Townsend Security Data Privacy Blog

Luke Probasco

Recent Posts

Press Release: Townsend Security Announces True Usage-Based Licensing for VMware Cloud Providers & MSPs

Posted by Luke Probasco on Jun 17, 2020 10:00:00 AM

With simplified usage-based licensing with no upfront fees, no annual minimums, and built-in support, VMware Cloud Providers and MSPs can offer customers better security with encryption and key management at a lower cost.

Townsend Security today announced new flexible licensing of Alliance Key Manager, their FIPS 140-2 compliant encryption key management server (KMS) to VMware Cloud Providers and MSPs. The new program allows these businesses to offer better security with encryption and VMware-certified key management at a lower cost, while maintaining their current pay-per-use and pay-as-you-go business model.

VMware Cloud Providers and MSPs need to help their customers achieve encryption of VMs and vSAN storage to meet compliance requirements and new regulations like GDPR and CCPA. However, typical commercial KMS solutions are expensive, hard to maintain, and have complex licensing requirements. Legacy KMS systems don’t match the VMware partner’s business model, and they create a business problem for VMware partners who are trying to grow their business and compete with large Cloud Service Providers (CSPs). Townsend Security has addressed all of these obstacles with their new program for VMware Cloud Providers and MSPs.

The new program offered by Townsend Security allows VMware Cloud Providers and MSPs the ability to encrypt VMs and vSAN with FIPS 140-2 and KMIP compliant Alliance Key Manager. The solution is easy to install, configure, and deploy. Once deployed it requires no routine maintenance and partners have total flexibility in how and where they deploy the KMS system to help their customers. Crucially, the new Townsend Security program will match the VMware Cloud Provider’s business model, eliminating KMS licensing headaches, unmanageable reporting requirements, and unreliable KMS high availability implementations.

“Many VMware Cloud Providers and MSPs provide usage-based deployments for their end customers. Alliance Key Manager fits seamlessly into their business strategy to match the way they do business,” said Patrick Townsend, Founder & CEO of Townsend Security. “With Alliance Key Manager, you will never have up-front fees, annual minimums, complex software maintenance contracts, or restrictions on how you do business. Our partners are empowered to grow their business without concerns about how to allocate KMS costs. Predictable SaaS usage-based pricing makes it easy to sell, implement, and support end customers and their security needs - and an additional benefit is the incremental revenue and positive impact on margins.”

Once enrolled in Townsend Security’s new VMware Cloud Provider and MSP program, the company will assign training and support resources to help partners get started. There is no charge for training and Townsend Security’s technical support team is available for 24/7 business interruption support. 

Visit www.townsendsecurity.com/msp to learn more about Townsend Security’s new VMware Cloud Provider and MSP partner program.

Topics: VMware, Press Release

Encryption and Key Management for VMware Hosting Providers and MSPs

Posted by Luke Probasco on Jun 12, 2020 9:40:30 AM

VMware has become the most trusted name in on-premise computing infrastructure. Because of its ease of use and administration, reliability and security, VMware is able to provide exceptional services to small and large organizations alike. As these organizations move to the cloud, VMware hosting partners and managed service providers (MSPs) are able to service this market by providing off-premise deployments of VMware and an extensive array of VMware management and administrative services. For more information on how VMware hosting providers can better secure customer data, check out our "Definitive Guide - Encryption Key Management for VMware Cloud Providers" page.

I recently sat down with Patrick Townsend, Founder and CEO of Townsend Security, to talk about how Townsend Security is helping VMware hosting providers meet the challenge of encryption and encryption key management, while supporting the usage-based business model core to many of these hosting providers. Additionally, Patrick discussed VMware architecture, VMware security, delivering compelling hosting & services, and compliance, standards, and encryption.

Hi Patrick. In recent years VMware has embraced the movement to the cloud with key partnerships with leading cloud service providers. What is less well known is that VMware has spawned and supports a broad set of hosting providers that serve local and regional markets. These VMware hosting providers also provide the expertise and managed services that many large cloud providers do not.

There are a fair number of VMware hosting providers and MSPs now with their own hosted, or cloud, platforms who are running VMware full stack implementations for their customers. Customers now have many options for managing their VMware infrastructure on premise or at a VMware hosting provider data center.  Many of these customers maintain both on-premise and hosted environments to meet their customers’ business needs. The VMware ecosystem is growing and resilient, and an important part of the IT services landscape.

Security has got to be essential for these hosting providers and MSPs. What do you think they are doing well and where could they use a little help?

Well, security is a core focus of VMware applications, and the security features have had a lot of time to mature. For example, VMware now offers encryption in several of their products. However, the deployment of proper encryption relies on support from third party KMS vendors. Realizing the importance of key management, VMware adopted the Key Management Interoperability Protocol (KMIP) standard, which allows vendors like Townsend Security to provide key management solutions that allow businesses to store and manage their encryption keys through their entire lifecycle.

Townsend Security is proud to help VMware hosting providers and MSPs implement encryption and do it the right way that matches their business model.

So, let’s spend a minute and discuss delivering compelling hosting and services.

VMware hosting providers and MSPs are rapidly changing the way that VMware customers are managing their IT infrastructure. These VMware partners are filling a services and support gap left by typical, large cloud service providers. Hosted VMware infrastructure, Disaster Recovery as a Service (DRaaS), automated backup and recovery, and expertise on demand provide compelling value to VMware end customers. Amazingly, many of these VMware hosting partners are providing a far more affordable solution than large Cloud Service Providers. Townsend Security’s Alliance Key Manager is filling the KMS gap for VMware hosting providers and MSPs by providing an Enterprise KMS system that matches the way they do business. Gone are the complexities of sourcing, deploying, licensing and administering a KMS for the VMware environment. Townsend Security empowers the VMware hosting provider with on-premise and customer premise solutions for every VMware KMS need.

There are a few strategies that these hosting providers and MSPs can use to secure customer data in VMware environments. For example, data can still reside on-premises or in the cloud and be encrypted in VMs or in vSAN, or even through Virtual Trusted Platform Module (vTPM). First, let’s cover On-Prem and the Cloud.

Sure. Many VMware hosting providers and MSPs often are the experts who manage a customer’s on-premise VMware infrastructure. If you don’t have in-house expertise these partners can step up to help you. This means that the same security tools that are used at the hosting site need to be available at the customer site. This is a core part of the value that a VMware hosting provider and MSP provides to their customers - run VMware on-premise, on their cloud, or combine the two. Some VMware MSPs provide expertise and services to help their customers move to one of the larger cloud platforms. 

If you are a VMware hosting provider and you provide this type of service to help customers move to Microsoft Azure VMware Solution, Google VMware Cloud Engine, or IBM Cloud for VMware, or other full-stack VMware cloud service, we can help you with your KMS needs in the same way. 

Let’s circle back to how data is being encrypted in VMware

As a VMware hosting provider or MSP, you are able to quickly and easily deploy encryption of VMs for your customers with vSphere encryption. It is important to not forget about also deploying a KMS. The second most popular encryption option in a VMware environment is the encryption of vSAN virtual directories. The VMware architecture for key management for vSAN is the same vSphere KMS cluster configuration used for encrypting VMs. Encryption of vSAN storage is one of the great ways to protect databases in the VMware infrastructure. It can be expensive to upgrade Oracle, SQL Server or MongoDB to get encryption support, but you can easily provide encryption at rest by deploying these databases on encrypted vSAN storage at a fraction of the cost of an upgrade. And you can do encryption at rest for open source databases that do not directly implement encryption or proper key management. This includes MariaDB, PostgreSQL, SQLite and others.

Another option is to use OS encryption through the virtual trusted platform module (vTPM), right?

The Trusted Platform Module (TPM) chip is implemented on many Intel architecture servers and provides an additional level of encryption key protection in traditional server environments. Unfortunately, the TPM architecture works poorly in a VMware environment where workloads can move and migrate between servers. Thankfully, VMware came to the rescue with Virtual TPM (vTPM)! By installing the appropriate vTPM drivers from VMware you can achieve TPM security that works natively with your VMware platform. vTPM also leverages the same vSphere KMS interface, so encryption and proper key management are easy to deploy.

How is Townsend Security helping VMware hosting providers and MSPs with encryption and key management? 

Townsend Security has been a VMware partner for many years. Our KMS, Alliance Key Manager, is certified by VMware on all releases of vSphere and vSAN that support encryption. At Townsend Security we have worked hard to create a hosting provider/MSP program that takes the pain out of a KMS partnership. Most notably, if you provide VMware hosting services on a usage-based model, we will help you deliver a KMS for encrypted VMs and vSAN with the same model. For example, if you are charging your customers per virtual machine or per main memory, depending on how much you use, we will snap right in to your environment and help you deliver encryption of VMs and vSAN in the same way. We do this with no upfront fees, no annual license charges or separate maintenance fees, we just make it really simple to deploy and use for the VMware hosting provider.

Is there anything else that you would like to share about your partner program?

First, it is very easy and simple to get started with our partner program. Just visit www.townsendsecurity.com/msp. If you are interested in more information, there is a short form to fill out. We make it extremely cost effective for hosting providers to deploy encryption and key management for their customers. I’d also like to mention that our KMS is certified for every version of vSphere and vSAN that supports encryption, is validated for PCI-DSS compliance, and has been through a FIPS 140-2 validation.

You can actually download Alliance Key Manager for VMware directly from our website and immediately load it into VMware. We also have our support team ready to help you get deployed - without a charge. It just takes minutes. We are proud to have lowered the barrier to entry and administrative overhead typically associated with encryption key management - which makes it easier than ever for VMware hosting providers and MSPs to offer better security to their customers.

To hear this conversation in its entirety, download the podcast “Delivering Secure VMware Hosting with Encryption & Key Management” to hear Patrick Townsend, Founder and CEO, further discuss VMware architecture, VMware security, delivering compelling hosting & services, and compliance, standards, and encryption.

Topics: Encryption Key Management, VMware, Hosting Providers

State of Encryption Key Management - 2020

Posted by Luke Probasco on Apr 20, 2020 8:05:12 AM

Data security compliance requirements and corporate security initiatives continue to drive the adoption of encryption and key management to protect private information - ranging from customer information to electronic protected health information (ePHI) to a company’s intellectual property (IP). Deploying encryption naturally means properly protecting encryption keys, which historically has been the biggest challenge that organizations face with their encryption strategy. As such, it is far too common to see businesses not properly storing their encryption keys - for example, keeping them in a database in the clear or even burned into their application’s code.

Fortunately, encryption key management solutions are more affordable and easier than ever; however, not all solutions are created equal. Standards such as FIPS 140-2 remain, but what does that mean in a virtual environment? Additionally, we are seeing all the major cloud service providers (CSPs) offer encryption key management as a service, but there are several fundamental reasons enterprises are hesitant to adopt them.

I recently sat down with Patrick Townsend, Founder and CEO, to discuss the current state of encryption key management, databases/applications that natively provide encryption and key manager integrations, and questions to ask your key management vendor. 

Hi Patrick. Let’s just take a minute and acknowledge how far encryption key management has come.

It is incredible how far encryption key management has come over the last 15 years. As I think back to when we started this journey, it was a very different environment. One of the motivating factors for us to get in the key management game was that key management systems used to be terribly expensive and complex - and usually involved a team of expensive consultants to deploy. Early on, I even had a key management system (KMS) vendor tell me that they didn’t want to do a deal under $10 million - and that just isn’t going to work for smaller companies. This just really influenced how we got started. Companies of all sizes deserve to have good encryption and key management as part of their defense in depth security strategy. I am very proud of our team for creating a key management solution that has been FIPS 140-2 validated and affordable to the small and medium sized enterprises who need to protect their employees and customers without having to pay for every database, connection, or encryption key. We have now passed the 10 year mark with Alliance Key Manager. While it was first introduced as a physical hardware security module (HSM), we have added VMware and cloud platforms (AWS and Microsoft Azure) - and starting at $4,800 is affordable to every customer. I am proud that we have played a part in making encryption key management affordable to businesses of all sizes.

Speaking of cost, could you imagine if deployments were still $10 million?

It really is incredible. If that were still the cost, small and medium sized businesses would be priced out of the market - and their data a lot more vulnerable. With that said, it still amazes me how much KMS vendors are still charging for some of their solutions. Recently we had a prospective customer forward us a quote from another KMS vendor and it was astonishing. The customer was trying to protect 12 Microsoft SQL Server databases and the quote was for $194,000! And that was just the start. As the customer adds additional databases in their environment, there is going to be more and more cost as they go forward. For the same hardware-based HSM solution, we would charge $36,000 for two HSMs and save the customer $158,000! Alternatively, we even could offer VMware or cloud instances that would have been even less expensive.

As a company, we are passionate about keeping a low and predictable total cost of ownership (TCO). You shouldn’t have to go back to your key management vendor every time you want to add a database or encrypt something in a new environment. This model of pricing can add up very quickly. We offer a simple pricing structure - license the KMS, pay annual maintenance, and use the key manager to protect as much data as you’d like. From my point of view, there is no justification for a pricing strategy that penalizes businesses for doing more security.

Aside from cost and ease of deployment, there really has been a growing awareness on the importance of key management. 10 years ago when you first started, small and medium sized businesses didn’t even know what key management was.

Certainly. Key management is the cornerstone of an encryption strategy. If you are doing encryption, you must protect encryption keys. In fact, key management is starting to show up in regulatory compliance requirements. For example, if you look at the California Consumer Privacy Act (CCPA), you will find proper key management called out as being core to protecting data. If you are not using key management, you are NOT adequately protecting your encryption keys and you lose some of the protections under the CCPA.

As businesses deploy modern key management solutions, they need to make sure the key manager has been FIPS 140-2 validated and is key management interoperability protocol (KMIP) compliant. The industry as a whole is still catching up to these standards. For example, with AWS KMS or Azure Key Vault, businesses do not have industry standards based interfaces for key management. Rather than using the KMIP standard, they are requiring customers to use their proprietary interface. Standards, like KMIP, are incredibly important when it comes to reducing your cost of encryption in the long run. Fortunately, we are seeing most major database and application vendors adopting the KMIP standard and natively supporting encryption, leaving the key management to the user.

Also, it is still the wild west out there in regards to some KMS vendors. I think people should avoid solutions that require external, third party hardware modules to back up the key manager. That is completely unnecessary. There are open source solutions that provide vaults that are not FIPS 140-2 compliant unless they are backed up by an HSM.

Again, key management is core to a security strategy and really has come a long way since the early days. It now takes a few minutes to get a KMS up and running, you don’t need outside consultants or someone to come on site, and most of the time it doesn’t take any paid services!

You mentioned KMIP. It has been great to see more databases and applications adopt the standard.

That’s right. Encryption usually doesn’t require application changes anymore - it has become a non-technical exercise. KMIP has fundamentally changed the way businesses deploy encryption and key management. For example, we have seen databases like MongoDB and MySQL and VMware’s vSphere and vSAN support KMIP. Let’s take a look at MongoDB. MongoDB Enterprise includes 256-bit AES encryption built into the database. Knowing the importance of key management, they built in support for KMS vendors with the KMIP standard. Now their users can seamlessly encrypt data and easily manage the encryption keys separate from the data that they protect.

KMIP really has been a game changer for the key management industry and really underscores the importance of basing solutions on industry standards. Unfortunately, it isn’t everywhere - yet. Typically, KMIP is reserved for Enterprise versions of databases. With that said, there are still options for shops running “Standard” or “Community” versions.

There are. Chances are that these shops are running a version of VMware that supports vSphere and vSAN encryption. By deploying “Standard” versions of databases directly in vSAN, they can utilize the encryption and key management options already included in their VMware products. Furthermore, VMware has developed excellent guidance that is available on their website on how to install databases into an encrypted vSAN. If you are an Oracle customer, for example, and feel like you can’t afford the expense of upgrading to Oracle Enterprise with Advanced Security in order to get encryption, VMware has your back. By doing this, businesses can affordably meet regulatory compliance and protect their sensitive data. Same is true for other databases.

Let’s keep talking about compliance. Compliance has been a major driving force for organizations adopting encryption key management.

Yes. Businesses of all sizes and industries fall under a variety of compliance regulations. If you take credit cards, you fall under PCI DSS. If you are a covered entity in the medical segment you fall under HIPAA. California recently passed the California Consumer Privacy Act (CCPA) which has reach far beyond the borders of California. It is important to note that CCPA also requires proper key management. Storing encryption keys next to the secured data provides you no protection from data breach notification and class action lawsuits. You have to get key management right. 

Regulations certainly are one major factor driving the uptake in encryption. Over time, we have seen regulations evolve and encryption keeps getting more embedded in these regulations and is recognized as a core part of a defense in depth strategy. With that said, compliance isn’t the only reason a company deploys encryption and key management. We regularly talk with customers concerned with reputation, protection of intellectual property (IP), or a host of other reasons.

For businesses who haven’t deployed encryption key management yet, what are some questions that they should ask vendors?

There are definitely some baseline qualifiers here. Look for a FIPS 140-2 validation. Has the solution ever been validated by the National Institute of Standards and Technology (NIST)? Some key management vendors out there will say they are compliant and unable to prove it because they have never received a formal validation. It is important to ask for their certificate number. Don’t accept a third-party letter saying that the solution is compliant. There is no substitute for a NIST validation. They aren’t cheap or easy, which is a major differentiator between the good and not-so-good key management vendors.

As discussed earlier, good key management systems will adopt the KMIP interface. You should easily be able to use your key management solution seamlessly with the growing number of databases and applications that support KMIP.

Who has administrative access to the keys? Do you have exclusive control or is access shared with a cloud service provider (CSP) or key management vendor? Most of the CSP key management offerings are in shared environments - both you and your CSP have access to your keys. Also a consideration, are you OK with CSP lock-in? Most businesses today are trying to achieve a cloud-neutral implementation and you don’t want your key management solution to defeat that effort.

I think that these are the topics that should be top of mind for businesses as they move through their cloud encryption strategy and think about key management.

Is there anything that you would like to share about Townsend Security’s Alliance Key Manager that you haven’t mentioned yet?

Alliance Key Manager comes along with a wide variety of client applications and SDKs - at no charge - to help you secure databases and applications like VMware, Microsoft SQL Server, MongoDB, MySQL and others. As I mentioned earlier, it is cost effective and affordable to organizations of all sizes. I think that our key manager is the most cost-effective, standards-based solution in the market. By offering the key manager on multiple platforms, which are all cross-compatible, businesses have a variety of options for their encryption strategy that are easy to deploy.

The last thing that I would like to point out is that our solution is very partner friendly. Alliance Key Manager is embedded in many ISV environments and products. We have flexible programs that allow our partners to get encryption right by embedding key management into their solution.

To hear this conversation in its entirety, download the podcast “State of Encryption Key Management - 2020” to hear Patrick Townsend, Founder and CEO, further discuss the latest trends and perspectives around encryption key management and how to better protect your data.

Topics: Encryption Key Management

Townsend Security Extends Free NFR Licenses for Key Management Server (KMS) to Microsoft MVPs and AWS Heroes

Posted by Luke Probasco on Mar 18, 2020 2:00:00 AM

Alliance Key Manager, Townsend Security’s FIPS 140-2 compliant encryption key manager, is now available free of charge to Microsoft MVPs and AWS Heroes.

Townsend Security today announced that it is extending free Not for Resale (NFR) licenses to Microsoft MVPs and AWS Heroes for Alliance Key Manager, their FIPS 140-2 compliant encryption key management server (KMS). The NFR licenses are available for non-production use only, including educational, lab testing, evaluation, training, and demonstration purposes. NFR Licenses are available here.

Joining VMware vExperts in Townsend Security’s successful NFR program, Microsoft MVPs and AWS Heroes can protect databases, applications, and VMware images with a secure and compliant key management server (KMS). Additionally, the solution allows businesses to properly encrypt private data without modifying their business applications. Alliance Key Manager supports the OASIS Key Management Interoperability Protocol (KMIP) and Microsoft’s Extensible Key Management (EKM) found in SQL Server Enterprise 2008+ and SQL Server Standard 2019+. The solution is available as a VMware Virtual Machine or in the cloud (AWS, Microsoft Azure).

Additionally, Townsend Security provides Alliance Key Manager users with a wide range of ready-to-use security applications, SDKs, and sample code. With over 3,000 users worldwide, the solution is helping businesses achieve their security and efficiency goals in cloud and VMware environments.

“Protecting sensitive data continues to be a critical concern in IT, and an important part of both security and compliance efforts,” said Patrick Townsend, CEO of Townsend Security. “After launching with VMware vExperts, we are excited to extend the program to Microsoft MVPs and AWS Heroes. I believe they will be pleased to see how fast and easy encryption key management has become.”

Microsoft MVPs and AWS Heroes can request an NFR license of Alliance Key Manager here.

Topics: Alliance Key Manager, Press Release

Townsend Security Provides NFR Licenses for Key Management Server (KMS) to VMware vExperts

Posted by Luke Probasco on Jan 7, 2020 12:00:00 AM

Alliance Key Manager, featuring full support for VMware encryption of VMs and vSAN, is now available free of charge to VMware vExperts.

Townsend Security today announced that it offers free Not for Resale (NFR) licenses to VMware vExperts for Alliance Key Manager, their FIPS 140-2 compliant encryption key management server (KMS). The NFR license keys are available for non-production use only, including educational, lab testing, evaluation, training, and demonstration purposes. NFR Licenses are available here.

Alliance Key Manager enables VMware customers to use native vSphere encryption for VMs and vSAN to protect VMware images and digital assets while deploying a secure and compliant key management server (KMS). VMware users can deploy multiple, redundant (HA) key servers as a part of the KMS Cluster configuration for maximum resilience and high availability. The key manager is certified by VMware for use with vSphere version 6.5 and later, and for vSAN version 6.6 and later. 

Using the advanced cryptographic permissions in VMware vCenter Server, along with a KMS, VMware users can prevent internal/external threats and protect sensitive workloads. In addition to supporting vSphere encryption of VMs and vSAN, Alliance Key Manager supports application and database encryption deployed in VMware virtual servers.

“We are excited to provide VMware vExperts with Alliance Key Manager, our encryption key management server (KMS) for their test labs,” said Patrick Townsend, CEO of Townsend Security. “Protecting sensitive data continues to be a critical concern in IT, and an important part of both security and compliance efforts. Data-at-rest encryption options in vSphere are comprehensive and very easy to use. Alliance Key Manager seamlessly integrates with VMware’s encryption capabilities.”

Townsend Security is a VMware Technology Alliance Partner (TAP) and Alliance Key Manager for VMware has achieved VMware Ready status. VMware vExperts can request an NFR license of Alliance Key Manager for VMware here.

Topics: Alliance Key Manager, Press Release

Alliance Key Manager Now Available for IBM Cloud for VMware

Posted by Luke Probasco on Dec 18, 2019 11:15:00 AM

Alliance Key Manager for IBM Cloud for VMware provides encryption and key management to help IBM Cloud for VMware customers meet data privacy compliance regulations and security best practices.

Townsend Security today announced Alliance Key Manager, its affordable FIPS 140-2 compliant encryption key manager, is available for IBM Cloud for VMware. By running Alliance Key Manager for IBM Cloud for VMware, enterprises can encrypt VMs and vSAN virtual directories and protect private information in their applications and databases with a dedicated key manager - with no access to encryption keys by IBM.

Working with VMware and Coalfire, Townsend Security’s Alliance Key Manager achieved compliance with PCI-DSS when implemented on a standard VMware reference architecture. Support for the PCI-DSS standard has smoothed the path to compliance for VMware customers in IBM Cloud. Additionally, Alliance Key Manager for IBM Cloud for VMware can also help businesses meet other compliance regulations such as GDPR, CCPA, HIPAA, GLBA/FFIEC, FISMA, etc.

“Customers want to experience regulatory compliance out-of-the-box. They don’t want to have to engage in lengthy audits and security validations in order to deploy applications to the cloud. PCI-DSS is one of those key indicator regulations and our commitment to provide proven regulatory compliance is a great benefit to our VMware customers,” said Patrick Townsend, CEO of Townsend Security. “We take data security compliance issues off of the table and this really helps our customers. With this announcement we are extending formal support for our solutions to the IBM Cloud for VMware.”

As enterprises move to IBM Cloud, they bring their sensitive data with them. With Alliance Key Manager for IBM Cloud for VMware, organizations can encrypt their VMs and vSAN storage that are managed by vSphere. Using the KMIP interface in vSphere, users can define one or more key managers to protect the encryption keys used to encrypt VMs and vSAN. Alliance Key Manager is certified by VMware for all versions of vSphere and vSAN that support encryption.

“Encrypting VMs and vSAN storage provides a rapid path to meeting security best practices and compliance regulations. There is no limit to the number of VMs or vSAN storage pools that you can protect,” continued Townsend. “I am proud of our team for creating a truly affordable solution for VMware key management. Small businesses should contact us for information about special small business pricing.”

Alliance Key Manager for IBM Cloud for VMware is available for a free 30-day evaluation.

Topics: Press Release, Alliance Key Manager for IBM Cloud for VMware

SQL Server Standard Edition & Transparent Data Encryption (TDE)

Posted by Luke Probasco on Dec 17, 2019 8:16:00 AM

Like Microsoft SQL Server Enterprise Edition users, SQL Server 2019 Standard Edition users can now easily meet compliance regulations (PCI DSS, GDPR, CCPA, etc.) and protect private data like customer PII and intellectual property without modifying existing applications or the database.  By using the database’s Transparent Data Encryption (TDE) capability, coupled with Extensible Key Management (EKM), and an encryption key manager, organizations can protect their private data at a lower cost.

I recently sat down with Patrick Townsend, Founder and CEO of Townsend Security, to talk about TDE in Microsoft SQL Server 2019 Standard Edition and what it means for smaller businesses who don’t have Enterprise Edition, as well as deploying encryption key management in the cloud.

Patrick, it was great to see Microsoft bring Transparent Data Encryption to the standard edition of SQL Server 2019.

We were pleased to see Microsoft announced that SQL Server 2019 Standard Edition would support Transparent Data Encryption (TDE) and Extensible Key Management (EKM).  By doing this, Microsoft was able to bring encryption and proper key management to a huge user base and not require them to make application changes, which can be a barrier for some companies.  TDE and EKM were originally introduced back in SQL Server 2008 Enterprise, so the technology itself has been around a while. There are a lot of users of the Standard Edition of SQL Server and by lowering the technical and financial bar to protecting private data, companies of all sizes can easily protect their private information - including customer information and IP.

As you mentioned, TDE and EKM are considered a pretty mature technology at this point.  You have had an EKM provider for Enterprise Edition for over 10 years, right?

Yes! Since the initial release of TDE and EKM in Microsoft SQL Server 2008, we have been proud to offer an affordable, industry leading solution - and now extend that to SQL Server Standard Edition users.  As far as platforms go, we started a decade ago with a hardware security module (HSM), though most of our customers are now running VMware environments or are in the cloud (AWS, Azure, IBM Cloud). Fortunately, because all of the platforms that we offer our key manager on run exactly the same software, we are able to maintain our FIPS 140-2 compliance.  We even have customers running hybrid deployments with key managers in the cloud and on-premises.

It is really easy to get started as well.  Deploying an enterprise encryption key management solution  used to take several months and lots of resources but can now be done relatively quickly.  Essentially, here is what you need to do:

  • Set up Alliance Key Manager (just takes a few minutes)
  • Install our EKM provider software on your instance of SQL Server
  • Configure SQL Server
  • Turn on TDE

That’s it!  It is a very straightforward deployment.

By using standards based encryption, Microsoft is positioning their customers for success.  But they still leave key management up to the customer.

Yes, and standards are just as important with key management as they are with encryption.  People often think that the encryption algorithm is the secret part of securing data and don’t realize the importance of key management.  Only YOU should have access to your encryption keys - and this goes for administration of the key manager as well. Enterprises need to look for a FIPS 140-2 validation and avoid multi-tenant solutions offered by CSPs.  On more than one occasion I have heard customers say that prior to using Alliance Key Manager they were storing their keys in an Excel spreadsheet, on a USB key, or even burnt in their application code. Not very secure locations, to say the least, and the keys were very likely not “cryptographically strong.” Encryption keys based on passwords will never meet minimum standards for strong encryption keys. Keys should be generated using a cryptographically secure random bit generator (CS-RBG) validated to international standards.

On the topic of Cloud Service Provider key management, while key management solutions offered by CSPs can provide some convenience, they leave an organization’s encryption keys accessible to third-party administrators - increasing the risk to their security posture.  Finally, bringing it back to SQL Server, remember, it is poor security practice to store encryption keys locally to the SQL Server database. It takes a hacker just a few seconds to recover those keys!

Let’s dive into this a little deeper, because I think there is a little confusion in the market. I attend Pass every year, and when people think about key management, they sometimes talk about using open source software or even storing their encryption keys in something like “Last Pass”.

People need to understand that an encryption key manager is more than just a secure key store.  A key manager like our Alliance Key Manager creates and manages encryption keys through their entire lifecycle.

I’d like to elaborate a little more on CSP-offered key managers like AWS KMS or Azure Key Vault, since I think many people are familiar with these offerings.  If you look at Information Supplement: PCI SSC Cloud Computing Guidelines, you’ll find it states:

“Because compromise of a Provider could result in unauthorized access to multiple data stores, it is recommended that cryptographic keys used to encrypt/decrypt sensitive data be stored and managed independently from the cloud service where the data is located.”

This is a pretty common sense warning from the PCI Security Standards Council.  Consolidating services under one shared umbrella dramatically increases an organization’s risk.

True Key Management Systems (KMS) need to go where your data goes - on-premise, cloud, multi-cloud, or VMware.  Alliance Key Manager is a full enterprise key management system. The AWS KMS, for example, is a key storage facility and can’t leave the AWS cloud, which provides CSP lock-in.

And when thinking about the security principles of Confidentiality and Availability, it just doesn’t make sense to use something other than a full-fledged key manager.

You’re right.  Again, with Confidentiality, you don’t want your CSP to have administrative access to your keys.  In terms of Availability what about high availability? What if you need to run applications that deal with private data in multiple clouds?  By using an enterprise level key manager, enterprises can rely on a centralized key manager to protect their data regardless of where it resides or will in the future.

Also, for those who are using older versions of SQL Server Standard Edition, you can use Netlib's Encryptionizer along with our Key Connection for Encryptionizer to transparently encrypt private data.

To hear this conversation in its entirety, download our podcast SQL Server Standard Edition & TDE to hear Patrick Townsend further discuss encrypting data in Microsoft SQL Server Standard 2019, encryption key management in the cloud, and the importance of data security standards.
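The "Configure SQL Server" and "Turn on TDE" steps from the interview above, sketched as an added example using SQL Server's generic EKM statements; this is not Townsend Security's own procedure or code. The provider name, DLL path, key name, credential identities, login and database names are all hypothetical placeholders, and a vendor's EKM provider may authenticate to its key server differently.

```sql
-- Added example. Every object name, the DLL path, the identities and the
-- secrets below are hypothetical placeholders; take real values from the
-- EKM vendor's installation guide.

-- 1. Allow SQL Server to load EKM providers (an advanced option).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- 2. Register the vendor's EKM provider DLL with the instance.
USE master;
GO
CREATE CRYPTOGRAPHIC PROVIDER ExampleEkmProvider
    FROM FILE = 'C:\Path\To\Vendor\ExampleEkmProvider.dll';
GO

-- 3. Give the administrator running this setup a credential for the provider.
CREATE CREDENTIAL ExampleEkmAdminCred
    WITH IDENTITY = 'example-admin-identity',
         SECRET   = '<placeholder-secret>'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;
ALTER LOGIN [EXAMPLE\SqlAdmin] ADD CREDENTIAL ExampleEkmAdminCred;
GO

-- 4. Reference a key that already exists in the external key manager.
--    OPEN_EXISTING maps the key by name; no key material is stored locally.
CREATE ASYMMETRIC KEY ExampleTdeKey
    FROM PROVIDER ExampleEkmProvider
    WITH PROVIDER_KEY_NAME = 'EXAMPLE_TDE_KEY',
         CREATION_DISPOSITION = OPEN_EXISTING;
GO

-- 5. Create the login the database engine uses to reach the key at startup,
--    and map a provider credential to it.
CREATE CREDENTIAL ExampleEkmEngineCred
    WITH IDENTITY = 'example-engine-identity',
         SECRET   = '<placeholder-secret>'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;
CREATE LOGIN ExampleTdeLogin FROM ASYMMETRIC KEY ExampleTdeKey;
ALTER LOGIN ExampleTdeLogin ADD CREDENTIAL ExampleEkmEngineCred;
GO

-- 6. Create the database encryption key, protected by the external key,
--    then turn on TDE for the database.
USE ExampleDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY ExampleTdeKey;
GO
ALTER DATABASE ExampleDb SET ENCRYPTION ON;
GO

-- 7. Verify: encryption_state 2 = encryption in progress, 3 = encrypted.
--    encryptor_type should show ASYMMETRIC KEY rather than CERTIFICATE,
--    confirming the key is protected externally and not by a local certificate.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       encryptor_type
FROM sys.dm_database_encryption_keys;
```

Because the database encryption key is protected by a key held in the key manager, a restore or failover target needs the same provider and access to that key before the database can be opened.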

Topics: SQL Server encryption

IRI FieldShield Supports Townsend Security’s Alliance Key Manager

Posted by Luke Probasco on Dec 12, 2019 12:00:00 AM

Multi-Source Data Masking Software Now Encrypts and Decrypts with Keys in Cloud, VMware, or HSM Platforms

Innovative Routines International (IRI), Inc., a leading provider of data masking software, and Townsend Security, a leading authority in data privacy solutions, have enabled IRI FieldShield to use encryption keys stored and managed in Townsend Security’s Alliance Key Manager servers. The integration gives DBAs and “data security governance” professionals a robust, compliant way to encrypt or decrypt data at rest in many sources.

A multi-year rise of hacking incidents and privacy law violations has driven demand for data-centric security. “Masking data in FieldShield using AES encryption, and protecting those encryption keys with Alliance Key Manager can help mitigate the risk of data breaches, and protect an organization’s brand and reputation,” observed Patrick Townsend, Founder & CEO of Townsend Security. “This is especially relevant given laws like the California Consumer Privacy Act (CCPA), which contemplates encryption of sensitive data in order to avoid class action lawsuits,” he added.

FieldShield classifies, discovers, and masks personally identifiable information (PII) in relational and NoSQL databases, and a wide range of structured file formats on-premise or in the cloud. Multiple encryption functions -- including format-preserving encryption -- are among its 15 masking categories. FieldShield users can assign a unique passphrase to serve as an encryption key for one or more data classes (columns or fields). The keys allow the restoration of original values from ciphertext when used with the corresponding decryption function.

Alliance Key Manager provides the security of TLS-authenticated access to FieldShield passphrases stored in VMware, Microsoft Azure, Amazon Web Services, or a private or dedicated Hardware Security Module (HSM). This assures that only authorized users can access the key server and obtain the keys to decrypt.

FieldShield users can generate the keys using either the native command line or web interface to Alliance Key Manager. “Centralizing storage of FieldShield passphrases through Alliance Key Manager not only gives our users FIPS 140-2 compliant key security, but also a more convenient way to manage their encryption keys,” according to IRI developer Devon Kozenieski.

About IRI
Founded in 1978, IRI develops fast data management and data-centric security software through 40 cities worldwide. IRI’s proven data manipulation engine -- and its free Eclipse job design environment -- provide uniquely price-performant and versatile data lifecycle solution software for big data and BI/DW architects, data security and compliance teams, DBAs, and developers. Gartner recognizes IRI FieldShield, CellShield, DarkShield as static and dynamic masking solutions for structured, semi-structured, and unstructured data sources.

Topics: Alliance Key Manager, Press Release, IRI FieldShield

Seamless Encryption Key Management for Microsoft SQL Server 2019 Standard

Posted by Luke Probasco on Dec 11, 2019 12:00:00 AM

Alliance Key Manager supports Transparent Data Encryption (TDE) in Microsoft SQL Server 2019 Standard Edition. 

Townsend Security today announced Alliance Key Manager, its affordable FIPS 140-2 compliant encryption key manager, supports Microsoft SQL Server 2019 Standard Edition.  Users of Microsoft SQL Server Standard Edition can now easily meet compliance (PCI DSS, GDPR, CCPA, etc.) and protect private data like customer PII and intellectual property without modifying existing applications or the database.  By using the database’s Transparent Data Encryption (TDE), coupled with Townsend Security’s Alliance Key Manager for SQL Server, organizations can protect their private data at a lower cost.

Alliance Key Manager, a FIPS 140-2 compliant encryption key management solution, allows enterprises to effectively encrypt data and meet security requirements in less time with a flexible, centralized offering. The solution provides full life-cycle management of encryption keys for a wide variety of applications, including Microsoft SQL Server Enterprise and Standard editions.

“We were pleased to see Microsoft announced that SQL Server 2019 Standard Edition would support TDE and EKM, bringing encryption and proper key management without application changes to their popular Standard Edition. By lowering the technical and financial bar to protecting private data, companies of all sizes can easily protect private information,” said Patrick Townsend, Founder and CEO of Townsend Security.  “Since the initial release of TDE and EKM in Microsoft SQL Server Enterprise ten years ago, we have been proud to offer an affordable, industry leading solution - and now extend that to SQL Server Standard users.”

Microsoft SQL Server users can deploy Alliance Key Manager as a hardware security module (HSM), VMware virtual machine, or in the cloud as a native AWS EC2 instance or Microsoft Azure virtual machine. Alliance Key Manager supports seamless migration and hybrid implementations, providing enterprises with options for their high availability strategy.

“By providing both on-premise and cloud solutions, enterprises can easily rely on a centralized key manager to protect their data regardless of where it resides or will in the future. Further, while key management solutions offered by CSPs provide convenience, they leave an organization’s encryption keys accessible to third-party administrators - increasing the risk to their security posture,” continued Townsend. “Our simplified licensing model that avoids charging by the number of endpoint databases and number of keys, makes the upgrade to SQL Server 2019 Standard Edition a no-brainer for many Microsoft users. Microsoft has really done well by its customers.”

Alliance Key Manager for SQL Server is available for a free 30-day evaluation.

Topics: SQL Server, Press Release

Living on the Edge

Posted by Luke Probasco on Dec 9, 2019 8:02:59 AM

As the world of edge computing becomes more distributed, billions of connected devices live on the edge, which need to be secured, managed and automated. For many businesses, this means deploying a VMware and cloud infrastructure and using VMware vSphere, for example, to encrypt private information.  While it is easy enough to encrypt data on the edge, key management has proven to be a challenge.

I recently sat down with Patrick Townsend, Founder and CEO of Townsend Security, to talk about deployments on the edge, achieving a strong security posture with key management, and other ways that businesses can better secure their private data.

Patrick, Townsend Security has had key management solutions for VMware for a number of years. What is special about Edge computing?

Well, Edge computing is fascinating.  It isn’t really that different from how we currently think about computing and data security in the cloud or on-premise. By moving applications closer to the end user, Edge computing brings a better, faster user experience to the end user.  So, if you are running an application in the cloud, perhaps in a retail or healthcare environment, the delay over the network can degrade the experience or inhibit the ability to collect a lot of data, for example, from IoT devices. Edge computing is a natural evolution of making things more efficient with a better user experience.  However, Edge computing also brings new security challenges too. If we are collecting data that is sensitive in nature, it is just as sensitive out on the Edge as it is in our data center.

So what is special or different about Edge computing from a security point of view?

There are a number of challenges.  How do we deploy applications in a secure way?  How do we do application patching? One of the most important security efforts that we make is to keep everything patched and up to date.  When you have Edge computing, there are a lot more environments in distant locations. The security process really becomes more complex when we move to Edge computing.  Those challenges can be solved, but they represent things that we really need to pay attention to.

At the same time, as we are pushing applications out to the Edge, compliance regulations are getting more stringent.  Just look at the California Consumer Privacy Act (CCPA) and GDPR before it. Both of those are making the protection of sensitive data much more important.  The risks of data loss to an organization are escalating, and at the same time, we are pushing data to more and more places - so we have a big security challenge that we need to step up to.

Protecting data in a centralized IT data center is a challenge, but one that we are used to.  Edge computing brings unique problems with it. For example, let’s say you pushed some data out to a dozen Edge computing environments.  You’ll need to encrypt that data to meet compliance, but where is the key manager? Is it back at your central on-site data center? If so, you may have just lost the advantage of pushing everything to the Edge.  Encryption and key management also need to be pushed out to the Edge in order to meet security best practices, just as you would in on-premise environments.

In terms of the cloud, can you give some examples of Edge environments?

Sure.  In the Cloud, we try to deploy applications close to the end-customer which gives us better response times and a better customer experience.  So, in AWS or Azure, we can move applications closer to where the end-customer lives. CSPs are making this easier by automating some of the deployment tasks.  By pushing applications to the Edge, you get really close to the physical location of the customer. For example, if you live in Sweden, you don’t need to connect to a key manager that is sitting back in Silicon Valley.  You should connect to a key manager that is near you. When moving to the Edge, encryption and key management need to move with you.  

By the way, you may have noticed that VMware has been working much more closely with Cloud Service Providers to provide true VMware infrastructure on cloud platforms.  For example, on Azure, you can deploy a full bare metal stack - VMware in the cloud and managed the way you want. But again, when you push those VMware environments to the Edge, what about the encryption key management?  The good news is, that with our new Alliance Key Manager for Edge Computing, we can make that easy and affordable to accomplish.

How about some examples of non-Cloud Edge environments?

Almost all of us use VMware on premise, and it isn’t really all that different to what we are currently doing.  Think of a medium or large retail organization with hundreds or thousands of storefronts. When you walk into the store, there is a very good chance that there is a local VMware node out there that is running many applications.  Think about a large box store with retail, pharmacy, and automobile services. The VMware environment in a single store might support dozens or hundreds of specialized applications. How do you protect data in that environment? Sometimes when we think of Edge computing we think of “just” the cloud, but this isn’t the case.  Again, just like with the Cloud, it doesn’t need to be difficult to push encryption and key management to the Edge, it just needs to get done.

How do compliance requirements impact Edge computing?

Well, compliance requirements, which are getting stronger as we speak, make the challenge of Edge computing even more important to address.  If you think about it, when we have centralized IT processing, we have one environment to protect. It may be a very data rich environment with sensitive data that cybercriminals may want to steal - but it is something that isn’t that difficult to protect.  What if we have 500 of those environments out there across on-prem and cloud locations? The attack surface has been dramatically increased. The data is still important and still a target, but now we have a lot more to deal with. I think people are waking up to the security challenge and need to focus just as much effort on securing data at the Edge as we do at the centralized, on-premise data center.  We have to deploy all of our security defenses at the Edge in the same way that we do with core IT systems. The data is the same.

How is Townsend Security trying to help resolve this challenge?

The barriers to getting Edge data protection right are only partly technical.  Key management vendors have not adapted to the new reality of the Edge. The huge expense of traditional KMS solutions is the primary barrier to protecting data at the Edge.  For small businesses, they can even be completely priced out of the market around doing encryption and key management right. Large organizations have been priced out as well.  When there are hundreds or thousands of endpoints that need to be protected, vendors need to step up to help these businesses secure their data.

At Townsend Security, we have two distinct advantages.  First, our Alliance Key Manager for Edge Computing solution is virtualized, automated, and VMware Ready.  For example, our key management solution has been certified by VMware for vSphere key management - to protect VMs and vSAN storage.  We are seeing many organizations deploy VMware at the Edge. Second, we have the ability to flexibly license and price our solutions for the Edge.  Enterprises can now deploy full VMware VM encryption and key management at Edge with an affordable solution.

To hear this conversation in its entirety, download our podcast Living on the Edge and hear Patrick Townsend further discuss deployments on the edge, achieving a strong security posture with key management, and other ways that businesses can secure their private data.

Topics: Encryption Key Management, Alliance Key Manager for Edge Computing
