+1.800.357.1019

+1.800.357.1019

Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

vSphere Encryption—Creating a Unified Encryption Strategy (Part 1)

Posted by Ken Mafli on Oct 22, 2019, 6:00:00 AM

What is VMware’s vSphere Encryption?

VMware’s vSphere encryption, first introduced in vSphere 6.5, enables the encryption of virtual machines (VMs) and vSAN. vSphere’s encryption protects your existing VMs, new VMs, vSAN clusters, as well as associated files. It is relatively easy to set up and with the use of a compliant key management server—secure.

 

(Part one of this series deals with VM encryption. Part two will cover vSAN encryption)

A Unified Way to Encrypt VMs

VMware’s vSphere encryption

 

“Dance like nobody’s watching. Encrypt like everyone is.”
~Werner Vogels, CTO at Amazon.com

Data is a bedrock asset for today’s enterprise business. Its value is too great to ignore. Data security, then, is mission critical for those looking to maintain brand integrity, intellectual property confidentiality, and customer trust.

VMware vSphere 6.5 gave its users powerful data security tools; among them AES-NI encryption. The reason this is great news: instead of an ad-hoc approach to encrypting sensitive data where individual sources of encryption are found for each type of database or application, you can now encrypt directly in VMware’s hypervisor creating a unified source for encrypting and managing that encryption. And through their KMIP interface, managing your encryption keys is pretty painless. But more on that later.

vSphere encryption, then, allows the enterprise business to uniformly manage their encryption for both VMs and vSAN and ensure that all sensitive data within VMware is secured. This enables companies to create an encryption strategy for their sensitive data. Let’s look at some of the main advantages, specifically VM encryption, that vSphere encryption provides.

 

Expert Weigh-in:
The huge benefit of vSphere Encryption is the fact that data is encrypted when it leaves its source. This results in data traveling encrypted to its destination, allowing for the highest level of security, all while maintaining simplicity in terms of management and configuration.
~Duncan Epping, Chief Technologist HCI, VMware

 

Expert Weigh-in:
A major advantage of VM Encryption is that it is Guest OS agnostic. Whether the virtual machine is Windows, Linux or any of the other operating systems supported in vSphere, the encryption is the same. There’s no change to the guest OS and no “in guest” monitoring or configuration. Additionally, reporting on which virtual machines are encrypted or not is just one line of PowerCLI!
~Mike Foley, Staff Technical Marketing Architect - vSphere Security

 

The Advantages of Using VM Encryption

Advantages of VMware’s vSphere encryption

 

With VMware vSphere 6.5 and up, you are able to encrypt individual VMs. The main difference between VMware encryption and other encryption methods is ease

vSphere Encryption Key Management Webinarof management. As VMware puts it, because “VMs are treated as objects that can have a policy applied to them, there is no need to manage them individually.”

Here are some of the advantages that this brings:

  • Encryption is configured and managed at the hypervisor level, not within an individual VM.
    • vSphere encryption is agnostic in regards to what is stored within the VM.
    • There are not multiple encryption products for each guest OS, database, or application.
  • Encryption is policy based. Applying it, then, can be done to as many or few VMs that you want.
  • You can bring your prefered key manager to manage your encryption keys. Since vSphere encryption is KMIP 1.1 compatible, you are free to use a FIPS 140-2 compliant encryption key manager, like Alliance Key Manager.

Expert Weigh-in:
One thing few people think about with encryption is disaster recovery. Because of the reliance on an external KMS, you can place replicating Key Managers in various locations. vCenter will see them as a “KMS Cluster”. Should your primary site go down and you need to recover encrypted VM’s it’s as simple as connecting a new vCenter to the KMS cluster and adding the VMs to the inventory. The impact of IT operations is minimal. 
~Mike Foley, Staff Technical Marketing Architect - vSphere Security

 

Expert Weigh-in:
Policy Based encryption and Managed Encryption keys means the difference between an organization protecting their information and exposing their information. Removing the chance of end-users to not-encrypt information means the Business can have assurances they can take to the bank, which is essential in a world of compliance, GDPR, and not to mention security risks or exposure.
~Christopher Kusek, vExpert and Tech Evangelist

 

Now that we know some of the advantages of using VM encryption, let’s looks what is (and is not) encrypted. Why? VMware did a great job making sure all sensitive information can be secured. The list below will go to illustrate that.

 

What Is/Is Not Encrypted

What can be encrypted in vSphere

 

According to VMware, here are the items that can be encrypted (and those that can’t) with vSphere’s VM encryption:

What can be encrypted:

  • VM files
    • Note: Most VM files can be encrypted. This set of files can include the NVRAM, VSWP, and VMSN files. If you use the vSphere Web Client to create an encrypted VM, all virtual disks will be encrypted as well.
  • Virtual disk files
    • Note: Data in an encrypted VMDK file is never written in plaintext to storage or a physical disk, and is never transmitted in plaintext. The VMDK descriptor file, however, is not encrypted and contains a key ID for the key encryption key (KEK) as well as the encrypted data encryption keys (DEKs).
  • Host core dump files
    • Note: When you enable encryption mode on an ESXi host the core dump is always encrypted.

What is not encrypted (and why):

  • Log files
    • Why: these are not encrypted because they contain no sensitive data.
  • VM configuration files
    • Why: the VM configuration information, stored in the VMX and VMSD files, contains no sensitive data.
  • Virtual disk descriptor files
    • Why: the descriptor file is omitted from encryption/decryption functions to support disk management without a need for an encryption key.

 

Expert Weigh-in:
I like vSphere encryption because there’s nothing in the guest OS or at the user-level that might go wrong. vSphere encryption encrypts what needs to be encrypted - your company’s data - that’s stored inside the VM disk.
~David Davis, vExpert and vSphere video training author at Pluralsight.com

 

How it Works

Now that we know some of the advantages of VM encryption and what can and cannot be encrypted; here is the last reason to use vSphere to create a unified encryption strategy—it is easy to set up. Here is a quick video showing how easy it is.

