+1.800.357.1019

+1.800.357.1019

Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

Don’t Let Your Application or Database Limit Your Encryption Strategy

Posted by Luke Probasco on Sep 23, 2019 8:37:27 AM

Historically, encryption and key management have been deployed at the application or database level. There are even several databases who’s “Enterprise” edition (like Microsoft SQL Server or MongoDB, for example) include options for encryption and external key management built right in the database. Unfortunately, these types of databases are the exception, rather than the rule. If you were to examine an organization's IT infrastructure, you are more likely to find a wide variety of databases and applications, some natively supporting encryption, some not, and many containing unprotected private information or personally identifiable information (PII). Simply put, their encryption strategy has been limited due to cost and resources required to properly protect private information. 

Podcast: Don't Let Your Application or Database Limit Your Encryption StrategyFortunately, these same enterprises have deployed VMware infrastructure, and starting with vSphere 6.5 and vSAN 6.6, are able to encrypt sensitive workloads in VMware using the advanced cryptographic features in vCenter. To put it a little more simply, businesses can protect their sensitive information in their internal applications and databases that don’t natively support transparent encryption with tools offered by VMware.

I recently sat down with security expert and CEO, Patrick Townsend, to talk about how enterprises can leverage VMware’s vSphere and vSAN to encrypt private data - regardless of whether their applications or databases support encryption. 

Hi Patrick. Let’s jump right in. With the introduction of vSphere encryption in 6.5 and vSAN 6.6, it has become much easier for businesses to encrypt private data. In the past they have relied on encryption at the application level or used the encryption that comes with their database. With so many enterprises deploying VMware, they no longer need to let their application or database limit their encryption strategy.

That’s absolutely correct. There are databases like Microsoft SQL Server and MongoDB EA, for example, that have encryption built right in - which makes it easy. But there are other times when encryption can be much more difficult. SQL Server Standard edition and the Community edition of MySQL, for example, do NOT support encryption. So, you have these widely used databases, with lots of unprotected data because that can be a challenge to encrypt. Using vSphere and vSAN encryption is a great way to address these gaps in an organization's encryption strategy with industry standards-based encryption. 

Sometimes the barrier to encryption is the cost of upgrading databases to “Enterprise” editions. Almost all of us are running VMware in our infrastructure anyway, so in many cases we already have the tools we need - the encryption support is there, we just need to use it. VMware even provides excellent guidance for encrypting databases, like Oracle and SQL Server, for example.

So, one of the most obvious questions. How is performance?

This is always a concern that people bring up. I can say that VMware has done a great job with performance in both encrypted VMs and vSAN - and performance continues to improve. These days, you can even deploy a large database on vSAN. This is a technology that has matured and gained the trust of customers, and they are adopting it at a rapid rate. There is also some really good material from VMware about performance expectations - white papers, solutions briefs, etc. Furthermore, both vSphere and vSAN take advantage of the Intel AES-NI on-chip accelerator for encryption, which provides a great performance boost.

Of course the key manager is the critical component that ensures the encrypted data stays encrypted. Without proper key management, it is like leaving the keys to your house under the welcome mat. What should our readers be looking for in a key manager?

Here is something that I think VMware did right. You must use a key manager in order to activate vSphere encryption of VMs or vSAN encryption. Within vSphere you are able to create a KMS cluster, define failover key managers, multiple KMS clusters, etc. They did a great job. Furthermore, VMware based their interface on the Key Management Interoperability Protocol (KMIP) industry standard. Other databases vendors, for example, allow local storage of encryption keys. That is really such a BAD security practice, so I am glad that VMware saw implications of that. If you are going to use VMware encryption, you are going to use proper encryption key management and that will be much better from a security perspective. I also think that this reflects on VMware as a company and their concern for their enterprise customers.

What to look for in a key manager? All enterprise level key managers are validated to FIPS 140-2 by the National Institute of Standards and Technology (NIST). Be absolutely sure you key management vendor has completed this validation. Secondly, your key manager should support the KMIP protocol. Finally, if you are taking credit cards for payments, look for a PCI validation. We validated our Alliance Key Manager with both Coalfire and VMware, as a joint project. This helps our customers easily get through an audit, which can be quite difficult.

While I have you, I was hoping you could also offer some clarification on the term KMS. For example, VMware defines KMS as a Key Management Server. Amazon defines their KMS as a “Key Management Service.” How should our readers be thinking about a KMS in regards to VMware encryption?

Ah, the chaos of three letter acronyms. KMS, in general terms, means Key Management Server. It is a broad term covering key management devices that manage the entire lifecycle of a key - from creation to destruction. You are right, Amazon does call their key management service KMS, which can lead to some confusion. This service is NOT to be confused with a key management server - and does not give you full control over the entire key lifecycle. It is a shared administrative environment where you share access to the keys with Amazon.

You need to approach cloud service provider (CSP) implementations of key management services with trepidation. It is important for YOU to hold exclusive access to your keys and that only you have the only administrative control. Cloud lockin can be another concern as well.

To hear this conversation in its entirety, download our podcast Don’t Let Your Application or Database Limit Your Encryption Strategy and hear Patrick Townsend further discuss Encrypting applications and databases that don't natively support encryption, encryption performance, and other fundamental features of an enterprise grade key manager.

[Podcast] Don't Let Your Application or Database Limit Your Encryption Strategy

Topics: Encryption Key Management, VMware, vSphere, vSAN

Are Encryption and Key Management Critical to Blockchain and DLT?

