+1.800.357.1019

+1.800.357.1019

Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

2019 SQL Server Encryption Survey

Posted by Ken Mafli on Jan 15, 2020 6:00:00 AM

This last November (Nov. 6-8, 2019) we had a chance to participate in the 21st annual PASS Summit in Seattle as an exhibitor. It was a great time as SQL Server professionals from around the world attended. We had an opportunity to ask them about their company's encryption and key management practices. Below are the results as well as some expert weigh-in on the findings. Enjoy!

The SQL Server Encryption Survey—2019

 

2019-SQL-Server-Encryption-Survey

 

A special thanks to our contributors for their expertise and guidance. You all are clear-minded professionals that have a lot to offer those looking to better secure their data:

-Ed Leighton-Dick, Kingfisher Technologies
-Tim Roncevich, CyberGuard Compliance
-Justin Garren, LyntonWeb
-Sharon Kleinerman, Townsend Security
-Patrick Townsend, Townsend Security

If you are looking to protect your encryption keys for your sensitive data in SQL Server, you need a FIPS 140-2 compliant centralized key manager that:

  • Never charges you additional fees for connecting a new end-point.
  • Never limits the number of end-points based on the model of the KMS.
  • Never limits the number of encryption keys generated or stored.
  • Never forces you to pay extra fees for software patches.
  • Never forces you to pay extra fees for routine software upgrades.
  • Always gives you unmatched customer service.
  • Always protects your keys, 24/7.

You need Alliance Key Manager for SQL Server.

Alliance-Key-Manager-for-SQL-Server 

 

 

Topics: Key Management, Extensible Key Management (EKM), SQL Server 2008, Microsoft, Info-graphic, SQL, Encryption Key Management, SQL Server, Transparent Data Encryption (TDE), SQL Server encryption

Townsend Security Provides NFR Licenses for Key Management Server (KMS) to VMware vExperts

Posted by Luke Probasco on Jan 7, 2020 12:00:00 AM

Alliance Key Manager, featuring full support for VMware encryption of VMs and vSAN, is now available free of charge to VMware vExperts.

Free NFR License to VMware vExpertsTownsend Security today announced that it offers free Not for Resale (NFR) licenses to VMware vExperts for Alliance Key Manager, their FIPS 140-2 compliant encryption key management server (KMS). The NFR license keys are available for non-production use only, including educational, lab testing, evaluation, training, and demonstration purposes. NFR Licenses are available here.

Alliance Key Manager enables VMware customers to use native vSphere encryption for VMs and vSAN to protect VMware images and digital assets while deploying a secure and compliant key management server (KMS). VMware users can deploy multiple, redundant (HA) key servers as a part of the KMS Cluster configuration for maximum resilience and high availability. The key manager is certified by VMware for use with vSphere version 6.5 and later, and for vSAN version 6.6 and later. 

Using the advanced cryptographic permissions in VMware vCenter Server, along with a KMS, VMware users can prevent internal/external threats and protect sensitive workloads. In addition to supporting vSphere encryption of VMs and vSAN, Alliance Key Manager supports application and database encryption deployed in VMware virtual servers.

“We are excited to provide VMware vExperts with Alliance Key Manager, our encryption key management server (KMS) for their test labs,” said Patrick Townsend, CEO of Townsend Security. “Protecting sensitive data continues to be a critical concern in IT, and an important part of both security and compliance efforts. Data-at-rest encryption options in vSphere are comprehensive and very easy to use. Alliance Key Manager seamlessly integrates with VMware’s encryption capabilities.”

Townsend Security is a VMware Technology Alliance Partner (TAP) and Alliance Key Manager for VMware has achieved VMware Ready status.   VMware vExperts can request an NFR license of Alliance Key Manager for VMware here.

New call-to-action

Topics: Alliance Key Manager, Press Release

Ransomware and Encryption - I Was Wrong

Posted by Patrick Townsend on Jan 2, 2020 8:48:08 AM

I might as well start the New Year with an admission and an apology. Let’s clear the slate.

eBook: Definitive Guide to Encryption Key ManagementIn the past I’ve minimized the use of encryption as a specific way to deter Ransomware attacks. My thinking was that encryption would not really help you if your systems are compromised by Ransomeware. After all, my thinking was, the data is still on your servers it just isn’t accessible because it is now encrypted with a key that you don’t have. Of course, you can pay the ransom to unlock your data. There are lots of good reasons to encrypt sensitive data, but I was not seeing encryption as a specific way to specifically minimize the risks associated with Ransomware.

I believed that your best defense against ransomware was to have good backups and be prepared to restore systems quickly from those backups. A lot of our customers had become lax in their backup strategy, and this left them exposed to Ransomware attacks. They just weren’t able to quickly restore from backups, or those backups did not exist, or they were not current enough.

I failed to understand the evolving nature of Ransomware threats. It simply did not occur to me that a cybercriminal would BOTH lock your data AND steal the data and threaten to release it if the ransom payment was not made. That is exactly what is happening now. 

