in VMware enterprise, with no limits imposed to the number of servers or data that can be protected.

By achieving VMware Ready status with Alliance Key Manager, Townsend Security has been able to work with VMware to bring affordable encryption key management to VMware customers and the many databases and applications they run in VMware Enterprise. VMware Ready status signifies to customers that Alliance Key Manager for VMware can be deployed in production environments with confidence and can speed time to value within customer environments.

Indus Case Study

 



Topics: Alliance Key Manager, Case Study

VMWare and Encryption Key Management Failover

Posted by Patrick Townsend on Jun 26, 2019 12:38:09 PM

Encryption and Key Management for VMware - Definitive GuideOne of the easiest ways to implement encryption controls in your VMware infrastructure is to activate vSphere and vSAN encryption. With vSphere encryption you can insure that all VM images are encrypted at rest, and with vSAN encryption you can set up virtual disks that are fully encrypted protecting any files that you place there. vSphere encryption was implemented in version 6.5, and vSAN encryption was implemented in version 6.6. All subsequent versions of vSphere and vSAN include these capabilities. (Note that you must be on the Enterprise or Platinum edition).

In both vSphere and vSAN the key manager is integrated using the open standard Key Management Interoperability Protocol, or KMIP. This means that any key management solution that supports the necessary KMIP interface can work as a vSphere or vSAN key manager. Our Alliance Key Manager solution implements this support, and is already in use by our VMware customers. 

The most common question we get about these new encryption features is: How do I manage failover for the key managers?

This is a great question as VMware is a part of your critical infrastructure, and key management has to work with your high availability strategy. There are two parts to this question and lets dig into both of them:

Defining Key Managers to vSphere KMS Cluster

Key managers are defined to vSphere using the option to configure the KMS Cluster. A KMS Cluster configuration allows you to define more than one key manager. So you have a readily available path for failover. The first key manager configuration is the primary key manager, and all subsequent key managers in the KMS Cluster are failover key managers. vSphere will always use the first key manager you define and treat it as the primary. 

In the event vSphere cannot connect to the primary key manager, it will try to connect to the second key manager in the KMS Cluster configuration. If that one fails it will try the third one, and so forth. The failover order is the order in which you define key managers in the KMS Cluster, so you should keep that in mind as you define the key managers.

While vSphere allows you to create multiple KMS Cluster definitions, very few VMware customers need multiple definitions. Just put your key manager definitions in a single KMS Cluster and you are set to go. 

If you have failover clusters for VMware, be sure to define the KMS Cluster for the failover environment, too!

Implementing Key Mirroring in Alliance Key Manager

Now that you have failover key managers defined to the KMS Cluster, you need to activate key mirroring between the primary key manager and each failover key manager. This is really easy to do, and you don’t need any third party products to implement key mirroring with Alliance Key Manager. Real time, active-active key mirroring is built right into the solution. You can SSH into the key manager, provide credentials, and then take the menu option to set up the primary or secondary key server. Answer a few questions and you will have key mirroring enabled between two or more Alliance Key Manager servers.

Our Alliance Key Manager solution implements full support for vSphere and vSAN encryption key management and has everything you need to get started. Adding encryption to your VMware environment is easy. VMware did a great job with this implementation of key management support and you can easily realize the benefits of protecting VMware infrastructure.

Alliance Key Manager documentation for vSphere can be found here.

You can download Alliance Key Manager and get started right away. Here is where to go to start the process.

Townsend Security will help you get started with vSphere and vSAN encryption. There is no charge for the evaluation or evaluation licenses and you will get access to the Townsend Security support team to ensure you have a successful project.

Patrick

New call-to-action

Topics: Alliance Key Manager, VMware

Encryption and Key Management - The SIX Mistakes that Startups and ISVs Make and How To Avoid Them

Posted by Patrick Townsend on Apr 18, 2019 1:27:59 PM

In our practice here at Townsend Security we engage with a lot of startups and mature ISVs who are trying to grow their business and customer base, leverage their technologies into new opportunities, and grow or migrate to the cloud. We know how difficult it is to start and grow a company, and what a wide set of business challenges have to be overcome. Our hats are off to every entrepreneur who has created a successful company, and every ISV who has kept it going!

Designing Applications with Encryption and Key ManagementI want to share a few thoughts on some pitfalls that can damage your ability to grow your company with a focus on the encryption of sensitive data. Too many promising companies flounder because of poor security implementations, and failing to get encryption right can lead to lost opportunities - maybe even the loss of that breakout sale you need to land a global company. Some early thought and planning about data security can help you weather your migration up the food chain and avoid such losses.