 

Here are those steps for those that would like to just read it:

  • First, install and configure your KMIP compliant key management server, such as our Alliance Key Manager, and register it to the vSphere KMS Cluster.
  • Next, you must set up the key management server (KMS) cluster.
    • When you add a KMS cluster, vCenter will prompt you to make it the default. vCenter will provision the encryption keys from the cluster you designate as the default.
  • Then, when encrypting, the ESXi host generates internal 256-bit (XTS-AES-256) DEKs to encrypt the VMs, files, and disks.
  • The vCenter Server then requests a key from Alliance Key Manager. This key is used as the KEK.
  • ESXi then uses the KEK to encrypt the DEK and only the encrypted DEK is stored locally on the disk along with the KEK ID.
  • The KEK is safely stored in Alliance Key Manager. ESXi never stores the KEK on disk. Instead, vCenter Server stores the KEK ID for future reference. This way, your encrypted data stays safe even if you lose a backup or a hacker accesses your VMware environment.

 

Expert Weigh-in:
vSphere encryption makes securing your data easier than I think most of us thought possible. With vSphere encryption all you do is right-click on a VM and apply the encryption storage policy. Boom! Encryption is done!
~David Davis, vExpert and vSphere video training author at Pluralsight.com

 

It really is that easy. Not only can govern your encryption at the hypervisor layer, deploy standards based AES encryption on a per VM basis (allowing you to secure only those workloads that require it), but you can do so quickly. It is a great encryption option for any business.

Final Thoughts

VMware vSphere VM encryption creates a unified strategy for protecting your sensitive data within vSphere by using the hypervisor to perform the encryption. This means that you do not need to first consider what is in the VM (guest OS, specific databases, etc.) in order to encrypt it. According to VMware, this yields the following benefits:

  • No modification to OSs within VMs
  • No changes needed to existing applications
  • No specialized hardware or infrastructure required
  • Policy-based enforcement that is supported by vSphere

All this and more means that it is easier than ever to secure your company’s sensitive data. Once you have configured your vSphere vCenter Server to enable encryption, simply choose which VMs you want to encrypt and your data is secured. It’s that easy.

According to RiskBased Security, for the first half of 2019, over 3,800 breaches were reported, breaching over 4.1 billion records. When you compare that to the first half of 2018, “the number of reported breaches was up 54% and the number of exposed records was up 52%.” With the pace of breaches only accelerating, the time to create a unified encryption strategy for your sensitive data is now.

 

New call-to-action

Topics: VMware, vSphere, vSphere Encryption

California Consumer Privacy Act (CCPA) - Things You Need to Know

Posted by Patrick Townsend on Oct 17, 2019, 4:00:44 PM

California Consumer Privacy ActThe new California Consumer Privacy Act (CCPA) is a really big deal. Almost no one is ready for it, so you are not alone if you are just getting familiar with the CCPA requirements. Let’s dig into it and try to translate the law (California AB 375 and related statutes) into understandable language. I will also make some recommendations on things you can do right now to get started.

Some history might help

The law itself (AB 375) passed in June of 2018 is a pretty easy read. Interestingly, it directly points to the social and political factors that lead to the creation of the law. The increasing number of data breaches and the Cambridge Analytica scandal are specifically mentioned in the law - but if the law seems a bit rushed and incomplete, that’s because it is!

California is one of those states that make it relatively easy for citizens to gather signatures and put initiatives directly to the people. In early 2018 that is exactly what happened. An initiative related to consumer privacy gathered enough signatures to make it on the California ballot and this proposed new law frightened the technology companies located both in California and outside of the state.

In response to the initiative, the California legislators struck a deal with the initiative proponents. If the legislature could pass a strict new consumer privacy law in short order, the initiative proponents agreed not to put the initiative on the ballot - and that is what happened. Probably breaking speed records for such legislation, the California legislature created the new law in just a few days, and the governor signed it. The initiative was not placed on the ballot.

The speed of the passage of the law had one unfortunate side-effect: There is a lot of ambiguity in the law. You are going to be scratching your head about some of the requirements and definitions in the law. What is missing or undefined is almost as significant as what is in the law. The law goes into effect on January 1, 2020 but the legislature has promised to provide additional guidance in the Fall of 2019, and new clarifying law by June of 2020. More on this below.

The CCPA law, where to find it.

Podcast: CCPA - What You Need to KnowReading regulations will usually make your eyes roll back in your head. In this case the California law is a pretty easy read. I highly recommend that you do this. I read several summaries of the law in business and technology journals, but learned some important facts when I subsequently read the law directly. Here is the link (there is a PDF version available for download).

Just remember my previous comment about future clarifications of the law. There will be changes and I will try to keep you up to date. You should also check the CCPA website for updates.

Is my Organization required to meet the law? 

If you collect data on people who are in California, and meet the minimum criteria (see below), and are not explicitly excluded, you must meet the requirements of the new law. Notice that I did not say “California citizen”, but people who are in the state at the time of data collection. You are not exempt if your organization resides outside of California. If you collect data on people in California, assume you are covered by the law.

If you meet any of these criteria, you are required to meet the new CCPA law:

  • You have $25 Million or more in annual revenue
  • You collect information on 50,000 or more people
  • You derive 50 percent or more of your revenue selling personal information to third parties 

The law applies to both public and private organizations. I often hear people tell me that they are not covered by regulations because their company is “private.” Don’t make this mistake. Being a private organization does not exempt you from the new California law.

There are some exclusions in the law: If your organization is already covered by equivalent privacy regulations such as HIPAA, GLBA, and others, you may be exempt. Don’t be fooled into a sense of complacency about this. The CCPA has privacy regulations that are not covered under those laws. If you think you are exempt, I would highly recommend that you get legal advice on this point.

When does it take effect?

The law takes effect on January 1, 2020. Here are some important points to consider:

  • The law covers data collected for the previous 12 months (from January 1, 2019).
  • There will be clarifying guidance in the Fall of 2019.
  • The law is likely to be amended for clarification by June of 2020, but it is not likely to be less restrictive.
  • The law covers a much broader set of information than any other regulations, including GDPR.

I’ve heard people say that they are not worried because they meet GDPR requirements. That is a big mistake. There is certainly some overlap with GDPR, but some of the CCPA requirements are different and much broader. For example, what is considered “personal information” includes more and different information than GDPR.

What rights are granted to consumers?

Here is a short list of the rights granted to consumers under the new law (please read the law directly):

  • The right to opt-in to data sharing BEFORE you collect and share the information, and the right to opt-out of data sharing at any time. The option to opt-out of data sharing must be respected for 12 months, and subsequently there must be an explicit opt-in process before sharing.
  • The right to opt-out of data sharing using a web page or phone number (other methods may be added to these).
  • The right to a clear privacy statement on your website that specifically addresses the CCPA.
  • The right to know the intended uses of the information that is collected.
  • The right to know the categories of information you collect.
  • The right to know the specific information you collect.
  • The right to know the sources of the information that you collect (websites, third parties, etc.).
  • The right to know to whom you sell or share information.
  • The right to receive a copy of the information you collect in a user friendly format.
  • The right to have you delete their information.
  • The right to deletion of their information from any third party service providers with whom you shared the data.
  • The right to non-discrimination in terms of your services if they opt-out.
  • The individual and class action right to sue if sensitive data is lost and is not encrypted, and for other reasons (please read about encryption below).