It is now clear to me that encrypting your sensitive data is an important part of your defense against Ransomware attacks. If the attacker cannot access the data, they can’t threaten its release to put pressure on you. So it is time to revisit your security strategy around Ransomware:

  • Backups are still important. They are a first line defense against Ransomware.
  • Your backup strategy is not complete until you fully test the restore process. You will always find glitches during the test of the restore operation. You don’t want to be finding these glitches during a Ransomware recovery process.
  • Encrypt all sensitive data to deny its use by attackers.
  • Use proper encryption key management as a part of your encryption strategy. Locally stored encryption keys (SQL Server, MongoDB, MySQL, and so forth) are easy to recover. If you are not protecting the encryption keys you don’t have an encryption strategy.

There is much more that you need to do to protect against Ransomware, but these items are crucial to your strategy. 

Encryption has many other benefits including helping you meet compliance regulations (California CPA, etc.), helping you minimize reputational damage, helping you protect digital assets and business secrets, and much more. It is time to review your encryption strategy and plug any holes.

If you are a small organization you don’t have to feel left out in the cold. Here at Townsend Security we help small organizations get encryption and key management right. You are NOT priced out of the market. If you are a small organization ask us about our SMB plan.

Patrick

eBook: Definitive Guide to Encryption Key Management

 

Topics: Encryption, Ransomware

Alliance Key Manager Now Available for IBM Cloud for VMware

Posted by Luke Probasco on Dec 18, 2019 11:15:00 AM

Alliance Key Manager for IBM Cloud for VMware provides encryption and key management to help IBM Cloud for VMware customers meet data privacy compliance regulations and security best practices.

Key Management for IBM Cloud for VMware PodcastTownsend Security today announced Alliance Key Manager, its affordable FIPS 140-2 compliant encryption key manager, is available for IBM Cloud for VMware. By running Alliance Key Manager for IBM Cloud for VMware, enterprises can encrypt VMs and vSAN virtual directories and protect private information in their applications and databases with a dedicated key manager - with no access to encryption keys by IBM.

Working with VMware and Coalfire, Townsend Security’s Alliance Key Manager achieved compliance with PCI-DSS when implemented on a standard VMware reference architecture. Support for the PCI-DSS standard has smoothed the path to compliance for VMware customers in IBM Cloud. Additionally, Alliance Key Manager for IBM Cloud for VMware can also help businesses meet other compliance regulations such as GDPR, CCPA, HIPAA, GLBA/FFIEC, FISMA, etc.

“Customers want to experience regulatory compliance out-of-the-box. They don’t want to have to engage in lengthy audits and security validations in order to deploy applications to the cloud. PCI-DSS is one of those key indicator regulations and our commitment to provide proven regulatory compliance is a great benefit to our VMware customers,” said Patrick Townsend, CEO of Townsend Security. “We take data security compliance issues off of the table and this really helps our customers. With this announcement we are extending formal support for our solutions to the IBM Cloud for VMware.”

As enterprises move to IBM Cloud they bring their sensitive data with them. With Alliance Key Manager for IBM Cloud for VMware, organizations can encrypt their VMs and vSAN storage that are managed by vSphere. Leveraging the KMIP interface in vSphere users can define one or more key managers to protect the encryption keys used to encrypt VMs and vSAN. Alliance Key Manager is certified by VMware for all versions of vSphere and vSAN that support encryption.

“Encrypting VMs and vSAN storage provides a rapid path to meeting security best practices and compliance regulations. There is no limit to the number of VMs or vSAN storage pools that you can protect,” continued Townsend. “I am proud of our team for creating a truly affordable solution for VMware key management. Small businesses should contact us for information about special small business pricing.”

Alliance Key Manager for IBM Cloud for VMware is available for a free 30-day evaluation.

Key Management for IBM Cloud for VMware Podcast

Topics: Press Release, Alliance Key Manager for IBM Cloud for VMware

SQL Server Standard Edition & Transparent Data Encryption (TDE)

Posted by Luke Probasco on Dec 17, 2019 8:16:00 AM

Like Microsoft SQL Server Enterprise Edition users, SQL Server 2019 Standard Edition users can now easily meet compliance regulations (PCI DSS, GDPR, CCPA, etc.) and protect private data like customer PII and intellectual property without modifying existing applications or the database.  By using the database’s Transparent Data Encryption (TDE) capability, coupled with Extensible Key Management (EKM), and an encryption key manager, organizations can protect their private data at a lower cost.

SQL Server Standard Edition & TDEI recently sat down with Patrick Townsend, Founder and CEO of Townsend Security to talk about TDE in Microsoft SQL Server 2019 Standard Edition and what it means for smaller businesses who don’t have Enterprise Edition, as well as deploying encryption key management in the cloud.

Patrick,  It was great to see Microsoft bring Transparent Data Encryption to the standard edition of SQL Server 2019.

We were pleased to see Microsoft announced that SQL Server 2019 Standard Edition would support Transparent Data Encryption (TDE) and Extensible Key Management (EKM).  By doing this, Microsoft was able to bring encryption and proper key management to a huge user base and not require them to make application changes, which can be a barrier for some companies.  TDE and EKM were originally introduced back in SQL Server 2008 Enterprise, so the technology itself has been around a while. There are a lot of users of the Standard Edition of SQL Server and by lowering the technical and financial bar to protecting private data, companies of all sizes can easily protect their private information - including customer information and IP.

As you mentioned, TDE and EKM are considered a pretty mature technology at this point.  You have had an EKM provider for Enterprise Edition for over 10 years, right?