Number 1: Failure to encrypt sensitive data

The single biggest failure of data security is not doing it at all. Even in this age of massive public data breaches, and the damage that they do to companies of all sizes, most startups and ISVs are not implementing encryption of sensitive data. When product managers and developers work on their next big idea, they focus on exciting features in their product and often ignore the work it takes to implement encryption. They instead rely on access control lists and other mechanisms to protect data. These are, of course, important things to do. But the failure to encrypt sensitive data leaves a big hole in your security strategy.

What can go wrong if you haven’t implemented encryption? LOTS !!!

  • The publicity around a data breach can tarnish your reputation and kill opportunities.
  • The lack of encryption may cause compliance regulation failures making it impossible to enter new markets.
  • You may not be able to pass a security review of your software by that large global Enterprise.
  • You may not be able to enter government channels where encryption is a mandate.
  • If your customer experiences a data breach you may encounter substantial litigation costs that damage your financial resources and delay critical development.
  • You may fail to secure that next round of funding when an investor discovers the security gaps in your product.

When these kinds of events damage your ability to grow your company, it can be hard to mitigate them in a timely fashion. And you often won’t know about these dangers until you get fairly far down the road with your business plan.

Number 2: Failure to get key management right

For startups and ISVs who DO understand the need for encryption of sensitive data, the next biggest pitfall is the failure to protect encryption keys properly. Almost every database that supports encryption also supports the ability to protect the database encryption keys with a key manager. But that doesn’t mean that good key management is the default! In most cases the default database key management option is to store the encryption keys on the same server as the sensitive data. Sometimes the database will even store the encryption key locally and in the clear! So getting encryption key management right is critical to your security strategy. It won’t help to have encryption of your data enabled, and then have a cybercriminal steal your data along with the encryption key.

Related to key management here are some things to look for when you consider databases for your application:

  • Does your database have built-in encryption? Relying on third-party encryption solutions at the file/folder level will certainly cause deployment and scalability problems.
  • Does your database support integration with third-party key managers? If there is no easy way to integrate proper key management into the database, this will also cause deployment and technology delays.
  • Does your database support open standards for key management? For example, the Key Management Interoperability Protocol (KMIP) defines how applications like databases can easily integrate a key manager.
  • Does your database support key management failover? Remember that protecting encryption keys with a key manager also brings along the question of high availability and failover.

HINT:

If you are a startup be sure to choose a database that supports built-in encryption and proper key management. You have lots of good choices in both commercial and open source solutions. So go with a database with native, built-in encryption and key management!

Number 3: Failure to get FIPS 140-2 right

There are important standards and certifications for key management solutions. The most important of these is the National Institute of Standards and Technology’s (NIST) FIPS 140-2 standard. In addition to being a published standard, there is also a validation process for key management systems. The standard, and the validation to that standard, are critically important to your data security strategy. All professional key management solutions have been validated to the FIPS 140-2 standard and you should be sure to deploy a validated key management solution. This will help you avoid failing a security audit by that important new customer!

In addition to ensuring that your key manager is validated to FIPS 140-2, be sure that the entire key management solution is validated. There are many cases where the encryption library alone is validated to FIPS 140-2, but the key management application is not. It is good to have validated encryption, but that is just the start! Encryption key management has its own validation points and you will need both.

Snake Oil Alert !!!

Unfortunately, there are some key management solutions that make unwarranted claims about FIPS 140-2 compliance and validation. Here are a few warning signs to look for when you evaluate a key management solution:

  • A vendor makes compliance claims, but there is no validation. Some vendors claim to be “FIPS 140-2 compliant” but in fact have never completed a FIPS 140-2 validation. Security is hard, and unsubstantiated claims should be a red flag.
  • A vendor claims FIPS 140-2 compliance, but the validation is “in process”, but not complete. A security product can be “in process” for many months or even years. A claim of FIPS 140-2 compliance without actual completion should also be a red flag.
  • A vendor makes some claims of FIPS 140-2 validation, but research shows that the key management solution was not validated by that vendor.
  • A vendor makes a claim of FIPS 140-2 compliance, but the solution is only compliant when backed by a third party validated key management solution. In this case the vendor solution itself is not validated, but relies on the validation of another solution. You may be fooled into thinking that the solution itself is compliant when it is not. Especially watch for this pitfall with open source solutions.