Posted by Patrick Townsend on Sep 16, 2019 6:51:24 AM

As blockchain technologies make their way towards general acceptance in private and public sector IT systems, the critical issues of governance, risk management and compliance come into play - and blockchain teams are maturing to address these areas. One important gap to fill involves the proper protection of sensitive data in a blockchain deployment. It seems odd to discuss data protection in the context of blockchain. Isn’t blockchain based on cryptography? Yes, it is, but there remains a gap in the area of data protection. Let’s delve into this in more detail.

What Data Needs to be Encrypted in the Blockchain Ledger?Blockchain’s innovative way of linking transactions and guaranteeing their immutability in a distributed ledger is based on well known and respected cryptographic algorithms and processes. The ability to extend this level of assurance across a large number of widely distributed nodes is clearly an amazing extension of modern computing. While there have been security lapses in public blockchain implementations, these have generally been related to improperly securing credentials and mistakes in implementing chaincode. Blockchain methodologies are standing up well to external attacks.

One important aspect of blockchain is its transparency. That is, everyone has perfect visibility into the transactions on a ledger and their current validity. This transparency is a core feature of blockchain - and that leads to a problem:

Some data that we want to put on the blockchain is sensitive, and we may not want to expose it to others.

There are lots of reasons why we might not want some information on the blockchain ledger to be transparent:

  • An organization’s reputation suffers when they lose or expose sensitive information. This is true for both public and private organizations and a significant loss of reputation is difficult to mitigate.
  • Even little bits of data in blockchain transactions needs to be protected. When sensitive data in a blockchain ledger are aggregated, it can indicate the direction of a business’s activity and leak important information about strategic developments to it competitors.
  • Compliance regulations prevent storing sensitive personal information in the clear. The PCI Data Security Standard mandates that credit card (Primary Account Numbers) be encrypted. The New York Department of Financial Services (23 NYCRR 500) requires the encryption of certain sensitive information. The EU General Data Protection Regulation (GDPR) mandates the protection of sensitive information of “Data Subjects”. here are other regulations that require or recommend protection of sensitive data.
  • Digital assets that represent intellectual property need to be protected from cybercriminals and state actors. The loss of key intellectual property can be devastating to a startup or mature enterprise.

Therefore, it is critical for organizations to design proper data privacy into blockchain projects from the very beginning. It is painful and potentially impossible to fix data privacy gaffs after the fact.

Blockchain SecuritySome blockchain advocates suggest that the solution to this conundrum is to not place sensitive information on the blockchain at all. But this is an impossible goal. Data on a blockchain may not specifically identify an individual, but may contain enough information that it can be combined with previously leaked information to form a full picture of an individual. Remember that hackers are really good at data aggregation. Losing a little sensitive information can lead to an embarrassing loss of a lot of information.

Other blockchain advocates suggest that the answer to this problem is to store sensitive data off of the blockchain altogether. But does this really solve any problem? This approach loses the many advantages of blockchain technology, and doesn’t do anything to solve the data protection puzzle. “Out of sight, out of mind” is not a solution to any problem.

Some blockchain implementations attempt to achieve privacy through “add on” features. Hyperledger channels and collections are two examples of this. These facilities use access controls to attempt to achieve this. As good as these facilities are, access controls will not address the data protection requirements of compliance regulations, nor provide other protections that encryption provides.

For all of the reasons we encrypt sensitive data in traditional databases, we need to encrypt sensitive data on a blockchain. This doesn’t mean that we have to encrypt everything that we put on the blockchain ledger, but it means we have to have the same intelligence in regard to sensitive data on blockchains that we have in the most secure systems today.

Fortunately, we can accomplish data protection on blockchains and maintain their usefulness. In fact, not only CAN we accomplish this, we MUST accomplish this in order to preserve the usefulness of blockchain technology.

If we are going to encrypt data that we put on a blockchain, we have to address a few requirements that are specific to blockchains:

  • We have to use industry standard encryption algorithms, such as AES, to meet compliance regulations.
  • We have to manage encryption keys using industry standards and best practices. This means storing encryption keys away from the blockchain ledger and doing so in a provably standard and secure way.
  • We have to make encryption keys available to the users and smart contracts that need them. This is a challenge in a distributed blockchain environment.
  • We must authenticate user’s authority to use encryption keys.
  • We must have a mechanism for restricting access to encryption keys, and for granting and revoking access to those keys.
  • We know how to accomplish these tasks in a traditional, centralized IT system. Years of work have produced standardized approaches to encryption. But blockchain presents real challenges to meeting these challenges.

Fortunately, innovation in the area of protecting data on a blockchain ledger is advancing.

At BlockNKey we built a key orchestration system architected from the ground up for distributed ledger technology. NIST compliant encryption and key management, a key vault, and key access control are built into each registered blockchain node. Cryptographic keys grant permission to whomever is permitted access to the data, how it’s accessed and when it’s accessible. This enables multi-party access to the appropriate data in real time through verified and validated access points. BlockNKey is compatible with public and private blockchains while enabling proper data security with easy to use REST APIs. It will even help you if you are storing sensitive data “off chain”.

Townsend Security has partnered with BlockNKey to bring an encryption and key management solution to blockchain users. More information here.

What Data Needs to be Encrypted in the Blockchain Ledger?

Topics: Blockchain

2019 Encryption Key Management Survey Results

Posted by Ken Mafli on Sep 11, 2019 9:56:26 AM

Recently, we here at Townsend Security had the opportunity to poll the fans of our Newsletter to see how folks are doing with encryption and key management for their data-at-rest. We conduct this survey, and surveys like it, so that the larger InfoSec community can get a snapshot of how businesses, in general, are doing in securing their sensitive data. Below are a few key findings, hope you enjoy!