You have 45 days to respond to a consumer’s request. With proper notice this can be extended another 45 days (90 days in total).

Try to make a sincere effort to understand the nature and intent of these requirements. The law is written to address those who try to be “cute” about meeting the requirements, and the penalties go way up for intentional avoidance of the requirements.

Note that you have the obligation to verify the identity of the consumer who is exercising these rights. Unfortunately, there is not enough guidance on the proper ways to do this. Be aware, however, that you cannot use any information provided by the consumer that is a part of the privacy request for any other purposes! 

What information does it cover?

The personal information covered by the CCPA is quite broad and extends into areas not covered under GDPR and other regulations. The current definition of sensitive consumer data includes:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
  • Personal and commercial behaviors, and inferences from them.
  • Characteristics of protected classifications under California or federal law
  • Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
  • Biometric information
  • Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory or similar information
  • Professional or employment-related information
  • Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
  • Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

 This is an amazing list of data items that goes far beyond what we see in other regulations. Many companies have done a lot of work using Artificial Intelligence and Machine Learning to make inferences about consumer behavior. I hope you are not missing the fact that this type of inferential and derived data is covered under the CCPA!

What are the penalties?

The potential penalties fall into two categories: Those imposed by the California Attorney General, and those imposed by newly enabled consumer litigation.

First, let’s look at the penalties that can be assessed by the AG. The penalty range starts at $2,500 per violation. Many people think this amount is for each record that is lost or in non-compliance. It is easy to see that this could expensive very quickly. However, if the AG finds that you are “intentionally” in violation of the CCPA the penalty increases to $7,500 per record. One way to trigger this level of penalty is to ignore a formal notice by the AG that you are in violation of the CCPA. Never ignore this type of notification! The higher level of penalty can trigger an existential crisis for many companies.

The second area of penalty relates to newly enabled litigation by individuals. Under the CCPA individuals have a right to bring direct legal action against an organization. This includes the ability to bring a class action against a company. Other than fully meeting the privacy requirements of the CCPA there is no way to limit your exposure to this type of litigation. The CCPA explicitly prohibits the use of arbitration clauses and other means of contractually reducing your exposure. You have to be notified about an impending action, and you have 30 days to correct the action and respond.

These two areas of exposure should motivate you to get a plan in place to fully meet the CCPA privacy requirements, and start executing on the plan. Time is short. 

Am I required to encrypt sensitive data? 

If you want to avoid the risk of direct or class action litigation related to data loss you should encrypt the sensitive data. Individual and class action litigation only applies to unencrypted sensitive data that is disclosed or lost, for whatever reason. The CCPA is clear on the need for encryption. If you lose unencrypted sensitive data this is direct evidence that you violated your duty to provide reasonable security procedures and practices to protect the sensitive information. See section 1798.150(a)(1). 

Most modern relational and Big Data databases provide an easy path to encryption. Find where your sensitive data is stored, prioritize an encryption strategy, and move it forward. This effort may require an upgrade to your database systems to a version that supports encryption. Understand the budget requirements and add the costs for encryption key management.

What should I do now? 

Although there will be additional guidance in late 2019, and there will likely be clarifying legislation in early 2020, you should not wait to get started. There are a lot of things you will need to do to meet the CCPA privacy regulations. Here is a short list that should help you get started. There is more to do, but these will be critical steps:

  • Identify and document all of the sensitive information that you collect or derive from interpretations of the data. Document the sources of this data, how you collect it, the individual items, and then classify the data.  Pay special attention to the categories of data outlined above. In addition to your internal IT systems be sure to include your hosted and cloud applications, and your web-based SaaS systems.
  • Identify all of the third parties with whom you share information. Be sure to document exactly what information is shared.
  • Review your website to ensure you meet the explicit requirements of the CCPA. You will need to update your privacy statement per the CCPA requirements. 
  • Institute processes for handling consumer privacy requests. This will probably require new IT reporting applications as well as human processes for responding to requests. Be sure to keep an audit log of all requests from consumers, and your response.
  • For all service providers who receive information that you share, review your service agreements. Revise those agreements to bind the service provider to the new CCPA regulations. If service providers resist new contract terms, or are non-responsive, have a plan to replace those service providers. Since many service contracts renew on an annual basis, start this process now.
  • Encrypt the data and use good encryption key management. Your only safe-harbor from litigation in the event of a data loss is encryption. The time to get started is right now.

 Disclaimer

 Nothing in this article constitutes legal advice in any way. Consult with a qualified attorney for any legal questions or advice. The new California Consumer Privacy Act will have new guidance before the activation date of January 1, 2020 and is likely to be modified by additional legislation. Please refer to the official California state website for more information. 

Podcast: CCPA - What You Need to Know

Topics: Compliance, CCPA

Saving Money with VMware vSAN Encryption

Posted by Patrick Townsend on Oct 16, 2019, 7:30:02 AM

You may be using VMware’s vSAN technology and not even know it. vSAN is the core technology in most of the Hyper-Converged Infrastructure (HCI) solutions on the market today. If you are running VMware for your on-premise or cloud infrastructure, you have vSAN at your fingertips. So, how can you leverage vSAN to meet compliance regulations and save money? Let’s take a deeper dive.

First, why is it important to encrypt our data?

Encryption and Key Management for VMware - Definitive GuideAlmost all compliance regulations require that you protect the sensitive information of your customers, employees, and service providers. This includes the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), the EU General Data Protection Regulation (GDPR), the New York Department of Financial Services act (23 NYCRR 500), the Gramm Leach Bliley Act (GLBA), and many, many others. As we now know a major data breach that loses unprotected sensitive data will have severe impacts on any organization whether public or private. Encryption is now a core requirement of any security strategy, so how do we get there?

Can’t I use the native encryption facility in my database?