You can always check a vendor’s claims of FIPS 140-2 compliance. Ask for the NIST FIPS 140-2 certificate number, and then Google it. NIST makes the validation certificate available to the public on their website. Copy and paste this into Google search:

NIST FIPS 140-2 certificate number 1449

That was easy!

Number 4:  Failure to make encryption and key management easy and invisible

Now that you are on the road to getting encryption and key management right, it is important to also make it easy and invisible. Your customers have a lot on their agendas, and becoming a key management expert is probably not one of them. So even if you follow the above advice and implement encryption and key management, do your customers a favor and make key management easy. The best way to do this is to bundle a key management solution into your product, and make key management automatic. You can still enable the configuration of an external key management system (some customers will want this), but you can really make it easy for most of your customers if you automate the key management tasks.

Automating key management is a great competitive advantage! One of our partners in the archival and backup space implemented this strategy and make great competitive wins on this feature alone! Their message was simple:

“We have encryption and key management. It is FIPS 140-2 validated. It is completely automatic so you don’t have to spend time fiddling around with a complex key management system.”

This strategy won them a lot of competitive deals and it was easy to talk about - and it shortened the sales cycle.  Of course, be sure that your key management solution supports this type of integration and automation!

Number 5:  Failure to segment customer data

As you move to the cloud and create shared, multi-tenant SaaS solutions, be sure to plan for and architect data segmentation into your solution. You will encounter large customers who will not want to have their data in the same space as other customers. They will want the additional security of segmenting their data into a virtual private cloud. With planning, your technical team can meet this kind of requirement, and help you close that very large deal.

Of course, a data segmentation plan requires a key management segmentation plan. For the same reasons customers want to segment their data, they don’t want to share key management with other customers. And they want to maintain full control of the key management implementation. So be sure to plan for customer-specific deployments of encryption key management and failover key management servers. A properly implemented data and key management segmentation plan will even allow for on-premise deployments that are “cloud ready.”

Number 6:  Failure to develop new market opportunities

Think about Amazon (the company) for a moment. At one point in their history they were an online bookstore. Today the company is very different. Amazon first leveraged its technologies to sell all kinds of products, and then created Amazon Web Services (AWS) to enable all of us to benefit from cloud technologies.

Are you thinking like Amazon? If not, you might be missing some big opportunities. Now that you have secure applications, are there lateral opportunities or technology licensing opportunities available to you? When you approach new opportunities and partners, don’t be afraid to talk about security. Regardless of what you’ve heard:

SECURITY SELLS!

Developing Applications with Encryption & Key Management

Topics: Encryption, Encryption Key Management, ISV, Partner

Townsend Security Announces Alliance Key Manager for VMware Cloud on AWS

Posted by Luke Probasco on Apr 9, 2019 12:01:00 AM

Alliance Key Manager for VMware Cloud on AWS provides customers with dedicated key management in AWS – with no access to encryption keys by cloud service provider (CSP).

Townsend Security today announced Alliance Key Manager is available to customers of VMware Cloud™ on AWS. VMware Cloud on AWS brings together VMware’s enterprise-class Software-Defined Data Center (SDDC) software and elastic, bare-metal infrastructure from Amazon Web Services (AWS) to give organizations consistent operating model and application mobility for private and public cloud. Alliance Key Manager for VMware Cloud on AWS enables the flexibility and security of a native VMware encryption key manager to customers of VMware Cloud on AWS.

As VMware users turn to VMware Cloud on AWS, they bring their sensitive data with them – customer names, email addresses and other personally identifiable information (PII). While compliance regulations require protecting this information, encrypting this data has been a challenge for organizations who want the flexibility and security of a native VMware encryption key manager. By deploying Alliance Key Manager for VMware Cloud on AWS, customers can achieve their security and efficiency goals in a cloud environment.

“With subscription and perpetual licensed options for the Alliance Key Manager for VMware Cloud on AWS, we have licensing options to fit the needs and budgets of our customers. Additionally, there are never extra fees for deploying additional nodes, databases or applications - giving your encryption strategy the freedom to scale without having to come up with budget for added licenses,” said Patrick Townsend, CEO & Founder, Townsend Security.

VMware Cloud on AWS technology partners enable customers to deploy the same proven solutions seamlessly in both the public and private cloud. VMware simplifies the deployment and eliminates the need for partners to refactor solutions for VMware Cloud on AWS. If a partner solution works on-premises in a VMware vSphere environment, it will easily support VMware Cloud on AWS. VMware technology partners complement and enhance native VMware Cloud on AWS service and enable customers to realize new capabilities.