 

Overall Results

Using Encryption

First, the good news: 73% of respondents report that they encrypt their sensitive data while at-rest. This makes sense as all the respondents are fans of our Newsletter; the group is a little self-selecting in that they have already expressed an interest in data security. Of course, we would like to see the number at 100%, but that would mean our work is already done—and we know we still have a long way to go.

To give a bit of perspective, we conducted two additional surveys that represent a more general audience that we published, here and here. In those two surveys the adoption rate for encryption is closer to 50%. So, hats off to our fans for being above the curve!

Using Key Management

Now, the bad news: Only 50% of respondents say that they use proper key management to secure their encrypted data-at-rest (again, a little self-selecting in that, as part of the reason they like our Newsletter is that they are learning more about key management). Interestingly, even if you adjust the data to only look at those who replied that they do use encryption, the number only jumps to 66%.

As a comparison with the wider community, only about 30% of respondents in our other two polls (referenced above) said that they use encryption key management to securely manage their keys.

Expert Weigh-In: Patrick Townsend, CEO of Townsend Security
"Encryption is not enough. In order for encryption to be secure, the keys must be properly managed—100% of the time. If you don’t properly manage your encryption keys, it is like placing your house keys under your welcome mat. Every good thief knows to look in the obvious places for easy entry. Hackers do as well."

 

Encryption and Key Management Use, per Database/Blob Storage

Using Encryption per Database

It is no surprise to see that, overall, if a database/blob storage reports a rise/fall in the use of encryption, there is also a corresponding rise/fall in the use of proper key management. What is interesting, however, is the databases/blob storage where the respondents reported the widest gap in adoption of key management in comparison to the adoption of encryption. Here are the top five databases and their corresponding adoption gaps:

Database Gap in Encryption to Key Management Adoption
SharePoint: 40%
SAP: 28%
SQL Server Enterprise Edition: 26%
MySQL, SQLite, PostgreSQL, etc: 26%
MongoDB: 24%

 

Encryption & Key Management for SQL Server - Definitive GuideWhat may or may not be surprising is that SharePoint leads the pack in lack of key management adoption (compared to encryption adoption) and SQL Server Enterprise Edition comes in third. SharePoint is built on top of Microsoft SQL Server as its datastore (for structured data, at least). For SQL Server 2008 Enterprise edition and up, you now have the ability to not only take advantage of SQL Server’s Transparent Data Encryption (in SharePoint and SQL Server), but you also can leverage the power of a third-party encryption key manager using Extensible Key Management (EKM). This means it is incredibly easy to not only deploy encryption but also proper manage the encryption keys.

What is less surprising is the other three that made the top of the list. All these come with free editions that do not come with encryption libraries, let alone the ability to properly manage the keys. So anyone spinning up a free version of these databases will, by their very nature, not be able to secure their data.

Expert Weigh-In: Tim Roncevich, Partner at CyberGuard Compliance
"Many Enterprise editions of databases come with robust AES encryption and a way for a third-party vendor to manage the encryption keys. If you are storing sensitive data in an open-source, or free, version of a database, upgrade today. Hacks similar to the Cathay Pacific breach of 2018 were due to the company not upgrading to the Enterprise edition to take advantage of the encryption and key management that were available to them."

 

What Virtualization Do You Use?

Virtualization Used

About three-quarters of respondents said that they use VMware in their environment. The other quarter reported using Hyper-V, Red Hat Virtualization, Citrix Hypervisor, or KVM. Less than 10% said they used multiple virtualization platforms.

This is great news for the majority of businesses, then, in terms of encryption and key management. VMware’s vSphere 6.5 and up come with encryption ready to use. Not only that, but using a third-party encryption key manager is easy to set up and deploy.

Expert Weigh-In: Sharon Kleinerman, Director of Sales at Townsend Security
"For those organizations struggling to secure their data-at-rest with encryption and key management, doing so has never been easier. If you have VMware 6.5 and above, you simply set up your third-party key manager through vSphere’s KMS Cluster KMIP interface, tell vSphere which VMs you want encrypted, and your data is encrypted. Same with vSAN. It really is easy to encrypt with VMware as your virtual environment."

 

Backup & Recovery Solutions

Backup and Recovery Used

Backup and recovery solutions are an integral part of business continuity. In fact, Allied Market Research estimates that the market will grow by almost 25% year over year through 2023. In the next few years, however, Gartner estimates that 50% of companies will augment or replace their current backup solution with another.

Our findings fall roughly in line with Gartner’s research. According to our survey, about 40% of respondents say they will, or don’t know if they will, replace their current backup and recovery solution.

Expert Weigh-In: Steve Brown, Partner at Rutter Networking Technologies
"For those thinking of switching your B&R solution, it is important to make sure that the solution you are switching to provides encryption and a way to manage your encryption keys. Encryption should not be an afterthought. Instead, it should be one of the main drivers as to why you would either stay with your current solution or look farther afield."

 

Conclusion

The rate at which data breaches are happening is not slowing down. We all know this. But the adoption rate of best practices is still lagging. While it is heartening to see our blog’s fanbase beating the overall average for using encryption and key management to secure sensitive data-at-rest, We still have a long way to go.

The good news, it is easier than ever to adopt best practices. If you are thinking about truly defending yourself with a defense-in-depth strategy, talk to us today.

 

Encryption

 

Topics: Encryption Key Management

VMware vSAN Encryption for Compliance

Posted by Patrick Townsend on Aug 30, 2019 9:06:56 AM

Many VMware customers know that they can encrypt their virtual machines that are managed with vSphere and other VMware tools. VMware vSAN encryption can also provide important protections for data-at-rest in vSAN virtual disks. I wanted to share some thoughts I’ve received from our VMware customers and partners on some of the benefits of using vSAN storage with encryption enabled.