Almost all commercial and open source databases provide a path to using encryption that is built right into the database. Unfortunately, getting access to the encryption feature usually means upgrading to the Enterprise version of the database—and this can be an expensive proposition. This is true of Microsoft SQL Server, Oracle Database, MySQL, and many others. Of course, an upgrade to the Enterprise version usually gets you a lot more capability than encryption. An upgrade brings a lot of additional value, but the reality is that a database upgrade is beyond the budget of many small to midsize companies. So what can you do?

How can vSAN encryption help?

Beginning with version 6.6, VMware vSAN provides for built-in encryption support and a link to vSphere for proper encryption key management. By default, vSAN virtual disks are not encrypted. However, it is really easy to configure a vSphere KMS Cluster, deploy a key management server (KMS), and turn on vSAN encryption. You don’t need to reload your vSAN virtual disks and it is fast to deploy. With very little time and effort you can achieve encryption at rest for your database and other files.

To enable vSAN encryption you only need a key management system that supports the OASIS standard Key Management Interoperability Protocol (KMIP). Our Alliance Key Manager fits the bill perfectly, and there are other solutions. You just deploy the key manager, grab the key manager certificate and private key, install them on your vCenter cluster, configure a KMS Cluster in vSphere, and enable encryption. Voila, you are done in a short period of time.

Do you know what else is cool? You can use the same KMS Cluster configuration to encrypt your VMs and to enable VMware vTPM in your virtual machines. That’s a lot of capability with very little time, effort and expense.

Is it risky to run my database in a vSAN volume?

The VMware vSAN facility is mature and now trusted by large and small Enterprises. As mentioned above, vSAN is a core component of almost all of the major Hyper-Converged Infrastructure (HCI) solutions. You may be using vSAN and not even be aware of it. There is also some good news—VMware has published a number of solution briefs and architecture guides to help you deploy Oracle Database, Microsoft SQL Server, and other databases directly on vSAN. Of course, you need to be aware of high availability requirements for both vSAN and for your KMS, but the existing vSAN documentation is quite good on this front. And deploying a high availability instance of our Alliance Key Manager solution is easy, too. More information here.

Today, you can confidently deploy your relational and NoSQL databases onto encrypted vSAN virtual disks safely and easily.

Saving money with vSAN encryption

We all live with constraints on our IT budget and our management team wants to see a good return on our IT investments. If you find that you don’t have the budget needed to upgrade your database for native encryption, deploying vSAN encryption is a great alternative. vSAN is a VMware facility that you already have and adding a key management solution is now very affordable. You can deploy our affordable Alliance Key Manager solution and avoid future upgrade and build-out costs. vSAN encryption and good key management is within the reach of every IT budget.

Ouch, I have vSAN but I don’t have a place to run a KMS

VMware vSAN is popular in many cloud and edge computing environments, but you might not be deploying VMs in that environment. Our key manager runs as a VMware virtual machine, so this can be a bit problematic in these environments. But there is an elegant solution to this—run the key manager in the cloud. For example, you can launch our Alliance Key Manager as an EC2 instance in AWS, or as a virtual machine in Azure, and use it to protect your vSAN volumes in edge environments. Alliance Key Manager works the same way in the cloud as it does as a VMware VM. And you can use one key management instance to serve multiple vSAN edge deployments. Problem solved!

Some precautions

There are some common sense precautions related to vSAN encryption. One is to be sure that you don’t deploy your KMS virtual machine onto a vSAN volume that it is protecting. If you have issues with the vSAN volume you don’t want it to impact the KMS, and vice versa. Also, as in all production environments where you deploy encryption and key management, be sure to deploy a failover key management server. It is easy to do with Alliance Key Manager and it will help you recover quickly and easily.

Alliance Key Manager for vSAN

Alliance Key Manager is certified by VMware for use with vSAN and vSphere encryption. All versions of vSAN and vSphere that support encryption are certified. In addition to VMware certification, Alliance Key Manager is validated to meet the PCI Data Security Standard (PCI-DSS), is KMIP compliant, and is FIPS 140-2 compliant. You can run Alliance Key Manager as a VMware virtual machine, as a cloud instance (Azure and AWS), in a Docker container, or as a hardware security module (HSM). No charge evaluations are available directly from the Townsend Security website, and we welcome partner inquiries. More information here.

New call-to-action

Topics: Encryption, VMware, vSAN

Don’t Let Your Application or Database Limit Your Encryption Strategy

Posted by Luke Probasco on Sep 23, 2019, 8:37:27 AM

Historically, encryption and key management have been deployed at the application or database level. There are even several databases who’s “Enterprise” edition (like Microsoft SQL Server or MongoDB, for example) include options for encryption and external key management built right in the database. Unfortunately, these types of databases are the exception, rather than the rule. If you were to examine an organization's IT infrastructure, you are more likely to find a wide variety of databases and applications, some natively supporting encryption, some not, and many containing unprotected private information or personally identifiable information (PII). Simply put, their encryption strategy has been limited due to cost and resources required to properly protect private information. 

Podcast: Don't Let Your Application or Database Limit Your Encryption StrategyFortunately, these same enterprises have deployed VMware infrastructure, and starting with vSphere 6.5 and vSAN 6.6, are able to encrypt sensitive workloads in VMware using the advanced cryptographic features in vCenter. To put it a little more simply, businesses can protect their sensitive information in their internal applications and databases that don’t natively support transparent encryption with tools offered by VMware.

I recently sat down with security expert and CEO, Patrick Townsend, to talk about how enterprises can leverage VMware’s vSphere and vSAN to encrypt private data - regardless of whether their applications or databases support encryption. 

Hi Patrick. Let’s jump right in. With the introduction of vSphere encryption in 6.5 and vSAN 6.6, it has become much easier for businesses to encrypt private data. In the past they have relied on encryption at the application level or used the encryption that comes with their database. With so many enterprises deploying VMware, they no longer need to let their application or database limit their encryption strategy.

That’s absolutely correct. There are databases like Microsoft SQL Server and MongoDB EA, for example, that have encryption built right in - which makes it easy. But there are other times when encryption can be much more difficult. SQL Server Standard edition and the Community edition of MySQL, for example, do NOT support encryption. So, you have these widely used databases, with lots of unprotected data because that can be a challenge to encrypt. Using vSphere and vSAN encryption is a great way to address these gaps in an organization's encryption strategy with industry standards-based encryption. 

Sometimes the barrier to encryption is the cost of upgrading databases to “Enterprise” editions. Almost all of us are running VMware in our infrastructure anyway, so in many cases we already have the tools we need - the encryption support is there, we just need to use it. VMware even provides excellent guidance for encrypting databases, like Oracle and SQL Server, for example.