“VMware Cloud on AWS provides customers a seamlessly integrated hybrid cloud offering that gives customers the SDDC experience from the leader in private cloud, running on the leading public cloud provider, AWS,” said Kristen Edwards, director, Technology Alliance Partner Program, VMware. Solutions such as Alliance Key Manager for VMware Cloud on AWS enable IT teams to reduce cost, increase efficiency, and create operational consistency across cloud environments. We’re excited to work with partners such as Townsend Security to enhance native VMware Cloud on AWS capabilities and empower customers with flexibility and choice in solutions that can drive business value.”

About VMware Cloud on AWS

Delivered, sold and supported by VMware and its channel partners as an on-demand service, and running on elastic, bare-metal AWS infrastructure, VMware Cloud on AWS is powered by VMware Cloud Foundation, the unified SDDC platform that integrates vSphere, VMware vSAN and VMware NSX virtualization technologies. With the same architecture and operational experience on-premises and in the cloud, IT teams can quickly derive business value from use of the AWS and VMware hybrid cloud experience. For more information on the VMware Cloud on AWS partner ecosystem, visit: http://cloud.vmware.com/vmc-aws

Townsend Security‘s product information, collateral and other assets are listed within the online VMware Solution Exchange at https://marketplace.vmware.com/vsx/solutions/alliance-key-manager-for-vmware-cloud-on-aws-4-60?ref=search. The VMware Solution Exchange is an online marketplace where VMware partners and developers can publish rich marketing content and downloadable software for our customers.

# # #

VMware, VMware Cloud, vSphere, Cloud Foundation, vSAN, and NSX are registered trademarks or trademarks of VMware, Inc. in the United States and other jurisdictions.           

New call-to-action

Topics: Press Release, Alliance Key Manager for VMware Cloud on AWS

RSA vs AES Encryption - A Primer

Posted by Patrick Townsend on Mar 25, 2019 8:10:41 AM

If you are new to encryption you might be asking yourself, "what is the difference between RSA encryption and AES encryption, and when should you use them?" It’s a great newbie question, so let’s go exploring.

eBook: Definitive Guide to Encryption Key ManagementAES stands for Advanced Encryption Standard and is in wide use around the world. It falls into a class of encryption methods called “symmetric” encryption. That is, the same secret (an encryption key) is used to encrypt the data, and also used to decrypt the data. AES encryption is probably the most widely used encryption method for protecting data at rest. You will find it used in self-encrypting disk drives, database encryption, storage encryption, and so forth. It’s been around since about 2002, and it is an international standard. Roughly speaking, when you encrypt with AES you put data and the secret encryption key into software that implements AES encryption, and out comes the encrypted data. When you want to use that data you put the encrypted data and the same encryption key into the software, and out comes the original data that you can use.

There are other symmetric key encryption algorithms, and we’ll discuss that a bit below.

RSA encryption is named after the three inventors of the encryption method: Ron Rivest, Adi Shamir, and Leonard Adleman. RSA falls into a class of encryption methods called “asymmetric” encryption. The name asymmetric follows from the fact that there are two related secrets, or keys, used for encryption. One is called a public key, and the other is called a private key. The keys are related in the sense that if you encrypt with the public key, you can only decrypt with the related private key. And the reverse is true, too - If you encrypt with the private key, you can only decrypt with the associated public key. The math is pretty amazing and involves very large prime numbers and factorization. RSA keys are usually used when you have two physically separate endpoints. RSA encryption is often used in web browsers to connect to your favorite websites, in VPN connections, and in many other applications. We use asymmetric encryption every day.

There are other asymmetric encryption algorithms, and we’ll mention a few later.

So, when do we use AES encryption?

AES encryption is great when we have a constrained environment. For example, if we encrypt data in a database, we will decrypt data when we need to access the database. Another example is hard drive encryption - we encrypt the data written to the disk, and decrypt it when we read from the disk. Encryption and decryption will take place on the same platform and in the same context. AES encryption is great for this particular use case. That is why it is commonly used for protecting data at rest.

When do we use RSA encryption?

RSA encryption is really great when we have two physically or geographically different end-points. If I am encrypting data in San Francisco, and you are decrypting it in Dubai, I am likely to use RSA encryption because it is ideal for two separate end-points. I can encrypt data with an RSA public key at the originating end-point, send it over an unsecure web connection, and decrypt it with the RSA private key at the destination end-point, and not worry about who might intercept it in the middle. The unique public / private key aspects of asymmetric encryption helps us be secure when we are separated by many miles of insecurity and hostile internet territory.