A Simple Way to Encrypt

Podcast: Protecting Data with vSphere & vSAN EncryptionWhen you have a large database, it can be inefficient to store the data in a directory or folder directly in your virtual machine. vSAN can be much easier to manage from an administrative and recovery point of view and your VMware applications can easily connect to the vSAN volume. vSAN is configured using the VMware tools you already know how to use and managing vSAN storage is easy.

Did you know that you can enable vSAN encryption to protect that database with sensitive data? You can enable vSAN encryption on existing virtual disks or on new virtual disks that you create. The process is simple and does not require any downtime for your application - and vSAN encryption enables the use of a KMIP compatible key manager like our Alliance Key Manager so that you stay lined up with industry standards and security best practices. It is an easy way to improve your overall security posture.

A Simple Way to Meet Compliance

Many of our VMware customers are struggling to implement encryption on their databases to meet compliance regulations and to protect the organization’s digital assets. Although encryption and key management have become much easier over the years, it can still seem like a daunting task. VMware vSAN encryption to the rescue! It is easy to implement with the tools you already have, and you can deploy an affordable key management solution such as our Alliance Key Manager to fully meet compliance requirements and security best practices. You configure key management directly through the KMS Cluster facility in vSphere, and then activate vSAN encryption. Alliance Key Manager does not impose any limits on the number of virtual disks you protect, nor on the number of nodes that connect to the key manager.

A Simple Way to Save Money

Some databases, such as Oracle and Microsoft SQL Server, require expensive license upgrades to enable encryption capabilities. This cost can be out of reach for many small to medium size organizations. Using vSAN encryption is an affordable way to achieve a better security posture using the tools and the IT professionals you already have.

You might be wondering if VMware supports the deployment of these databases on vSAN volumes. The answer is absolutely YES! You will find substantial documentation from VMware on doing exactly this. The documentation includes reference architectures and analysis of performance impacts. You can confidently move forward with vSAN encryption knowing that VMware has invested time and effort to make sure you are successful.

Lastly, we know that some VMware users have deployed the free version of vSphere. There are some costs associated with upgrading to the paid tier of vSphere in order to get the ability to encrypt VMs and vSAN. If this is where you are today, talk to us about how we can help with the uplift to the next level of vSphere capability.

Resources:
vSAN Documentation
Oracle Database on VMware vSAN Solution Overview
Architecting Microsoft SQL Server on VMware vSphere
Pointers to our AKM for vSphere/vSAN Solution Brief 

New call-to-action

Topics: Compliance, VMware, Enryption, vSAN

MongoDB World 2019 Encryption Survey

Posted by Ken Mafli on Aug 8, 2019 8:42:34 AM

This June we had a chance to participate in MongoDB World 2019 in New York City as an exhibitor. It was a great time as MongoDB professionals from around the world attended. We had an opportunity to ask them about their company's encryption and key management practices. Below are the results as well as some expert weigh-in on the findings. Enjoy!

 

MongoDB-Survey-2019

 

If you are looking to protect your encryption keys for your sensitive data in MongoDB, you need a FIPS 140-2 compliant centralized key manager that:

  • Never charges you additional fees for connecting a new end-point.
  • Never limits the number of end-points based on the model of the KMS.
  • Never limits the number of encryption keys generated or stored.
  • Never forces you to pay extra fees for software patches.
  • Never forces you to pay extra fees for routine software upgrades.
  • Always gives you unmatched customer service.
  • Always protects your keys, 24/7.

You need Alliance Key Manager for MongoDB.

Encryption and key management for MongoDB

 

Topics: MongoDB Encryption, MongoDB Encryption Key Management, MongoDB

Case Study: Indus Systems

Posted by Luke Probasco on Jul 16, 2019 8:13:57 AM

indus-LogoIT Solution Provider Helps Customer Protect vSphere and vSAN Encryption Keys with Alliance Key Manager for VMWare

 


“As our customers face new and evolving compliance regulations that require them to encrypt private data, we needed a partner that could provide easy and affordable encryption key management for VMware.

- Kushal Sukhija, Technical Director

 
Indus Systems
Indus Case StudyAs processes are becoming more complex, competitive and demanding, businesses are constantly exploring new ways to deploy effective solutions. Indus Systems (www.indussystem.com), over the years, has synchronized their team to offer best-of-breed solutions from leading technology partners, coupled with their Professional Services to help customers to protect their Information Technology investment, reduce costs and grow business. Their IT Solutions increase people efficiency, reduce infrastructure footprint, which acts as catalyst towards quantum business growth. Indus Systems thrives to be a hand-holding partner in their customers’ journey.
With over 15 years of experience and 300+ happy clients, Indus Systems offers solutions in:
  • Business Continuity
  • Core Infrastructure
  • Network & Security
  • Mobility
  • User Devices
  • Professional Services 

 

The Challenge: vSphere / vSAN Encryption Key Management

Based in India, Indus Systems is increasingly finding their financial customers concerned with meeting the Securities and Exchange Board of India (SEBI) requirements for protecting private information. According to the SEBI framework, which came into force on April 1, 2019, “Critical data must be identified and encrypted in motion and at rest by using strong encryption methods.”

JM FinancialWith SEBI’s new cyber security framework, JM Financial Asset Management Ltd turned to Indus Systems for guidance on how to better protect their data. JM Financial Asset Management Ltd, an Indus Systems customer of 10 years, were due for a technology refresh. As part of the project, the company would rely heavily on VMware and protecting private data with vSphere and vSAN encryption.