So, one of the most obvious questions. How is performance?

This is always a concern that people bring up. I can say that VMware has done a great job with performance in both encrypted VMs and vSAN - and performance continues to improve. These days, you can even deploy a large database on vSAN. This is a technology that has matured and gained the trust of customers, and they are adopting it at a rapid rate. There is also some really good material from VMware about performance expectations - white papers, solutions briefs, etc. Furthermore, both vSphere and vSAN take advantage of the Intel AES-NI on-chip accelerator for encryption, which provides a great performance boost.

Of course the key manager is the critical component that ensures the encrypted data stays encrypted. Without proper key management, it is like leaving the keys to your house under the welcome mat. What should our readers be looking for in a key manager?

Here is something that I think VMware did right. You must use a key manager in order to activate vSphere encryption of VMs or vSAN encryption. Within vSphere you are able to create a KMS cluster, define failover key managers, multiple KMS clusters, etc. They did a great job. Furthermore, VMware based their interface on the Key Management Interoperability Protocol (KMIP) industry standard. Other databases vendors, for example, allow local storage of encryption keys. That is really such a BAD security practice, so I am glad that VMware saw implications of that. If you are going to use VMware encryption, you are going to use proper encryption key management and that will be much better from a security perspective. I also think that this reflects on VMware as a company and their concern for their enterprise customers.

What to look for in a key manager? All enterprise level key managers are validated to FIPS 140-2 by the National Institute of Standards and Technology (NIST). Be absolutely sure you key management vendor has completed this validation. Secondly, your key manager should support the KMIP protocol. Finally, if you are taking credit cards for payments, look for a PCI validation. We validated our Alliance Key Manager with both Coalfire and VMware, as a joint project. This helps our customers easily get through an audit, which can be quite difficult.

While I have you, I was hoping you could also offer some clarification on the term KMS. For example, VMware defines KMS as a Key Management Server. Amazon defines their KMS as a “Key Management Service.” How should our readers be thinking about a KMS in regards to VMware encryption?

Ah, the chaos of three letter acronyms. KMS, in general terms, means Key Management Server. It is a broad term covering key management devices that manage the entire lifecycle of a key - from creation to destruction. You are right, Amazon does call their key management service KMS, which can lead to some confusion. This service is NOT to be confused with a key management server - and does not give you full control over the entire key lifecycle. It is a shared administrative environment where you share access to the keys with Amazon.

You need to approach cloud service provider (CSP) implementations of key management services with trepidation. It is important for YOU to hold exclusive access to your keys and that only you have the only administrative control. Cloud lockin can be another concern as well.

To hear this conversation in its entirety, download our podcast Don’t Let Your Application or Database Limit Your Encryption Strategy and hear Patrick Townsend further discuss Encrypting applications and databases that don't natively support encryption, encryption performance, and other fundamental features of an enterprise grade key manager.

[Podcast] Don't Let Your Application or Database Limit Your Encryption Strategy

Topics: Encryption Key Management, VMware, vSphere, vSAN

Are Encryption and Key Management Critical to Blockchain and DLT?

Posted by Patrick Townsend on Sep 16, 2019, 6:51:24 AM

As blockchain technologies make their way towards general acceptance in private and public sector IT systems, the critical issues of governance, risk management and compliance come into play - and blockchain teams are maturing to address these areas. One important gap to fill involves the proper protection of sensitive data in a blockchain deployment. It seems odd to discuss data protection in the context of blockchain. Isn’t blockchain based on cryptography? Yes, it is, but there remains a gap in the area of data protection. Let’s delve into this in more detail.

What Data Needs to be Encrypted in the Blockchain Ledger?Blockchain’s innovative way of linking transactions and guaranteeing their immutability in a distributed ledger is based on well known and respected cryptographic algorithms and processes. The ability to extend this level of assurance across a large number of widely distributed nodes is clearly an amazing extension of modern computing. While there have been security lapses in public blockchain implementations, these have generally been related to improperly securing credentials and mistakes in implementing chaincode. Blockchain methodologies are standing up well to external attacks.

One important aspect of blockchain is its transparency. That is, everyone has perfect visibility into the transactions on a ledger and their current validity. This transparency is a core feature of blockchain - and that leads to a problem:

Some data that we want to put on the blockchain is sensitive, and we may not want to expose it to others.

There are lots of reasons why we might not want some information on the blockchain ledger to be transparent:

  • An organization’s reputation suffers when they lose or expose sensitive information. This is true for both public and private organizations and a significant loss of reputation is difficult to mitigate.
  • Even little bits of data in blockchain transactions needs to be protected. When sensitive data in a blockchain ledger are aggregated, it can indicate the direction of a business’s activity and leak important information about strategic developments to it competitors.
  • Compliance regulations prevent storing sensitive personal information in the clear. The PCI Data Security Standard mandates that credit card (Primary Account Numbers) be encrypted. The New York Department of Financial Services (23 NYCRR 500) requires the encryption of certain sensitive information. The EU General Data Protection Regulation (GDPR) mandates the protection of sensitive information of “Data Subjects”. here are other regulations that require or recommend protection of sensitive data.
  • Digital assets that represent intellectual property need to be protected from cybercriminals and state actors. The loss of key intellectual property can be devastating to a startup or mature enterprise.

Therefore, it is critical for organizations to design proper data privacy into blockchain projects from the very beginning. It is painful and potentially impossible to fix data privacy gaffs after the fact.

Blockchain SecuritySome blockchain advocates suggest that the solution to this conundrum is to not place sensitive information on the blockchain at all. But this is an impossible goal. Data on a blockchain may not specifically identify an individual, but may contain enough information that it can be combined with previously leaked information to form a full picture of an individual. Remember that hackers are really good at data aggregation. Losing a little sensitive information can lead to an embarrassing loss of a lot of information.

Other blockchain advocates suggest that the answer to this problem is to store sensitive data off of the blockchain altogether. But does this really solve any problem? This approach loses the many advantages of blockchain technology, and doesn’t do anything to solve the data protection puzzle. “Out of sight, out of mind” is not a solution to any problem.

Some blockchain implementations attempt to achieve privacy through “add on” features. Hyperledger channels and collections are two examples of this. These facilities use access controls to attempt to achieve this. As good as these facilities are, access controls will not address the data protection requirements of compliance regulations, nor provide other protections that encryption provides.