Yes! Since the initial release of TDE and EKM in Microsoft SQL Server 2008, we have been proud to offer an affordable, industry leading solution - and now extend that to SQL Server Standard Edition users.  As far as platforms go, we started a decade ago with a hardware security module (HSM), though most of our customers are now running VMware environments or are in the cloud (AWS, Azure, IBM Cloud). Fortunately, because all of the platforms that we offer our key manager on run exactly the same software, we are able to maintain our FIPS 140-2 compliance.  We even have customers running hybrid deployments with key managers in the cloud and on-premises.

It is really easy to get started as well.  Deploying an enterprise encryption key management solution  used to take several months and lots of resources but can now be done relatively quickly.  Essentially, here is what you need to do:

  • Set up Alliance Key Manager (just takes a few minutes)
  • Install our EKM provider software on your instance of SQL Server
  • Configure SQL Server
  • Turn on TDE

That’s it!  It is a very straightforward deployment.

By using standards based encryption, Microsoft is positioning their customers for success.  But they still leave key management up to the customer.

Yes, and standards are just as important with key management as they are with encryption.  People often think that the encryption algorithm is the secret part of securing data and don’t realize the importance of key management.  Only YOU should have access to your encryption keys - and this goes for administration of the key manager as well. Enterprises need to look for a FIPS 140-2 validation and avoid multi-tenant solutions offered by CSPs.  On more than one occasion I have heard customers say that prior to using Alliance Key Manager they were storing their keys in an Excel spreadsheet, on a USB key, or even burnt in their application code. Not very secure locations, to say the least, and the keys were very likely not “cryptographically strong.” Encryption keys based on passwords will never meet minimum standards for strong encryption keys. Keys should be generated using a cryptographically secure random bit generator (CS-RBG) validated to international standards.

On the topic of Cloud Service Provider key management, while key management solutions offered by CSPs can provide some convenience, they leave an organization’s encryption keys accessible to third-party administrators - increasing the risk to their security posture.  Finally, bringing it back to SQL Server, remember, it is poor security practice to store encryption keys locally to the SQL Server database. It takes a hacker just a few seconds to recover those keys!

Let’s dive into this a little deeper, because I think there is a little confusion in the market. I attend Pass every year, and when people think about key management, they sometimes talk about using open source software or even storing their encryption keys in something like “Last Pass”.

People need to understand that an encryption key manager is more than just a secure key store.  A key manager like our Alliance Key Manager creates and manages encryption keys through their entire lifecycle.

I’d like to elaborate a little more on CSP-offered key managers like AWS KMS or Azure Key Vault, since I think many people are familiar with these offerings.  If you look at Information Supplement: PCI SSC Cloud Computing Guidelines, you’ll find them state: 

“Because compromise of a Provider could result in unauthorized access to multiple data stores, it is recommended that cryptographic keys used to encrypt/decrypt sensitive data be stored and managed independently from the cloud service where the data is located.”

This is a pretty common sense warning from the PCI Security Standards Council.  Consolidating services under one shared umbrella dramatically increases an organization’s risk.

True Key Management Systems (KMS) need to go where your data goes - on-premise, cloud, multi-cloud, or VMware.  Alliance Key Manager is a full enterprise key management system. The AWS KMS, for example, is a key storage facility and can’t leave the AWS cloud, which provides CSP lockin.

And when thinking about the security principles of Confidentiality and Availability, it just doesn’t make sense to use something other than a full-fledged key manager.

You’re right.  Again, with Confidentiality, you don’t want your CSP to have administrative access to your keys.  In terms of Availability what about high availability? What if you need to run applications that deal with private data in multiple clouds?  By using an enterprise level key manager, enterprises can rely on a centralized key manager to protect their data regardless of where it resides or will in the future.

Also, for those who are using older versions of SQL Server Standard Edition, you can use Netlib's Encryptionizer along with our Key Connection for Encryptionizer to transparently encrypt private data.

To hear this conversation in its entirety, download our podcast SQL Server Standard Edition & TDE to hear Patrick Townsend further discuss encrypting data in Microsoft SQL Server Standard 2019, encryption key management in the cloud, and the importance of data security standards.

SQL Server Standard Edition & TDE

Topics: SQL Server encryption

vSAN Encryption: Locking Your vSAN Down (Part 2)

Posted by Ken Mafli on Dec 16, 2019 6:30:00 AM

What is vSAN Encryption?

As of VMware vSAN 6.6, you can now encrypt your vSAN datastore. vSAN encryption protects your stored data in case a device is removed or hacked. vSAN encryption only requires the vCenter Server, a third-party Key Management Server (KMS), and ESXi hosts to work. It is standards based and KMIP compatible.

 

(Part one of this series deals with VM encryption. This post will cover vSAN encryption)

How vSAN Encryption Works
 
 

The Rise of Storage Area Networks

Nowadays, VMware vSAN provides hyper-converged storage for the enterprise business. As VMware puts it, “in addition to being incredibly simple to deploy and provision, Virtual SAN allows you to scale storage and compute resources, eliminating costly forklift upgrades.”