Performance and how this affects the use of RSA encryption

RSA encryption is great for protecting the transfer of data across geographic boundaries. But we have a bit of a problem with RSA encryption - it is really poor from a performance perspective. I might want to send you my sensitive file, but encrypting that with RSA is going to be difficult due to the low performance of RSA encryption. No problem! You can combine RSA encryption with AES symmetric encryption to achieve the security of RSA with the performance of AES. This is normally done by generating a temporary, or session, AES key and protecting it with RSA encryption.

Other symmetric algorithms

AES is not the only symmetric encryption method. The older, and still standard, Triple DES (Data Encryption Standard) method is still in wide use. Triple DES is an accepted standard even though it is older than AES. However, for any new applications you should avoid the use of TDES (also called TDEA) encryption and it is likely to be deprecated as a standard soon.  Other encryption algorithms exist, such as Two Fish, Blow Fish, Ghost, and others. While they may be good encryption algorithms, they have not achieved the status of accepted standards, and so you should avoid them.

Other asymmetric algorithms

RSA is the granddaddy of asymmetric algorithms. But is is not the only accepted standard for asymmetric encryption. Elliptic Curve Cryptography (ECC) is also in wide use (usually combined with a symmetric algorithm) and is an accepted standard for asymmetric encryption. It performs better than RSA, but still lags AES in terms of performance. You should feel comfortable using ECC for asymmetric encryption needs.

AES encryption and modes of encryption

While AES encryption is the most commonly adopted encryption method, you should be aware that there are multiple modes of operation that can be used with AES. These are also specified in the standards. The raw AES mode of operation is called Electronic Code Book, or ECB. Because raw AES in ECB mode can leak pattern information when encrypting large amounts of data, it is common to use a mode of encryption that incorporates an initialization vector. The Cipher Block Chaining (CBC) mode of AES encryption is very common, as is Counter (CTR) mode. For storage devices it is common to find the XTS mode of encryption used. If data corruption is of concern, you might find the Galois Counter Mode (GCM) in use.

The evolving world of encryption

The world of encryption is always evolving. Cryptographers are working on new algorithms and improvements to existing algorithms to meet the challenges of high performance computing and quantum computing. It is an exciting time for cryptography and encryption key management. For now, you should always stick to published standards like AES, RSA and others mentioned here. Doing so brings the benefits of a consensus among a world-wide group of cryptographers, and keeps you in alignment with many compliance regulations.

Please let me know if you have any questions.

Patrick

eBook: Definitive Guide to Encryption Key Management

Topics: Encryption

Encryption Service Performance with Alliance Key Manager

Posted by Luke Probasco on Mar 18, 2019 10:31:02 AM

For applications that require the highest level of security, developers can use the on-board, NIST-compliant encryption and decryption services on Alliance Key Manager, rather than encrypting at the application or database level. Under this strategy, encryption keys never leave the key manager. With on-board encryption services, small chunks of data, such as credit card numbers, Social Security numbers, e-mail addresses, etc are encrypted on the server (physical HSM, VMware, or virtual appliance in the cloud). Because data is securely transferred to the key manager for encryption, it is recommended for smaller amounts of data. For larger amounts of data, it is still recommended to encrypt at the database or application level.

Using an Encryption Service
Businesses can use onboard encryption effectively to improve their security posture and reduce their attack surface. This strategy is helpful in situations where they don’t want to expose the encryption key in their application or server environment. For businesses who have their data in the cloud, this also alleviates the risk of exposure of the encryption key in cloud memory.

Encryption Service Performance
The performance of an encryption service is one of the biggest concerns that businesses have when taking this approach to protecting data. To shed some light on these concerns, we did some testing using our Java SDK on small blobs (<16KB) and with our .NET Key Client for large blobs.

Small Blob Performance
Quant. | avg enc/dec | avg rate
< 1KB | 48ms | 21 ops/sec
3KB | 50ms | 20 ops/sec
5KB | 51ms | 20 ops/sec
7KB | 52ms | 19 ops/sec
10KB | 53ms | 19 ops/sec
16KB | 55ms | 18 ops/sec

As a general metric, it is fair to say that for small pieces of data, the average latency for AES encryption (using CBC mode) is 50ms, yielding a rate of 20 operations per second.