For all of the reasons we encrypt sensitive data in traditional databases, we need to encrypt sensitive data on a blockchain. This doesn’t mean that we have to encrypt everything that we put on the blockchain ledger, but it means we have to have the same intelligence in regard to sensitive data on blockchains that we have in the most secure systems today.

Fortunately, we can accomplish data protection on blockchains and maintain their usefulness. In fact, not only CAN we accomplish this, we MUST accomplish this in order to preserve the usefulness of blockchain technology.

If we are going to encrypt data that we put on a blockchain, we have to address a few requirements that are specific to blockchains:

  • We have to use industry standard encryption algorithms, such as AES, to meet compliance regulations.
  • We have to manage encryption keys using industry standards and best practices. This means storing encryption keys away from the blockchain ledger and doing so in a provably standard and secure way.
  • We have to make encryption keys available to the users and smart contracts that need them. This is a challenge in a distributed blockchain environment.
  • We must authenticate user’s authority to use encryption keys.
  • We must have a mechanism for restricting access to encryption keys, and for granting and revoking access to those keys.
  • We know how to accomplish these tasks in a traditional, centralized IT system. Years of work have produced standardized approaches to encryption. But blockchain presents real challenges to meeting these challenges.

Fortunately, innovation in the area of protecting data on a blockchain ledger is advancing.

At BlockNKey we built a key orchestration system architected from the ground up for distributed ledger technology. NIST compliant encryption and key management, a key vault, and key access control are built into each registered blockchain node. Cryptographic keys grant permission to whomever is permitted access to the data, how it’s accessed and when it’s accessible. This enables multi-party access to the appropriate data in real time through verified and validated access points. BlockNKey is compatible with public and private blockchains while enabling proper data security with easy to use REST APIs. It will even help you if you are storing sensitive data “off chain”.

Townsend Security has partnered with BlockNKey to bring an encryption and key management solution to blockchain users. More information here.

What Data Needs to be Encrypted in the Blockchain Ledger?

Topics: Blockchain

2019 Encryption Key Management Survey Results

Posted by Ken Mafli on Sep 11, 2019, 9:56:26 AM

Recently, we here at Townsend Security had the opportunity to poll the fans of our Newsletter to see how folks are doing with encryption and key management for their data-at-rest. We conduct this survey, and surveys like it, so that the larger InfoSec community can get a snapshot of how businesses, in general, are doing in securing their sensitive data. Below are a few key findings, hope you enjoy!

 

Overall Results

Using Encryption

First, the good news: 73% of respondents report that they encrypt their sensitive data while at-rest. This makes sense as all the respondents are fans of our Newsletter; the group is a little self-selecting in that they have already expressed an interest in data security. Of course, we would like to see the number at 100%, but that would mean our work is already done—and we know we still have a long way to go.

To give a bit of perspective, we conducted two additional surveys that represent a more general audience that we published, here and here. In those two surveys the adoption rate for encryption is closer to 50%. So, hats off to our fans for being above the curve!

Using Key Management

Now, the bad news: Only 50% of respondents say that they use proper key management to secure their encrypted data-at-rest (again, a little self-selecting in that, as part of the reason they like our Newsletter is that they are learning more about key management). Interestingly, even if you adjust the data to only look at those who replied that they do use encryption, the number only jumps to 66%.

As a comparison with the wider community, only about 30% of respondents in our other two polls (referenced above) said that they use encryption key management to securely manage their keys.

Expert Weigh-In: Patrick Townsend, CEO of Townsend Security
"Encryption is not enough. In order for encryption to be secure, the keys must be properly managed—100% of the time. If you don’t properly manage your encryption keys, it is like placing your house keys under your welcome mat. Every good thief knows to look in the obvious places for easy entry. Hackers do as well."

 

Encryption and Key Management Use, per Database/Blob Storage

Using Encryption per Database

It is no surprise to see that, overall, if a database/blob storage reports a rise/fall in the use of encryption, there is also a corresponding rise/fall in the use of proper key management. What is interesting, however, is the databases/blob storage where the respondents reported the widest gap in adoption of key management in comparison to the adoption of encryption. Here are the top five databases and their corresponding adoption gaps:

Database Gap in Encryption to Key Management Adoption
SharePoint: 40%
SAP: 28%
SQL Server Enterprise Edition: 26%
MySQL, SQLite, PostgreSQL, etc: 26%
MongoDB: 24%

 

Encryption & Key Management for SQL Server - Definitive GuideWhat may or may not be surprising is that SharePoint leads the pack in lack of key management adoption (compared to encryption adoption) and SQL Server Enterprise Edition comes in third. SharePoint is built on top of Microsoft SQL Server as its datastore (for structured data, at least). For SQL Server 2008 Enterprise edition and up, you now have the ability to not only take advantage of SQL Server’s Transparent Data Encryption (in SharePoint and SQL Server), but you also can leverage the power of a third-party encryption key manager using Extensible Key Management (EKM). This means it is incredibly easy to not only deploy encryption but also proper manage the encryption keys.

What is less surprising is the other three that made the top of the list. All these come with free editions that do not come with encryption libraries, let alone the ability to properly manage the keys. So anyone spinning up a free version of these databases will, by their very nature, not be able to secure their data.

Expert Weigh-In: Tim Roncevich, Partner at CyberGuard Compliance
"Many Enterprise editions of databases come with robust AES encryption and a way for a third-party vendor to manage the encryption keys. If you are storing sensitive data in an open-source, or free, version of a database, upgrade today. Hacks similar to the Cathay Pacific breach of 2018 were due to the company not upgrading to the Enterprise edition to take advantage of the encryption and key management that were available to them."

 

What Virtualization Do You Use?

Virtualization Used

About three-quarters of respondents said that they use VMware in their environment. The other quarter reported using Hyper-V, Red Hat Virtualization, Citrix Hypervisor, or KVM. Less than 10% said they used multiple virtualization platforms.

This is great news for the majority of businesses, then, in terms of encryption and key management. VMware’s vSphere 6.5 and up come with encryption ready to use. Not only that, but using a third-party encryption key manager is easy to set up and deploy.

Expert Weigh-In: Sharon Kleinerman, Director of Sales at Townsend Security
"For those organizations struggling to secure their data-at-rest with encryption and key management, doing so has never been easier. If you have VMware 6.5 and above, you simply set up your third-party key manager through vSphere’s KMS Cluster KMIP interface, tell vSphere which VMs you want encrypted, and your data is encrypted. Same with vSAN. It really is easy to encrypt with VMware as your virtual environment."