But, as most know, vSAN, first released in 2014, did not grow in a vacuum. Physical SANs started to gain traction in the early 2000’s as our need for data storage exploded. The SANS Institute, in 2002, highlighted these trends and the advantages that a SAN provided:

  • Higher availability of systems and applications
  • Costly IT purchases reduced
  • Higher scalability of storage architecture
  • Increased IT staff efficiency
  • Higher ability to utilize the full value of a company’s information assets

Encryption and Key Management for VMware - Definitive GuideBut even though a SAN brought these advantages to its user, it had one major limitation: Storage administrators were still tied to managing the data via where it physically lived, needing to pre-allocate storage on various servers.

vSAN, however, overcomes the limitations of a purely physical SAN. Since vSAN is a software layer that sits on-top of the server, it allows for greater flexibility of your storage capacity. According to MicroAge:

“vSAN is software-defined storage that enables organizations to pool storage capabilities and automatically provision virtual machine storage. They can dynamically scale performance and storage capacity as needed and render underlying physical storage accessible to virtual machines through a policy-driven control pane. [O]rganizations use SANs to interconnect shared pools of storage devices to different servers. vSAN extends this local storage to a shareable storage in each server, enabling other servers to access data over the LAN without a traditional shared storage device.”

Another advantage of vSAN: greater (and much easier to implement) data security. With version 6.6 of vSAN, VMware introduced native encryption for your data-at-rest. vSAN encryption is baked right into vSAN and, as Jase McCarty of VMware puts it, “with a couple of clicks, it can be enabled or disabled for all items on the vSAN datastore, with no additional steps.”

This gives the enterprise business much greater control in how and when they secure their data. That said, let’s take a look at some additional advantages of using vSAN encryption.

 

Expert Weigh-in:
When it comes to database development and administration, there is often an emphasis on securing the data inside the database. Unfortunately, that’s not only one place that data resides. We all know that data exists outside the database engine. It’s important to take steps to protect your data no matter where it may lie. vSAN encryption allows for you take that extra step to protect your data-at-rest sitting in JSON, XML, or CSV files.
~Thomas LaRock, Head Geek, SolarWinds

 

The Advantages of vSAN Encryption

Advantages of vSAN Encryption

 

Minimizes Impact on Performance

With encryption there will always be a performance impact. It is just the nature of the beast. But with vSAN encryption, VMware reports:

  • Minimal impact to CPU cycles while data is being encrypted.
  • A 5-15% CPU penalty and no performance overhead. This overhead is representative of running vSAN with dedupe and compression turned on.

This is great news for those needing to encrypt large amounts of stored data. You can now protect your data and, in large part, maintain the integrity of your performance.

Streamlines Operations

As mentioned earlier, vSAN encryption is easy to configure and entire clusters can be encrypted with just a few clicks. There is zero guess-work with:

  • No third-party encryption to install, configure, and maintain.
  • No encryption at the hardware layer. Encryption at the hypervisor layer (vSAN encryption) has considerably less overhead than deploying encryption at the hardware layer.

Bring Your Own Key Manager

You can bring your preferred key manager to manage your encryption keys. Since vSAN encryption is KMIP 1.1 compatible, you are free to use a FIPS 140-2 compliant encryption key manager, like our Alliance Key Manager.

How Do I Enable vSAN Encryption?

 

The last and biggest advantage: vSAN encryption is easy to enable and use. This means that securing your sensitive data with AES encryption is not a time-intensive task. To prove the point, here is a quick guide to getting encryption up and running for your vSAN clusters:

  • First, install and configure your key management server, or KMS, (such as our Alliance Key Manager) and add its network address and port information to the vCenter KMS Cluster.
  • Then, you will need to set up a domain of trust between vCenter Server, your KMS, and your vSAN host.
    • You will do this by exchanging administrative certificates between your KMS and vCenter Server to establish trust.
    • Then, vCenter Server will pass the KMS connection data to the vSAN host.
    • From there, the vSAN host will only request keys from that trusted KMS.
  • The ESXi host generates internal keys to encrypt each disk, generating a new key for each disk. These are known as the data encryption keys, or DEKs.
  • The vCenter Server then requests a key from the KMS. This key is used by the ESXi host as the key encryption key, or KEK.
  • The ESXi host then uses the KEK to encrypt the DEK and only the encrypted DEK is stored locally on the disk.
  • The KEK is safely stored separately from the data and DEK in the KMS.
  • Additionally, the KMS also creates a host encryption key, or HEK, for encrypting core dumps. The HEK is managed within the KMS to ensure you can secure the core dump and manage who can access the data.

That’s it! VMware has made encrypting your data in vSAN both simple and secure.

 

Expert Weigh-in:
In traditional SAN infrastructures, layering key-based security and integrating with key managers has always been wrought with expense and complexity. It usually meant leveraging very few but very difficult to manage key management appliances which required very specialized skills. But with vSAN along with Alliance Key Manager, a lot of that complexity is removed—letting you focus on protecting your data instead of managing it.
~Christopher Kusek, vExpert and Tech Evangelist

 

Final Thoughts

Encrypt Everything in vSAN

 

Let’s face it, storage area networks are a target-rich environment for malicious actors. Whether it’s:

  • Customer data
  • Intellectual property
  • Financial transactions
  • Legal records
  • Patient information
  • And much, much more….

It all needs to be protected. Network administrators, though, face these challenges:

  • They have little control over what gets put into storage.
  • Sensitive data, many times, is stored by end users with little thought to encrypting it.
  • There is a dizzying array of compliance regulations, internal security standards, and best practices that must be complied with.

vSAN encryption can help. With a few clicks in vSAN entire virtual disks can be encrypted. And with a FIPS 140-2 compliant encryption key manager, like Alliance Key Manager, the keys for your AES-NI encryption will be properly protected and full lifecycle managed.