Knowing that for encryption to be truly effective it needs to be coupled with encryption key management, Indus Systems and JM Financial Asset Management Ltd visited VMware’s Solution Exchange in search of a VMware Ready key management solution.

The Solution

Alliance Key Manager for VMware

“After visiting VMware’s Solution Exchange and finding Townsend Security’s Alliance Key Manager as a VMware Ready solution that had been certified by VMware for use with vSphere and vSAN encryption, we knew that we could easily help customers like JM Financial Asset Management Ltd meet SEBI’s encryption requirements,” said Kushal Sukhija, Technical Director, Indus Systems.

With Alliance Key Manager for VMware, organizations can centrally manage their encryption keys with an affordable FIPS 140-2 compliant encryption key manager. Further, they can use native vSphere and vSAN encryption - agentless - to protect VMware images and digital assets at no additional cost. VMware customers can deploy multiple, redundant key servers as a part of the KMS Cluster configuration for maximum resilience and high availability.

“Alliance Key Manager proved to be an affordable and easy to deploy solution that we will be able to offer our customers beyond JM Financial Asset Management Ltd,” continued Sukhija. “Further, as part of our due diligence, we started
a Proof of Concept (POC) with another key management vendor as well. After getting halfway through the project, we could quickly see that their solution was getting complicated and expensive - something that we could not recommend and deploy for our customers.”

By deploying Alliance Key Manager for VMware, Indus Systems was able to meet their organization’s and client’s needs to protect private data at rest in VMware.

Integration with VMware

“VMware’s native vSphere and vSAN encryption make it easy to protect VMware images and digital assets. With Townsend Security’s Alliance Key Manager, we were able to protect our data with no additional agents or additional costs as JM Financial Asset Management Ltd scales their IT infrastructure,” said Sukhija. With a low total cost of ownership, Alliance Key Manager customers can leverage the built-in encryption engine in VMware enterprise, with no limits imposed to the number of servers or data that can be protected.

By achieving VMware Ready status with Alliance Key Manager, Townsend Security has been able to work with VMware to bring affordable encryption key management to VMware customers and the many databases and applications they run in VMware Enterprise. VMware Ready status signifies to customers that Alliance Key Manager for VMware can be deployed in production environments with confidence and can speed time to value within customer environments.

Indus Case Study

 



Topics: Alliance Key Manager, Case Study

VMWare and Encryption Key Management Failover

Posted by Patrick Townsend on Jun 26, 2019 12:38:09 PM

Encryption and Key Management for VMware - Definitive GuideOne of the easiest ways to implement encryption controls in your VMware infrastructure is to activate vSphere and vSAN encryption. With vSphere encryption you can insure that all VM images are encrypted at rest, and with vSAN encryption you can set up virtual disks that are fully encrypted protecting any files that you place there. vSphere encryption was implemented in version 6.5, and vSAN encryption was implemented in version 6.6. All subsequent versions of vSphere and vSAN include these capabilities. (Note that you must be on the Enterprise or Platinum edition).

In both vSphere and vSAN the key manager is integrated using the open standard Key Management Interoperability Protocol, or KMIP. This means that any key management solution that supports the necessary KMIP interface can work as a vSphere or vSAN key manager. Our Alliance Key Manager solution implements this support, and is already in use by our VMware customers. 

The most common question we get about these new encryption features is: How do I manage failover for the key managers?

This is a great question as VMware is a part of your critical infrastructure, and key management has to work with your high availability strategy. There are two parts to this question and lets dig into both of them:

Defining Key Managers to vSphere KMS Cluster

Key managers are defined to vSphere using the option to configure the KMS Cluster. A KMS Cluster configuration allows you to define more than one key manager. So you have a readily available path for failover. The first key manager configuration is the primary key manager, and all subsequent key managers in the KMS Cluster are failover key managers. vSphere will always use the first key manager you define and treat it as the primary. 

In the event vSphere cannot connect to the primary key manager, it will try to connect to the second key manager in the KMS Cluster configuration. If that one fails it will try the third one, and so forth. The failover order is the order in which you define key managers in the KMS Cluster, so you should keep that in mind as you define the key managers.

While vSphere allows you to create multiple KMS Cluster definitions, very few VMware customers need multiple definitions. Just put your key manager definitions in a single KMS Cluster and you are set to go. 

If you have failover clusters for VMware, be sure to define the KMS Cluster for the failover environment, too!

Implementing Key Mirroring in Alliance Key Manager

Now that you have failover key managers defined to the KMS Cluster, you need to activate key mirroring between the primary key manager and each failover key manager. This is really easy to do, and you don’t need any third party products to implement key mirroring with Alliance Key Manager. Real time, active-active key mirroring is built right into the solution. You can SSH into the key manager, provide credentials, and then take the menu option to set up the primary or secondary key server. Answer a few questions and you will have key mirroring enabled between two or more Alliance Key Manager servers.

Our Alliance Key Manager solution implements full support for vSphere and vSAN encryption key management and has everything you need to get started. Adding encryption to your VMware environment is easy. VMware did a great job with this implementation of key management support and you can easily realize the benefits of protecting VMware infrastructure.

Alliance Key Manager documentation for vSphere can be found here.

You can download Alliance Key Manager and get started right away. Here is where to go to start the process.

Townsend Security will help you get started with vSphere and vSAN encryption. There is no charge for the evaluation or evaluation licenses and you will get access to the Townsend Security support team to ensure you have a successful project.