Large Blob Performance

The results of testing with the .NET Key Client for large blob:

Quant | Avg. enc. time
1MB | 462 ms
2MB | 535 ms
5MB | 949 ms
7MB | 1.16 s
10MB | 1.74 s
15MB | 2.34 s
25MB | 3.61 s
50MB | 7.60 s
70MB | 10.65 s

This can be represented as a graph:

Seconds vs Size

Taking this data and calculating the rate at which Alliance Key Manager is encrypting data, we were able to generate this graph:

AKM size of data being decrypted
The horizontal axis is the size of the data being encrypted--the larger the file, the more likely it will approach maximum speed. For encrypting small pieces of data, the process of establishing a connection to Alliance Key Manager and sending the data vastly outweighs the actual encryption, so the rate shows as very low. It spikes up to about 6.5 MB/s when the size of the data is around 5MB--larger than that, and the time to encrypt can be predicted using that rate.

The major take-away: encrypting large blobs on AKM using the .NET Key Client occurs at a rate of 6.5MB/s. It is likely that the Java SDK, and other SDKs, would have about the same level of performance. This data was compiled on an AKM with 1CPU and 2GB of memory. Doubling those resources yields a small increase in performance--up to 6.9 MB/s .

Conclusion

While there are performance impacts when encrypting large amounts of data with an encryption service (as opposed to encrypting an entire database or column within), it does provide improved security on smaller amounts of data for business wanting to minimize their encryption key exposure. Further, by utilizing Townsend Security’s encryption service, businesses can have confidence that they are protecting their data with NIST-compliant AES encryption. NIST compliance means that the encryption implementation has been reviewed by an independent testing lab who reports the results to NIST for validation.

eBook: Definitive Guide to Encryption Key Management

Topics: Alliance Key Manager, On-Board Encryption

Don’t Forget About FIPS 140-2 and Other Fundamental Key Management Features

Posted by Luke Probasco on Jan 28, 2019 1:04:00 PM

Over the last several years, encryption key management has attained “essential infrastructure” status. When done properly, key management can protect encrypted data - and in the event of a data breach, can even provide a company with an exemption for a breach notification.

Don't Forget FIPS 140-2 and Other FundamentalsI recently sat down with Patrick Townsend, Founder and CEO of Townsend Security to talk about encryption key management and the importance of standards, what to look for in a key manager, and fundamental features of an enterprise grade key manager. While Townsend Security isn’t alone in the key management game, there are a few telltale signs that differentiate a key manager that meets industry standards and one that will leave you with a breach notification on your hands. Let’s jump in.

Hi Patrick. Townsend Security has been in the key management game for close to 10 years now. Back when Alliance Key Manager was brought to market, people weren’t really sure what key management was. Now it is considered essential infrastructure.

Yes, it sure is. Things have changed so dramatically over the last few years. Encrypting sensitive data is now a requirement for businesses who need to meet data privacy compliance regulations. And it is also achieving visibility at the executive level as a part of a GRC (governance, risk, compliance) plan. The landscape really has changed a great deal, and I think organizations are stepping up and doing a better job.

We are also seeing databases implementing encryption directly into the database engine. MongoDB Enterprise is an excellent example of this by incorporating AES encryption into the WiredTiger storage engine and providing KMIP for good key management. Microsoft SQL Server Enterprise has also built the encryption engine right into the database with transparent data encryption (TDE) and provides extensible key management (EKM) for vendors like us to plug in to and allow users to properly manage encryption keys.

Let’s spend a minute on compliance. What regulations require key management?

It is true that there are a lot of compliance regulations and most of us fall under multiple. Certainly, GDPR and the new Australian law have come on board and are affecting the way companies all over the world, even outside of the EU, who are now taking steps to protect that data. Almost all regulations require the protection of data, which encryption can help with. Regarding encryption, from a best practices point of view, if you don’t have proper key management, you don’t have encryption.

PCI DSS and the payment industry has now been with us for a decade and that also drives the protection of a lot of sensitive data. While PCI DSS is a private regulation between merchants who accept credit cards and the industry, it is a strong regulation with strong penalties. Because of the longevity and focus on security, PCI DSS often informs other regulations and corporate governance boards.

While we live in a very complex set of compliance requirements, there are fortunately some similarities. When we set out to protect sensitive data, and do it right, which I am sure you know by now means based on standards and security best practices, we find business meeting a broad set of regulations.

As I mentioned earlier, key management is considered essential infrastructure. Back when Townsend Security first entered the market, there were just a few options for the enterprise to choose from. Today, options have dramatically increased. With that said, there are a few ways to distinguish a key manager that meets industry standards and one that will leave you with a breach notification on your hands.