If you are not protecting your data in vSAN, get started today! It’s not a matter of if your data will be hacked, but when.

 

New call-to-action

 

Topics: Encryption, Key Management, VMware, vSAN

Securing FieldShield Encryption Keys with Alliance Key Manager

Posted by Paul Taylor on Dec 13, 2019 10:28:00 AM

The article below originally appeared on IRI's blog and is being re-published here to show Townsend Security's blog readers how Alliance Key Manager integrates with IRI FieldShield.

In a previous article, we detailed a method for securing the encryption keys (passphrases) used in IRI FieldShield data masking jobs through the Azure Key Vault. There is now another, even more robust option for encryption key management available, thanks to API-level integration between FieldShield and the Alliance Key Manager (AKM) platform from Townsend Security.

AKM provides the security of authenticated access to FieldShield passphrases from five different server options (below). They assure that only authorized users can access the AKM key server and obtain the keys to decrypt FieldShield-encrypted field data (column values).

But beyond authentication, AKM provides a complete encryption key management solution which includes: key server setup and configuration, key lifecycle administration, secure key storage, key import/export, key access control, server mirroring, and backup/restore. AKM also supports compliance audit logging of all server, key access and configuration functions.

How AKM Works with FieldShield

AKM is leveraged directly in FieldShield data masking jobs through field syntax that specifies the use of AKM. This syntax is “AKM:KeyName”, where “AKM:” invokes the use of the Alliance Key Manager, and “KeyName” (an example key name created by AKM but could be anything) is the name of a key created by AKM from which the value you want will be accessed.

In a FieldShield decryption job, key retrieval from AKM is performed via a secure TLS connection to the AKM server. Both the client (FieldShield user) and server (AKM) end-points are authenticated via TLS.

AKM can be deployed in: 1) VMware; 2) a cloud server in Microsoft Azure; 3) Amazon Web Services; 4) a privately managed Hardware Security Module (HSM); or, 5) a dedicated cloud HSM.

Setting Up

Prerequisites for using AKM to manage encryption key passphrases in FieldShield are:

  • A compatible Linux OS (a Windows version is planned)
  • A licensed IRI FieldShield installation for Linux under /usr/local/cosort
  • An AKM instance with connectivity to the Linux OS
  • A .conf file configured with the proper details to connect to AKM from the Linux OS
  • The Alliance Key Manager Linux SDK

To run FieldShield, obtain and install license keys from IRI. To run AKM, obtain a license from Townsend Security.

You will need to create a configuration (.conf) file to provide the connection information for AKM. The file includes the locations of certificates, logging options, and AKM connection properties.

The configuration file must be specified correctly, placed in the /usr/local/cosort/etc directory, and called keyclient.conf in order for key retrieval to succeed. Once that’s done, AKM will be accessible and work properly from any of the 5 deployment methods listed above.

You will also need to download the AKM Linux SDK. It contains the packages used to install the Linux libraries for AKM key retrieval used in FieldShield, and a sample keyclient.conf file (shown later).

FieldShield-AKM-Schematic

The AKM Linux SDK

FieldShield makes use of shared libraries provided by Townsend Security to integrate with AKM. More specifically, FieldShield uses the Linux C SDK, which provides tools for integrating C applications with AKM in Linux.

There are debian (or rpm, depending on Linux distribution) packages within the packages directory of the Linux directory of the Linux SDK that must be installed on your system for the FieldShield-AKM integration to work. Confirm (or put) the shared object library (.so file) in the /usr/lib directory.

The AKM Linux SDK contains packages for the following Linux platforms:

  • RHEL/CentOS 4, 5, 6, 7
  • SLE 11 SP2, SP3, SP4
  • Ubuntu 12.04, 14.04, 16.04

The Ubuntu 16.04 package in the AKM Linux SDK was tested and confirmed to work on Ubuntu 18.04.

Configuring AKM for FieldShield Use

AKM can be deployed in a variety of ways, including through cloud computing providers and local virtual machines. To setup AKM initially, follow the instructions in the documentation and log-in to the administrative menu to initialize AKM and create and manage certificates for user authentication.

VirtualBox_vm-1_30_10_2019_15_17_15

The AKM instance has a key server at port 6001, a port for key retrieval at port 6000, and a web interface at port 3886. This information must be put into the .conf file so that FieldShield can find the AKM and retrieve the key at decryption time.

After logging in to AKM, the IP address of the AKM instance can be found by typing ifconfig:

VirtualBox_vm-1_30_10_2019_15_11_51

Again, the default port is 6000 for AKM key retrieval. This should be written in the .conf file like this:

[ip]

KeyStoreIpPort=IP:Port

 

Where IP is the IP address of the AKM, and Port is the port number used for key retrieval. For example:

 

[ip]

KeyStoreIpPort=192.168.56.20:6000

 

A complete .conf file could look something like this:

 