Patrick

New call-to-action

Topics: Alliance Key Manager, VMware

Encryption and Key Management - The SIX Mistakes that Startups and ISVs Make and How To Avoid Them

Posted by Patrick Townsend on Apr 18, 2019 1:27:59 PM

In our practice here at Townsend Security we engage with a lot of startups and mature ISVs who are trying to grow their business and customer base, leverage their technologies into new opportunities, and grow or migrate to the cloud. We know how difficult it is to start and grow a company, and what a wide set of business challenges have to be overcome. Our hats are off to every entrepreneur who has created a successful company, and every ISV who has kept it going!

Designing Applications with Encryption and Key ManagementI want to share a few thoughts on some pitfalls that can damage your ability to grow your company with a focus on the encryption of sensitive data. Too many promising companies flounder because of poor security implementations, and failing to get encryption right can lead to lost opportunities - maybe even the loss of that breakout sale you need to land a global company. Some early thought and planning about data security can help you weather your migration up the food chain and avoid such losses.

Number 1: Failure to encrypt sensitive data

The single biggest failure of data security is not doing it at all. Even in this age of massive public data breaches, and the damage that they do to companies of all sizes, most startups and ISVs are not implementing encryption of sensitive data. When product managers and developers work on their next big idea, they focus on exciting features in their product and often ignore the work it takes to implement encryption. They instead rely on access control lists and other mechanisms to protect data. These are, of course, important things to do. But the failure to encrypt sensitive data leaves a big hole in your security strategy.

What can go wrong if you haven’t implemented encryption? LOTS !!!

  • The publicity around a data breach can tarnish your reputation and kill opportunities.
  • The lack of encryption may cause compliance regulation failures making it impossible to enter new markets.
  • You may not be able to pass a security review of your software by that large global Enterprise.
  • You may not be able to enter government channels where encryption is a mandate.
  • If your customer experiences a data breach you may encounter substantial litigation costs that damage your financial resources and delay critical development.
  • You may fail to secure that next round of funding when an investor discovers the security gaps in your product.

When these kinds of events damage your ability to grow your company, it can be hard to mitigate them in a timely fashion. And you often won’t know about these dangers until you get fairly far down the road with your business plan.

Number 2: Failure to get key management right

For startups and ISVs who DO understand the need for encryption of sensitive data, the next biggest pitfall is the failure to protect encryption keys properly. Almost every database that supports encryption also supports the ability to protect the database encryption keys with a key manager. But that doesn’t mean that good key management is the default! In most cases the default database key management option is to store the encryption keys on the same server as the sensitive data. Sometimes the database will even store the encryption key locally and in the clear! So getting encryption key management right is critical to your security strategy. It won’t help to have encryption of your data enabled, and then have a cybercriminal steal your data along with the encryption key.

Related to key management here are some things to look for when you consider databases for your application:

  • Does your database have built-in encryption? Relying on third-party encryption solutions at the file/folder level will certainly cause deployment and scalability problems.
  • Does your database support integration with third-party key managers? If there is no easy way to integrate proper key management into the database, this will also cause deployment and technology delays.
  • Does your database support open standards for key management? For example, the Key Management Interoperability Protocol (KMIP) defines how applications like databases can easily integrate a key manager.
  • Does your database support key management failover? Remember that protecting encryption keys with a key manager also brings along the question of high availability and failover.

HINT:

If you are a startup be sure to choose a database that supports built-in encryption and proper key management. You have lots of good choices in both commercial and open source solutions. So go with a database with native, built-in encryption and key management!

Number 3: Failure to get FIPS 140-2 right

There are important standards and certifications for key management solutions. The most important of these is the National Institute of Standards and Technology’s (NIST) FIPS 140-2 standard. In addition to being a published standard, there is also a validation process for key management systems. The standard, and the validation to that standard, are critically important to your data security strategy. All professional key management solutions have been validated to the FIPS 140-2 standard and you should be sure to deploy a validated key management solution. This will help you avoid failing a security audit by that important new customer!

In addition to ensuring that your key manager is validated to FIPS 140-2, be sure that the entire key management solution is validated. There are many cases where the encryption library alone is validated to FIPS 140-2, but the key management application is not. It is good to have validated encryption, but that is just the start! Encryption key management has its own validation points and you will need both.

Snake Oil Alert !!!

Unfortunately, there are some key management solutions that make unwarranted claims about FIPS 140-2 compliance and validation. Here are a few warning signs to look for when you evaluate a key management solution:

  • A vendor makes compliance claims, but there is no validation. Some vendors claim to be “FIPS 140-2 compliant” but in fact have never completed a FIPS 140-2 validation. Security is hard, and unsubstantiated claims should be a red flag.
  • A vendor claims FIPS 140-2 compliance, but the validation is “in process”, but not complete. A security product can be “in process” for many months or even years. A claim of FIPS 140-2 compliance without actual completion should also be a red flag.
  • A vendor makes some claims of FIPS 140-2 validation, but research shows that the key management solution was not validated by that vendor.
  • A vendor makes a claim of FIPS 140-2 compliance, but the solution is only compliant when backed by a third party validated key management solution. In this case the vendor solution itself is not validated, but relies on the validation of another solution. You may be fooled into thinking that the solution itself is compliant when it is not. Especially watch for this pitfall with open source solutions.

You can always check a vendor’s claims of FIPS 140-2 compliance. Ask for the NIST FIPS 140-2 certificate number, and then Google it. NIST makes the validation certificate available to the public on their website. Copy and paste this into Google search:

NIST FIPS 140-2 certificate number 1449

That was easy!