There are a few key quality indicators when assessing key management systems. First off, a key management server must be validated to FIPS 140-2. That is the US and Canadian standard for cryptographic modules and it is just a fundamental indicator of the seriousness of a company and its ability to build good key management solutions. Unfortunately, there are claims of FIPS 140-2 compliance by vendors who have systems which have actually not completed a validation. It’s always a good idea to ask your key management vendor what their certificate number is so that you can look it up yourself on the NIST website. Additionally, key management vendors should be able meet KMIP requirements by demonstrating interoperability. These sorts of validations and certifications show that a key management vendor is stepping up to the technical requirements that customers expect.

Finally, there are individual specific validations to regulations. Our key manager, for example, has been through a PCI DSS validation with a QSA auditor and with VMware. You want to avoid solutions that are simply “key storage” which haven’t been validated and there has not been external review and validation of the cryptographic approach. It is incredibly easy to get encryption and key management wrong from a technical point of view.

Third-party attestations and validations are critically important. You are putting your digital assets, not to mention your company’s reputation, at risk when you use a poor quality key management server (KMS). Fortunately, today there are very affordable solutions available everywhere from a traditional hardware security module, to VMware, to the cloud. 10 years ago, key management servers where terribly expensive.

Yeah, I have been seeing key managers hitting the market that range from open source to cloud service provider (CSP) provided. Some key managers will even claim FIPS compliance when a simple check with NIST shows them nowhere to be found. You also get providers who claim FIPS compliance because they are using a module that has been through a validation, which as I am sure you can tell us more about, doesn’t make your solution compliant.

That’s right. Unfortunately, there is still a fair amount of snake oil in the industry. People claim FIPS 140-2 compliance, but haven’t fully been through the process. As you mentioned, claiming one component as being FIPS 140-2 compliant does not make your entire solution compliant. I like to say, “I drive a Toyota. If I put a Jaguar hood ornament on my car, it doesn't turn my car into a Jaguar. It is still a Toyota!” There is a lot of language used by some solution providers that just isn’t accurate and should be verified before choosing a solution.

You also talked about governance. Let’s take a look at the recent Marriott/Starwood breach. There was an interesting statement where they said “we can’t be absolutely sure that the encryption keys weren’t lost.” If you are using enterprise level key management systems, you have monitoring and audit trails that will show if keys have been retrieved. By them not knowing, it is easy to surmise that they weren’t adequately protecting our information. This was a failure of governance in regards to critical security infrastructure. We might not be talking about the breach right now had they had industry standard key management in place.

Changing gears a little, we have in the past seen cloud vendors offer key management systems in their shared environments. Multi tenant key management presents a concern for enterprises. Just last week I had a conversation with a security professional from a global enterprise who said, “for us, trust is paramount to our brand. We will never allow encryption keys to be stored and accessed by a cloud vendor.” I thought it was a very interesting statement and completely lines up with other enterprises that I speak with.

There is also a bit of confusion on the term KMS. For example, VMware defines KMS as a Key Management Server. Amazon, on the other hand, defines their KMS as a “Key Management Service.”

Well, there is a bit of confusion on this isn’t there? A true enterprise key management system (KMS), is responsible for the entire lifecycle of an encryption key - from generation where admins create provably strong keys, to storage, to provisioning applications and users who need the keys, all the way through to the archival and destruction of the keys. Key management systems manage all of those phases according to industry standards.  

A key management service can better be defined as storage service and offers a mix of capabilities. Some are services that are shared, multi-tenant environments. CSP key managers often work this way (think AWS KMS, Azure Key Vault). Many services don’t give you full access or control over a key’s complete lifecycle. Some services allow you to bring your own key, but then bring that into their own infrastructure, where you then share administrative access and control.

It is very important to know that if you are truly trying to do security the right way, you need a key management system that is built to industry standards and validated to industry standards. One last point, it is possible to do key management correctly in the cloud. There are third-party key management offerings that can be found in the marketplace that meet all the standards that we have been talking about, and are dedicated to you and only you. Our Alliance Key Manager is one, for example.

A feature that we are very proud of with our key manager is that it runs the same software in the Cloud, VMware, or as a traditional hardware security module (HSM). We have customers setting up hybrid cloud/on-prem deployments or even cross-cloud. The way we license our key managers works really well for the modern enterprise which needs a predictable, low TCO. With Alliance Key Manager, there are never added fees for additional databases or applications.

To hear this conversation in its entirety, download our podcast Don’t Forget About FIPS 140-2 and Other Fundamental Key Management Features and hear Patrick Townsend further what enterprises should look for in a key manager, the importance of standards, and other fundamental features of an enterprise grade key manager.