; Configuration file for Universal Key Retrieval API
[log] Syslog=2 ; syslog output enabled StdErr=2 ; stderr output enabled
[ip]
KeyStoreIpPort=192.168.56.103:6000
ConnectTimeoutSecs=5 ; timeout value in seconds
ConnectTimeoutMSecs=0 ; timeout value in milliseconds
[cert]
VerifyDepth=1 ; certificate verify depth
TrustedCACertDir=/home/devon/Downloads/AKMPrimary_user_20191021/PEM
; CA Signed Cert directory
TrustedCACert=/home/devon/Downloads/AKMPrimary_user_20191021/PEM/AKMRootCACertificate.pem ;
CA Signed Cert (root cert)

ClientPrivKey=/home/devon/Downloads/AKMPrimary_user_20191021/PEM/AKMClientPrivateKey.pem
; Client Private key
ClientSignedCert=/home/devon/Downloads/AKMPrimary_user_20191021/PEM/AKMClientCertificate.pem
; Client Signed certificate

 

AKM Web Interface (webmin)

The AKM Server web interface (or webmin) monitors AKM performance and login or access attempts, and allows access to the AKM file browser. Many settings can be modified through a secure web interface:

webmin_AKMDashboard menu in the AKM ‘webmin’ web interface

From the file manager in the web interface, full file system access to AKM is available. In the /home/admin/downloads directory, all certificates and private keys should be available in zipped folders.

The certificates and private key should be in the .pem format and stored in the pem folder within the zip folder with the name of the user (rather than the admin1 or admin2 folders). The date value is the day of the month that the folder was created during initialization of the AKM server.

There is also the ability to access logs from AKM, set logging options and IP access control for the web interface, start/stop AKM, enable two-factor authentication for the web interface, check running processes in AKM, and more, all from within webmin.

Creating and Using FieldShield Keys

AKM provides options for creating, securing, and managing encryption keys through the AKM Administrative (Admin) Console app for Windows. Consult the AKM Crypto Officer documentation for current information on creating keys through the AKM Admin console app.

FieldShield only supports 256-bit symmetric keys from AKM, known as AES256 keys. This provides the best combination of security and performance.

AKM_console

Otherwise, select the rest of the options as desired and click the submit button to generate an encryption key. The output should be similar to this:

AKM-symmetric-key

Alternatively, when initializing AKM, a set of encryption keys can be automatically generated. A prompt appears at AKM initialization asking if an initial set of encryption keys should be generated or not.

The encryption keys you create in AKM at initialization, or through the AKM Admin Console application, will serve as passphrase values in FieldShield target /FIELD specifications that encrypt or decrypt values at the field or column level. For example, this statement:

/FIELD=(Encrypted_CCN=enc_aes256_fp_alphanum(CCN, AKM:AES256), TYPE=NUMERIC, POSITION=12, SEPARATOR=”|”, ODEF=CCAcctNum)

 

will encrypt the CCAcctNum in the 12th column of the source database table with 256-bit AES alphanumeric format-preserving encryption using the key created inside AKM under the name AES256.

What’s actually happening? FieldShield will use a base64-encoded stream of characters (a key value) retrieved (derived) from AKM that are associated with that AKM key name. That stream then gets used by FieldShield as a new passphrase value. 

It’s that new passphrase value that is then used by FieldShield (like before AKM) to derive the actual encrypt/decrypt key used at FieldShield runtime. So in other words, AKM involves a double derivation.  

If you want to use a different AKM key name in another /FIELD statement to differentiate your encrypt/decrypt keys, use the AKM Admin Console to create another key under a different name. Reflect that new name into your FieldShield job script in the appropriate /FIELD statement.

To decrypt in this case, a corresponding decryption statement in a subsequent FieldShield job script would need to specify the dec_aes256_fp_alphnum function with the same passphrase to restore the original CCAcctNum value. This method will work with any FieldShield-included encryption or decryption algorithm.

Example Operation

Here is a look at the FieldShield encrypt (left) and decrypt (right) job scripts used:

FieldShield-encrypt-and-decrypt

 

Note the syntax for specifying AKM use, which is “AKM:KeyName”. Make sure that the key name is properly spelled. Key names that do not exist on the connected AKM instance will result in a Tcpconnect error. 

AKM will attempt to retrieve the key 5 times, each with a timeout of 5 seconds, as specified in the default .conf file. If the key is ultimately unable to be retrieved, then the job will not run. 

Here is an image of data from this example that FieldShield encrypted using AKM:

 

Here is an image of the data after running FieldShield and the key in AKM to decrypt it:

 

 

The bottom line: Using AKM to store the passphrases used for decrypting data in FieldShield dramatically enhances encryption key security and industry compliance levels for data masking operations. Through key authentication and secure key management facilities, AKM can help FieldShield users close off more potential gaps in enterprise data security.

Topics: Alliance Key Manager, IRI FieldShield

IRI FieldShield Supports Townsend Security’s Alliance Key Manager

Posted by Luke Probasco on Dec 12, 2019 12:00:00 AM

Multi-Source Data Masking Software Now Encrypts and Decrypts with Keys in Cloud, VMware, or HSM Platforms

FieldShield AKM SchematicInnovative Routines International (IRI), Inc., a leading provider of data masking software, and Townsend Security, a leading authority in data privacy solutions, have enabled IRI FieldShield to use encryption keys stored and managed in Townsend Security’s Alliance Key Manager servers. The integration gives DBAs and “data security governance” professional a robust, compliant way to encrypt or decrypt data at rest in many sources.