Number 4:  Failure to make encryption and key management easy and invisible

Now that you are on the road to getting encryption and key management right, it is important to also make it easy and invisible. Your customers have a lot on their agendas, and becoming a key management expert is probably not one of them. So even if you follow the above advice and implement encryption and key management, do your customers a favor and make key management easy. The best way to do this is to bundle a key management solution into your product, and make key management automatic. You can still enable the configuration of an external key management system (some customers will want this), but you can really make it easy for most of your customers if you automate the key management tasks.

Automating key management is a great competitive advantage! One of our partners in the archival and backup space implemented this strategy and make great competitive wins on this feature alone! Their message was simple:

“We have encryption and key management. It is FIPS 140-2 validated. It is completely automatic so you don’t have to spend time fiddling around with a complex key management system.”

This strategy won them a lot of competitive deals and it was easy to talk about - and it shortened the sales cycle.  Of course, be sure that your key management solution supports this type of integration and automation!

Number 5:  Failure to segment customer data

As you move to the cloud and create shared, multi-tenant SaaS solutions, be sure to plan for and architect data segmentation into your solution. You will encounter large customers who will not want to have their data in the same space as other customers. They will want the additional security of segmenting their data into a virtual private cloud. With planning, your technical team can meet this kind of requirement, and help you close that very large deal.

Of course, a data segmentation plan requires a key management segmentation plan. For the same reasons customers want to segment their data, they don’t want to share key management with other customers. And they want to maintain full control of the key management implementation. So be sure to plan for customer-specific deployments of encryption key management and failover key management servers. A properly implemented data and key management segmentation plan will even allow for on-premise deployments that are “cloud ready.”

Number 6:  Failure to develop new market opportunities

Think about Amazon (the company) for a moment. At one point in their history they were an online bookstore. Today the company is very different. Amazon first leveraged its technologies to sell all kinds of products, and then created Amazon Web Services (AWS) to enable all of us to benefit from cloud technologies.

Are you thinking like Amazon? If not, you might be missing some big opportunities. Now that you have secure applications, are there lateral opportunities or technology licensing opportunities available to you? When you approach new opportunities and partners, don’t be afraid to talk about security. Regardless of what you’ve heard:

SECURITY SELLS!

Developing Applications with Encryption & Key Management

Topics: Encryption, Encryption Key Management, ISV, Partner

Townsend Security Announces Alliance Key Manager for VMware Cloud on AWS

Posted by Luke Probasco on Apr 9, 2019 12:01:00 AM

Alliance Key Manager for VMware Cloud on AWS provides customers with dedicated key management in AWS – with no access to encryption keys by cloud service provider (CSP).

Townsend Security today announced Alliance Key Manager is available to customers of VMware Cloud™ on AWS. VMware Cloud on AWS brings together VMware’s enterprise-class Software-Defined Data Center (SDDC) software and elastic, bare-metal infrastructure from Amazon Web Services (AWS) to give organizations consistent operating model and application mobility for private and public cloud. Alliance Key Manager for VMware Cloud on AWS enables the flexibility and security of a native VMware encryption key manager to customers of VMware Cloud on AWS.

As VMware users turn to VMware Cloud on AWS, they bring their sensitive data with them – customer names, email addresses and other personally identifiable information (PII). While compliance regulations require protecting this information, encrypting this data has been a challenge for organizations who want the flexibility and security of a native VMware encryption key manager. By deploying Alliance Key Manager for VMware Cloud on AWS, customers can achieve their security and efficiency goals in a cloud environment.

“With subscription and perpetual licensed options for the Alliance Key Manager for VMware Cloud on AWS, we have licensing options to fit the needs and budgets of our customers. Additionally, there are never extra fees for deploying additional nodes, databases or applications - giving your encryption strategy the freedom to scale without having to come up with budget for added licenses,” said Patrick Townsend, CEO & Founder, Townsend Security.

VMware Cloud on AWS technology partners enable customers to deploy the same proven solutions seamlessly in both the public and private cloud. VMware simplifies the deployment and eliminates the need for partners to refactor solutions for VMware Cloud on AWS. If a partner solution works on-premises in a VMware vSphere environment, it will easily support VMware Cloud on AWS. VMware technology partners complement and enhance native VMware Cloud on AWS service and enable customers to realize new capabilities.

“VMware Cloud on AWS provides customers a seamlessly integrated hybrid cloud offering that gives customers the SDDC experience from the leader in private cloud, running on the leading public cloud provider, AWS,” said Kristen Edwards, director, Technology Alliance Partner Program, VMware. Solutions such as Alliance Key Manager for VMware Cloud on AWS enable IT teams to reduce cost, increase efficiency, and create operational consistency across cloud environments. We’re excited to work with partners such as Townsend Security to enhance native VMware Cloud on AWS capabilities and empower customers with flexibility and choice in solutions that can drive business value.”

About VMware Cloud on AWS

Delivered, sold and supported by VMware and its channel partners as an on-demand service, and running on elastic, bare-metal AWS infrastructure, VMware Cloud on AWS is powered by VMware Cloud Foundation, the unified SDDC platform that integrates vSphere, VMware vSAN and VMware NSX virtualization technologies. With the same architecture and operational experience on-premises and in the cloud, IT teams can quickly derive business value from use of the AWS and VMware hybrid cloud experience. For more information on the VMware Cloud on AWS partner ecosystem, visit: http://cloud.vmware.com/vmc-aws

Townsend Security‘s product information, collateral and other assets are listed within the online VMware Solution Exchange at https://marketplace.vmware.com/vsx/solutions/alliance-key-manager-for-vmware-cloud-on-aws-4-60?ref=search. The VMware Solution Exchange is an online marketplace where VMware partners and developers can publish rich marketing content and downloadable software for our customers.