 

Backup & Recovery Solutions

Backup and Recovery Used

Backup and recovery solutions are an integral part of business continuity. In fact, Allied Market Research estimates that the market will grow by almost 25% year over year through 2023. In the next few years, however, Gartner estimates that 50% of companies will augment or replace their current backup solution with another.

Our findings fall roughly in line with Gartner’s research. According to our survey, about 40% of respondents say they will, or don’t know if they will, replace their current backup and recovery solution.

Expert Weigh-In: Steve Brown, Partner at Rutter Networking Technologies
"For those thinking of switching your B&R solution, it is important to make sure that the solution you are switching to provides encryption and a way to manage your encryption keys. Encryption should not be an afterthought. Instead, it should be one of the main drivers as to why you would either stay with your current solution or look farther afield."

 

Conclusion

The rate at which data breaches are happening is not slowing down. We all know this. But the adoption rate of best practices is still lagging. While it is heartening to see our blog’s fanbase beating the overall average for using encryption and key management to secure sensitive data-at-rest, We still have a long way to go.

The good news, it is easier than ever to adopt best practices. If you are thinking about truly defending yourself with a defense-in-depth strategy, talk to us today.

 

Encryption

 

Topics: Encryption Key Management

VMware vSAN Encryption for Compliance

Posted by Patrick Townsend on Aug 30, 2019, 9:06:56 AM

Many VMware customers know that they can encrypt their virtual machines that are managed with vSphere and other VMware tools. VMware vSAN encryption can also provide important protections for data-at-rest in vSAN virtual disks. I wanted to share some thoughts I’ve received from our VMware customers and partners on some of the benefits of using vSAN storage with encryption enabled.

A Simple Way to Encrypt

Podcast: Protecting Data with vSphere & vSAN EncryptionWhen you have a large database, it can be inefficient to store the data in a directory or folder directly in your virtual machine. vSAN can be much easier to manage from an administrative and recovery point of view and your VMware applications can easily connect to the vSAN volume. vSAN is configured using the VMware tools you already know how to use and managing vSAN storage is easy.

Did you know that you can enable vSAN encryption to protect that database with sensitive data? You can enable vSAN encryption on existing virtual disks or on new virtual disks that you create. The process is simple and does not require any downtime for your application - and vSAN encryption enables the use of a KMIP compatible key manager like our Alliance Key Manager so that you stay lined up with industry standards and security best practices. It is an easy way to improve your overall security posture.

A Simple Way to Meet Compliance

Many of our VMware customers are struggling to implement encryption on their databases to meet compliance regulations and to protect the organization’s digital assets. Although encryption and key management have become much easier over the years, it can still seem like a daunting task. VMware vSAN encryption to the rescue! It is easy to implement with the tools you already have, and you can deploy an affordable key management solution such as our Alliance Key Manager to fully meet compliance requirements and security best practices. You configure key management directly through the KMS Cluster facility in vSphere, and then activate vSAN encryption. Alliance Key Manager does not impose any limits on the number of virtual disks you protect, nor on the number of nodes that connect to the key manager.

A Simple Way to Save Money

Some databases, such as Oracle and Microsoft SQL Server, require expensive license upgrades to enable encryption capabilities. This cost can be out of reach for many small to medium size organizations. Using vSAN encryption is an affordable way to achieve a better security posture using the tools and the IT professionals you already have.

You might be wondering if VMware supports the deployment of these databases on vSAN volumes. The answer is absolutely YES! You will find substantial documentation from VMware on doing exactly this. The documentation includes reference architectures and analysis of performance impacts. You can confidently move forward with vSAN encryption knowing that VMware has invested time and effort to make sure you are successful.

Lastly, we know that some VMware users have deployed the free version of vSphere. There are some costs associated with upgrading to the paid tier of vSphere in order to get the ability to encrypt VMs and vSAN. If this is where you are today, talk to us about how we can help with the uplift to the next level of vSphere capability.

Resources:
vSAN Documentation
Oracle Database on VMware vSAN Solution Overview
Architecting Microsoft SQL Server on VMware vSphere
Pointers to our AKM for vSphere/vSAN Solution Brief 

New call-to-action

Topics: Compliance, VMware, Enryption, vSAN

MongoDB World 2019 Encryption Survey

Posted by Ken Mafli on Aug 8, 2019, 8:42:34 AM

This June we had a chance to participate in MongoDB World 2019 in New York City as an exhibitor. It was a great time as MongoDB professionals from around the world attended. We had an opportunity to ask them about their company's encryption and key management practices. Below are the results as well as some expert weigh-in on the findings. Enjoy!

 

MongoDB-Survey-2019

 

If you are looking to protect your encryption keys for your sensitive data in MongoDB, you need a FIPS 140-2 compliant centralized key manager that:

  • Never charges you additional fees for connecting a new end-point.
  • Never limits the number of end-points based on the model of the KMS.
  • Never limits the number of encryption keys generated or stored.
  • Never forces you to pay extra fees for software patches.
  • Never forces you to pay extra fees for routine software upgrades.
  • Always gives you unmatched customer service.
  • Always protects your keys, 24/7.

You need Alliance Key Manager for MongoDB.

Encryption and key management for MongoDB

 

Topics: MongoDB Encryption, MongoDB Encryption Key Management, MongoDB

Case Study: Indus Systems

Posted by Luke Probasco on Jul 16, 2019, 8:13:57 AM

indus-LogoIT Solution Provider Helps Customer Protect vSphere and vSAN Encryption Keys with Alliance Key Manager for VMWare

 


“As our customers face new and evolving compliance regulations that require them to encrypt private data, we needed a partner that could provide easy and affordable encryption key management for VMware.

- Kushal Sukhija, Technical Director

 
Indus Systems
Indus Case StudyAs processes are becoming more complex, competitive and demanding, businesses are constantly exploring new ways to deploy effective solutions. Indus Systems (www.indussystem.com), over the years, has synchronized their team to offer best-of-breed solutions from leading technology partners, coupled with their Professional Services to help customers to protect their Information Technology investment, reduce costs and grow business. Their IT Solutions increase people efficiency, reduce infrastructure footprint, which acts as catalyst towards quantum business growth. Indus Systems thrives to be a hand-holding partner in their customers’ journey.
With over 15 years of experience and 300+ happy clients, Indus Systems offers solutions in:
  • Business Continuity
  • Core Infrastructure
  • Network & Security
  • Mobility
  • User Devices
  • Professional Services 

 

The Challenge: vSphere / vSAN Encryption Key Management

Based in India, Indus Systems is increasingly finding their financial customers concerned with meeting the Securities and Exchange Board of India (SEBI) requirements for protecting private information. According to the SEBI framework, which came into force on April 1, 2019, “Critical data must be identified and encrypted in motion and at rest by using strong encryption methods.”