A multi-year rise of hacking incidents and privacy law violations has driven demand for data-centric security. “Masking data in FieldShield using AES encryption, and protecting those encryption keys with Alliance Key Manager can help mitigate the risk of data breaches, and protect an organization’s brand and reputation,” observed Patrick Townsend, Founder & CEO of Townsend Security. “This is especially relevant given laws like the California Consumer Privacy Act (CCPA), which contemplates encryption of sensitive data in order to avoid class action lawsuits,” he added.

FieldShield classifies, discovers, and masks personally identifiable information (PII) in relational and NoSQL databases, and a wide range of structured file formats on-premise or in the cloud. Multiple encryption functions -- including format-preserving encryption -- are among its 15 masking categories. FieldShield users can assign a unique passphrase to serve as an encryption key for one or more data classes (columns or fields). The keys allow the restoration of original values from ciphertext when used with the corresponding decryption function.

Alliance Key Manager provides the security of TLS-authenticated access to FieldShield passphrases stored in VMware, Microsoft Azure, Amazon Web Services, or a private or dedicated Hardware Security Module (HSM). This assures that only authorized users can access the key server and obtain the keys to decrypt.

FieldShield users can generate the keys using either the native command line or web interface to Alliance Key Manager. “Centralizing storage of FieldShield passphrases through Alliance Key Manager not only gives our users FIPS 140-2 compliant key security, but also a more convenient way to manage their encryption keys,” according to IRI developer Devon Kozenieski.

About IRI
Founded in 1978, IRI develops fast data management and data-centric security software through 40 cities worldwide. IRI’s proven data manipulation engine -- and its free Eclipse job design environment -- provide uniquely price-performant and versatile data lifecycle solution software for big data and BI/DW architects, data security and compliance teams, DBAs, and developers. Gartner recognizes IRI FieldShield, CellShield, DarkShield as static and dynamic masking solutions for structured, semi-structured, and unstructured data sources.

Topics: Alliance Key Manager, Press Release, IRI FieldShield

Seamless Encryption Key Management for Microsoft SQL Server 2019 Standard

Posted by Luke Probasco on Dec 11, 2019 12:00:00 AM

Alliance Key Manager supports Transparent Data Encryption (TDE) in Microsoft SQL Server 2019 Standard Edition. 

Encryption & Key Management for SQL Server - Definitive GuideTownsend Security today announced Alliance Key Manager, its affordable FIPS 140-2 compliant encryption key manager, supports Microsoft SQL Server 2019 Standard Edition.  Users of Microsoft SQL Server Standard Edition can now easily meet compliance (PCI DSS, GDPR, CCPA, etc.) and protect private data like customer PII and intellectual property without modifying existing applications or the database.  By using the database’s Transparent Data Encryption (TDE), coupled with Townsend Security’s Alliance Key Manager for SQL Server, organizations can protect their private data at a lower cost.

Alliance Key Manager, a FIPS 140-2 compliant encryption key management solution, allows enterprises to effectively encrypt data and meet security requirements in less time with a flexible, centralized offering. The solution provides full life-cycle management of encryption keys for a wide variety of applications, including Microsoft SQL Server Enterprise and Standard editions.

“We were pleased to see Microsoft announced that SQL Server 2019 Standard Edition would support TDE and EKM, bringing encryption and proper key management without application changes to their popular Standard Edition. By lowering the technical and financial bar to protecting private data, companies of all sizes can easily protect private information,” said Patrick Townsend, Founder and CEO of Townsend Security.  “Since the initial release of TDE and EKM in Microsoft SQL Server Enterprise ten years ago, we have been proud to offer an affordable, industry leading solution - and now extend that to SQL Server Standard users.”

Microsoft SQL Server users can deploy Alliance Key Manager as a hardware security module (HSM), VMware virtual machine, or in the cloud as a native AWS EC2 instance or Microsoft Azure virtual machine. Alliance Key Manager supports seamless migration and hybrid implementations, providing Enterprise’s with options for their high availability strategy. 

“By providing both on-premise and cloud solutions, Enterprise's can easily rely on a centralized key manager to protect their data regardless of where it resides or will in the future. Further, while key management solutions offered by CSPs provide convenience, they leave an organization’s encryption keys accessible to third-party administrators - increasing the risk to their security posture,” continued Townsend. “Our simplified licensing model that avoids charging by the number of endpoint databases and number of keys, makes the upgrade to SQL Server 2019 Standard Edition a no-brainer for many Microsoft users. Microsoft has really done well by its customers.”

Alliance Key Manager for SQL Server is available for a free 30-day evaluation.

Encryption

Topics: SQL Server, Press Release

Living on the Edge

Posted by Luke Probasco on Dec 9, 2019 8:02:59 AM

As the world of edge computing becomes more distributed, billions of connected devices live on the edge, which need to be secured, managed and automated. For many businesses, this means deploying a VMware and cloud infrastructure and using VMware vSphere, for example, to encrypt private information.  While it is easy enough to encrypt data on the edge, key management has proven to be a challenge.

Podcast: Living on the EdgeI recently sat down with Patrick Townsend, Founder and CEO of Townsend Security to talk about deployments on the edge, achieving a strong security posture with key management, and other ways that businesses can better secure their private data. 

Patrick, Townsend Security has had key management solutions for VMware for a number of years. What is special about Edge computing?