# # #

VMware, VMware Cloud, vSphere, Cloud Foundation, vSAN, and NSX are registered trademarks or trademarks of VMware, Inc. in the United States and other jurisdictions.           

New call-to-action

Topics: Press Release, Alliance Key Manager for VMware Cloud on AWS

RSA vs AES Encryption - A Primer

Posted by Patrick Townsend on Mar 25, 2019 8:10:41 AM

If you are new to encryption you might be asking yourself, "what is the difference between RSA encryption and AES encryption, and when should you use them?" It’s a great newbie question, so let’s go exploring.

eBook: Definitive Guide to Encryption Key ManagementAES stands for Advanced Encryption Standard and is in wide use around the world. It falls into a class of encryption methods called “symmetric” encryption. That is, the same secret (an encryption key) is used to encrypt the data, and also used to decrypt the data. AES encryption is probably the most widely used encryption method for protecting data at rest. You will find it used in self-encrypting disk drives, database encryption, storage encryption, and so forth. It’s been around since about 2002, and it is an international standard. Roughly speaking, when you encrypt with AES you put data and the secret encryption key into software that implements AES encryption, and out comes the encrypted data. When you want to use that data you put the encrypted data and the same encryption key into the software, and out comes the original data that you can use.

There are other symmetric key encryption algorithms, and we’ll discuss that a bit below.

RSA encryption is named after the three inventors of the encryption method: Ron Rivest, Adi Shamir, and Leonard Adleman. RSA falls into a class of encryption methods called “asymmetric” encryption. The name asymmetric follows from the fact that there are two related secrets, or keys, used for encryption. One is called a public key, and the other is called a private key. The keys are related in the sense that if you encrypt with the public key, you can only decrypt with the related private key. And the reverse is true, too - If you encrypt with the private key, you can only decrypt with the associated public key. The math is pretty amazing and involves very large prime numbers and factorization. RSA keys are usually used when you have two physically separate endpoints. RSA encryption is often used in web browsers to connect to your favorite websites, in VPN connections, and in many other applications. We use asymmetric encryption every day.

There are other asymmetric encryption algorithms, and we’ll mention a few later.

So, when do we use AES encryption?

AES encryption is great when we have a constrained environment. For example, if we encrypt data in a database, we will decrypt data when we need to access the database. Another example is hard drive encryption - we encrypt the data written to the disk, and decrypt it when we read from the disk. Encryption and decryption will take place on the same platform and in the same context. AES encryption is great for this particular use case. That is why it is commonly used for protecting data at rest.

When do we use RSA encryption?

RSA encryption is really great when we have two physically or geographically different end-points. If I am encrypting data in San Francisco, and you are decrypting it in Dubai, I am likely to use RSA encryption because it is ideal for two separate end-points. I can encrypt data with an RSA public key at the originating end-point, send it over an unsecure web connection, and decrypt it with the RSA private key at the destination end-point, and not worry about who might intercept it in the middle. The unique public / private key aspects of asymmetric encryption helps us be secure when we are separated by many miles of insecurity and hostile internet territory.

Performance and how this affects the use of RSA encryption

RSA encryption is great for protecting the transfer of data across geographic boundaries. But we have a bit of a problem with RSA encryption - it is really poor from a performance perspective. I might want to send you my sensitive file, but encrypting that with RSA is going to be difficult due to the low performance of RSA encryption. No problem! You can combine RSA encryption with AES symmetric encryption to achieve the security of RSA with the performance of AES. This is normally done by generating a temporary, or session, AES key and protecting it with RSA encryption.

Other symmetric algorithms

AES is not the only symmetric encryption method. The older, and still standard, Triple DES (Data Encryption Standard) method is still in wide use. Triple DES is an accepted standard even though it is older than AES. However, for any new applications you should avoid the use of TDES (also called TDEA) encryption and it is likely to be deprecated as a standard soon.  Other encryption algorithms exist, such as Two Fish, Blow Fish, Ghost, and others. While they may be good encryption algorithms, they have not achieved the status of accepted standards, and so you should avoid them.

Other asymmetric algorithms

RSA is the granddaddy of asymmetric algorithms. But is is not the only accepted standard for asymmetric encryption. Elliptic Curve Cryptography (ECC) is also in wide use (usually combined with a symmetric algorithm) and is an accepted standard for asymmetric encryption. It performs better than RSA, but still lags AES in terms of performance. You should feel comfortable using ECC for asymmetric encryption needs.

AES encryption and modes of encryption

While AES encryption is the most commonly adopted encryption method, you should be aware that there are multiple modes of operation that can be used with AES. These are also specified in the standards. The raw AES mode of operation is called Electronic Code Book, or ECB. Because raw AES in ECB mode can leak pattern information when encrypting large amounts of data, it is common to use a mode of encryption that incorporates an initialization vector. The Cipher Block Chaining (CBC) mode of AES encryption is very common, as is Counter (CTR) mode. For storage devices it is common to find the XTS mode of encryption used. If data corruption is of concern, you might find the Galois Counter Mode (GCM) in use.

The evolving world of encryption

The world of encryption is always evolving. Cryptographers are working on new algorithms and improvements to existing algorithms to meet the challenges of high performance computing and quantum computing. It is an exciting time for cryptography and encryption key management. For now, you should always stick to published standards like AES, RSA and others mentioned here. Doing so brings the benefits of a consensus among a world-wide group of cryptographers, and keeps you in alignment with many compliance regulations.

Please let me know if you have any questions.

Patrick

eBook: Definitive Guide to Encryption Key Management

Topics: Encryption

The Definitive Guide to AWS Encryption Key Management
 
Definitive Guide to VMware Encryption & Key Management
 

 

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all