Don't Forget FIPS 140-2 and Other Fundamental Encryption Key Management Features

Topics: Encryption Key Management, FIPS-140

Townsend Security and Alliance Key Manager Achieves VMware Ready™ Status

Posted by Luke Probasco on Jan 22, 2019 12:01:00 AM

Townsend Security, today announced that its Alliance Key Manager for VMware has achieved VMware Ready status. This designation indicates that after a detailed validation process Alliance Key Manager for VMware has achieved VMware’s highest level of endorsement and is supported on VMware ESXi  (all supported versions, vSphere 6.5 and later, and vSAN 6.6 and later) for production environments.

Encryption and Key Management for VMware - Definitive Guide“We are pleased that Townsend Security and Alliance Key Manager for VMware qualifies for the VMware Ready logo, signifying to customers that it has met specific VMware interoperability standards and works effectively with VMware cloud infrastructure. This signifies to customers that Alliance Key Manager for VMware can be deployed in production environments with confidence and can speed time to value within customer environments,” said Kristen Edwards, director, Technology Alliance Partner Program, VMware.

By using Alliance Key Manager for VMware with VMware ESXi (all supported versions, vSphere 6.5 and later, and vSAN 6.6 and later) organizations can centrally manage their encryption keys with an affordable FIPS 140-2 compliant encryption key manager. Further, they can use native vSphere and vSAN encryption to protect VMware images and digital assets at no additional cost. VMware customers can deploy multiple, redundant key servers as a part of the KMS Cluster configuration for maximum resilience and high availability.

“By achieving VMware Ready status with Alliance Key Manager for VMware, Townsend Security has been able to work with VMware to bring affordable encryption key management to VMware customers and the many databases and applications they run in VMware,” said Patrick Townsend, CEO of Townsend Security. “Meeting data security compliance in VMware vSphere is now easier than ever.”

The VMware Ready program is a co-branding benefit of the Technology Alliance Partner (TAP) program that makes it easy for customers to identify partner products certified to work with VMware cloud infrastructure. Customers can use these products and solutions to lower project risks and realize cost savings over custom built solutions. With thousands of members worldwide, the VMware TAP program includes best-of-breed technology partners with the shared commitment to bring the best expertise and business solution for each unique customer need.

Townsend Security and Alliance Key Manager for VMware can be found within the online VMware Solution Exchange (VSX) at https://tsec.io/VMwareReadyPR. The VMware Solution Exchange is an online marketplace where VMware partners and developers can publish rich marketing content and downloadable software for our customers.

VMware, VSXi, vSphere, vSAN and VMware Ready are registered trademarks or trademarks of VMware, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

New call-to-action

Topics: Encryption Key Management, VMware, Press Release, vSphere, vSAN

2018 SQL Server Encryption Survey

Posted by Ken Mafli on Jan 21, 2019 6:51:00 AM

This last November (Nov. 6-9, 2018) we had a chance to participate in the 20th annual PASS Summit in Seattle as an exhibitor. It was a great time as SQL Server professionals from around the world attended. We had an opportunity to ask them about their company's encryption and key management practices. Below are the results as well as some expert weigh-in on the findings. Enjoy!

 

SQL-Server-Survey-2018

 

A special thanks to our contributors for their expertise and guidance. You all are clear-minded professionals that have a lot to offer those looking to better secure their data:

-Sebastian Meine, Ph.D., sqlity.net
-Steve Brown, Rutter Networking Technologies
-Tim Roncevich, CyberGuard Compliance
-Sharon Kleinerman, Townsend Security
-Patrick Townsend, Townsend Security

If you are looking to protect your encryption keys for your sensitive data in SQL Server, you need a FIPS 140-2 compliant centralized key manager that:

  • Never charges you additional fees for connecting a new end-point.
  • Never limits the number of end-points based on the model of the KMS.
  • Never limits the number of encryption keys generated or stored.
  • Never forces you to pay extra fees for software patches.
  • Never forces you to pay extra fees for routine software upgrades.
  • Always gives you unmatched customer service.
  • Always protects your keys, 24/7.

You need Alliance Key Manager for SQL Server.

Alliance-Key-Manager-for-SQL-Server 

 

 

Topics: Key Management, Extensible Key Management (EKM), SQL Server 2008, Microsoft, Info-graphic, SQL, Encryption Key Management, SQL Server, Transparent Data Encryption (TDE), SQL Server encryption

The Definitive Guide to AWS Encryption Key Management
 
Definitive Guide to VMware Encryption & Key Management
 

 

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all