Well, Edge computing is fascinating.  It isn’t really that different from how we currently think about computing and data security in the cloud or on-premise. By moving applications closer to the end user, Edge computing brings a better, faster user experience to the end user.  So, if you are running an application in the cloud, perhaps in a retail or healthcare environment, the delay over the network can degrade the experience or inhibit the ability to collect a lot of data, for example, from IoT devices. Edge computing is a natural evolution of making things more efficient with a better user experience.  However, Edge computing also brings new security challenges too. If we are collecting data that is sensitive in nature, it is just as sensitive out on the Edge as it is in our data center.

So what is special or different about Edge computing from a security point of view?

There are a number of challenges.  How do we deploy applications in a secure way?  How do we do application patching? One of the most important security efforts that we make is to keep everything patched and up to date.  When you have Edge computing, there are a lot more environments in distant locations. The security process really becomes more complex when we move to Edge computing.  Those challenges can be solved, but they represent things that we really need to pay attention to.

At the same time, as we are pushing applications out to the Edge, compliance regulations are getting more stringent.  Just look at the California Consumer Privacy Act (CCPA) and GDPR before it. Both of those are making the protection of sensitive data much more important.  The risks of data loss to an organization are escalating, and at the same time, we are pushing data to more and more places - so we have a big security challenge that we need to step up to.

Protecting data data in a centralized IT data center is a challenge, but one that we are used to.  Edge computing brings unique problems with it. For example, let’s say you pushed some data out to a dozen Edge computing environments.  You’ll need to encrypt that data to meet compliance, but where is the key manager? Is it back at your central on-site data center? If so, you may have just lost the advantage of pushing everything to the Edge.  Encryption and key management also need to be pushed out to the Edge in order to meet security best practices, just as you would in on-premise environments.

In terms of the cloud, can you give some examples of Edge environments?

Sure.  In the Cloud, we try to deploy applications close to the end-customer which gives us better response times and a better customer experience.  So, in AWS or Azure, we can move applications closer to where the end-customer lives. CSPs are making this easier by automating some of the deployment tasks.  By pushing applications to the Edge, you get really close to the physical location of the customer. For example, if you live in Sweden, you don’t need to connect to a key manager that is sitting back in Silicon Valley.  You should connect to a key manager that is near you. When moving to the Edge, encryption and key management need to move with you.  

By the way, you may have noticed that VMware has been working much more closely with Cloud Service Providers to provide true VMware infrastructure on cloud platforms.  For example, on Azure, you can deploy a full bare metal stack - VMware in the cloud and managed the way you want. But again, when you push those VMware environments to the Edge, what about the encryption key management?  The good news is, that with our new Alliance Key Manager for Edge Computing, we can make that easy and affordable to accomplish.

How about some examples of non-Cloud Edge environments?

Almost all of us use VMware on premise, and it isn’t really all that different to what we are currently doing.  Think of a medium or large retail organization with hundreds or thousands of storefronts. When you walk into the store, there is a very good chance that there is a local VMware node out there that is running many applications.  Think about a large box store with retail, pharmacy, and automobile services. The VMware environment in a single store might support dozens or hundreds of specialized applications. How do you protect data in that environment? Sometimes when we think of Edge computing we think of “just” the cloud, but this isn’t the case.  Again, just like with the Cloud, it doesn’t need to be difficult to push encryption and key management to the Edge, it just needs to get done.

How do compliance requirements impact Edge computing?

Well, compliance requirements, which are getting stronger as we speak, make the challenge of Edge computing even more important to address.  If you think about it, when we have centralized IT processing, we have one environment to protect. It may be a very data rich environment with sensitive data that cybercriminals may want to steal - but it something that isn’t that difficult to protect.  What if we have 500 of those environments out there across on-prem and cloud locations? The attack surface has been dramatically increased. The data is still important and still a target, but now we have a lot more to deal with. I think people are waking up to the security challenge and need to focus just as much effort on securing data at the Edge as we do at the centralized, on-premise data center.  We have to deploy all of our security defenses at the Edge in the same way that we do with core IT systems. The data is the same.

How is Townsend Security trying to help resolve this challenge.

The barriers to getting Edge data protection right are only party technical.  Key management vendors have not adapted to the new reality of the Edge. The huge expense of traditional KMS solutions is the primary barrier to protecting data at the Edge.  For small businesses, they can even be completely priced out of the market around doing encryption and key management right. Large organizations have been priced out as well.  When there are hundreds or thousands of endpoints that need protected, vendors need to step up to help these businesses secure their data.  

At Townsend Security, we have two distinct advantages.  First, our Alliance Key Manager for Edge Computing solution is virtualized, automated, and VMware Ready.  For example, our key management solution has been certified by VMware for vSphere key management - to protect VMs and vSAN storage.  We are seeing many organizations deploy VMware at the Edge. Second, we have the ability to flexibly license and price our solutions for the Edge.  Enterprises can now deploy full VMware VM encryption and key management at Edge with an affordable solution.

To hear this conversation in its entirety, download our podcast Living on the Edge and hear Patrick Townsend further discuss deployments on the edge, achieving a strong security posture with key management, and other ways that businesses can secure their private data.

Podcast: Living on the Edge

Topics: Encryption Key Management, Alliance Key Manager for Edge Computing

The Definitive Guide to AWS Encryption Key Management
 
Definitive Guide to VMware Encryption & Key Management
 

 

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all