JM FinancialWith SEBI’s new cyber security framework, JM Financial Asset Management Ltd turned to Indus Systems for guidance on how to better protect their data. JM Financial Asset Management Ltd, an Indus Systems customer of 10 years, were due for a technology refresh. As part of the project, the company would rely heavily on VMware and protecting private data with vSphere and vSAN encryption.

Knowing that for encryption to be truly effective it needs to be coupled with encryption key management, Indus Systems and JM Financial Asset Management Ltd visited VMware’s Solution Exchange in search of a VMware Ready key management solution.

The Solution

Alliance Key Manager for VMware

“After visiting VMware’s Solution Exchange and finding Townsend Security’s Alliance Key Manager as a VMware Ready solution that had been certified by VMware for use with vSphere and vSAN encryption, we knew that we could easily help customers like JM Financial Asset Management Ltd meet SEBI’s encryption requirements,” said Kushal Sukhija, Technical Director, Indus Systems.

With Alliance Key Manager for VMware, organizations can centrally manage their encryption keys with an affordable FIPS 140-2 compliant encryption key manager. Further, they can use native vSphere and vSAN encryption - agentless - to protect VMware images and digital assets at no additional cost. VMware customers can deploy multiple, redundant key servers as a part of the KMS Cluster configuration for maximum resilience and high availability.

“Alliance Key Manager proved to be an affordable and easy to deploy solution that we will be able to offer our customers beyond JM Financial Asset Management Ltd,” continued Sukhija. “Further, as part of our due diligence, we started
a Proof of Concept (POC) with another key management vendor as well. After getting halfway through the project, we could quickly see that their solution was getting complicated and expensive - something that we could not recommend and deploy for our customers.”

By deploying Alliance Key Manager for VMware, Indus Systems was able to meet their organization’s and client’s needs to protect private data at rest in VMware.

Integration with VMware

“VMware’s native vSphere and vSAN encryption make it easy to protect VMware images and digital assets. With Townsend Security’s Alliance Key Manager, we were able to protect our data with no additional agents or additional costs as JM Financial Asset Management Ltd scales their IT infrastructure,” said Sukhija. With a low total cost of ownership, Alliance Key Manager customers can leverage the built-in encryption engine in VMware enterprise, with no limits imposed to the number of servers or data that can be protected.

By achieving VMware Ready status with Alliance Key Manager, Townsend Security has been able to work with VMware to bring affordable encryption key management to VMware customers and the many databases and applications they run in VMware Enterprise. VMware Ready status signifies to customers that Alliance Key Manager for VMware can be deployed in production environments with confidence and can speed time to value within customer environments.

Indus Case Study

 



Topics: Alliance Key Manager, Case Study

VMWare and Encryption Key Management Failover

Posted by Patrick Townsend on Jun 26, 2019, 12:38:09 PM

Encryption and Key Management for VMware - Definitive GuideOne of the easiest ways to implement encryption controls in your VMware infrastructure is to activate vSphere and vSAN encryption. With vSphere encryption you can insure that all VM images are encrypted at rest, and with vSAN encryption you can set up virtual disks that are fully encrypted protecting any files that you place there. vSphere encryption was implemented in version 6.5, and vSAN encryption was implemented in version 6.6. All subsequent versions of vSphere and vSAN include these capabilities. (Note that you must be on the Enterprise or Platinum edition).

In both vSphere and vSAN the key manager is integrated using the open standard Key Management Interoperability Protocol, or KMIP. This means that any key management solution that supports the necessary KMIP interface can work as a vSphere or vSAN key manager. Our Alliance Key Manager solution implements this support, and is already in use by our VMware customers. 

The most common question we get about these new encryption features is: How do I manage failover for the key managers?

This is a great question as VMware is a part of your critical infrastructure, and key management has to work with your high availability strategy. There are two parts to this question and lets dig into both of them:

Defining Key Managers to vSphere KMS Cluster

Key managers are defined to vSphere using the option to configure the KMS Cluster. A KMS Cluster configuration allows you to define more than one key manager. So you have a readily available path for failover. The first key manager configuration is the primary key manager, and all subsequent key managers in the KMS Cluster are failover key managers. vSphere will always use the first key manager you define and treat it as the primary. 

In the event vSphere cannot connect to the primary key manager, it will try to connect to the second key manager in the KMS Cluster configuration. If that one fails it will try the third one, and so forth. The failover order is the order in which you define key managers in the KMS Cluster, so you should keep that in mind as you define the key managers.

While vSphere allows you to create multiple KMS Cluster definitions, very few VMware customers need multiple definitions. Just put your key manager definitions in a single KMS Cluster and you are set to go. 

If you have failover clusters for VMware, be sure to define the KMS Cluster for the failover environment, too!

Implementing Key Mirroring in Alliance Key Manager

Now that you have failover key managers defined to the KMS Cluster, you need to activate key mirroring between the primary key manager and each failover key manager. This is really easy to do, and you don’t need any third party products to implement key mirroring with Alliance Key Manager. Real time, active-active key mirroring is built right into the solution. You can SSH into the key manager, provide credentials, and then take the menu option to set up the primary or secondary key server. Answer a few questions and you will have key mirroring enabled between two or more Alliance Key Manager servers.

Our Alliance Key Manager solution implements full support for vSphere and vSAN encryption key management and has everything you need to get started. Adding encryption to your VMware environment is easy. VMware did a great job with this implementation of key management support and you can easily realize the benefits of protecting VMware infrastructure.

Alliance Key Manager documentation for vSphere can be found here.

You can download Alliance Key Manager and get started right away. Here is where to go to start the process.

Townsend Security will help you get started with vSphere and vSAN encryption. There is no charge for the evaluation or evaluation licenses and you will get access to the Townsend Security support team to ensure you have a successful project.

Patrick

New call-to-action

Topics: Alliance Key Manager, VMware

The Definitive Guide to AWS Encryption Key Management
 
Definitive Guide to VMware Encryption & Key Management
 

 

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all