Townsend Security Data Privacy Blog

Luke Probasco

Recent Posts

Townsend Security Provides NFR Licenses for Key Management Server (KMS) to VMware vExperts

Posted by Luke Probasco on Jan 7, 2020 12:00:00 AM

Alliance Key Manager, featuring full support for VMware encryption of VMs and vSAN, is now available free of charge to VMware vExperts.

Townsend Security today announced that it offers free Not for Resale (NFR) licenses to VMware vExperts for Alliance Key Manager, their FIPS 140-2 compliant encryption key management server (KMS). The NFR license keys are available for non-production use only, including educational, lab testing, evaluation, training, and demonstration purposes. NFR Licenses are available here.

Alliance Key Manager enables VMware customers to use native vSphere encryption for VMs and vSAN to protect VMware images and digital assets while deploying a secure and compliant key management server (KMS). VMware users can deploy multiple, redundant (HA) key servers as a part of the KMS Cluster configuration for maximum resilience and high availability. The key manager is certified by VMware for use with vSphere version 6.5 and later, and for vSAN version 6.6 and later. 

Using the advanced cryptographic permissions in VMware vCenter Server, along with a KMS, VMware users can prevent internal/external threats and protect sensitive workloads. In addition to supporting vSphere encryption of VMs and vSAN, Alliance Key Manager supports application and database encryption deployed in VMware virtual servers.

“We are excited to provide VMware vExperts with Alliance Key Manager, our encryption key management server (KMS) for their test labs,” said Patrick Townsend, CEO of Townsend Security. “Protecting sensitive data continues to be a critical concern in IT, and an important part of both security and compliance efforts. Data-at-rest encryption options in vSphere are comprehensive and very easy to use. Alliance Key Manager seamlessly integrates with VMware’s encryption capabilities.”

Townsend Security is a VMware Technology Alliance Partner (TAP) and Alliance Key Manager for VMware has achieved VMware Ready status.   VMware vExperts can request an NFR license of Alliance Key Manager for VMware here.

Topics: Alliance Key Manager, Press Release

Alliance Key Manager Now Available for IBM Cloud for VMware

Posted by Luke Probasco on Dec 18, 2019 11:15:00 AM

Alliance Key Manager for IBM Cloud for VMware provides encryption and key management to help IBM Cloud for VMware customers meet data privacy compliance regulations and security best practices.

Townsend Security today announced Alliance Key Manager, its affordable FIPS 140-2 compliant encryption key manager, is available for IBM Cloud for VMware. By running Alliance Key Manager for IBM Cloud for VMware, enterprises can encrypt VMs and vSAN virtual directories and protect private information in their applications and databases with a dedicated key manager - with no access to encryption keys by IBM.

Working with VMware and Coalfire, Townsend Security’s Alliance Key Manager achieved compliance with PCI-DSS when implemented on a standard VMware reference architecture. Support for the PCI-DSS standard has smoothed the path to compliance for VMware customers in IBM Cloud. Additionally, Alliance Key Manager for IBM Cloud for VMware can also help businesses meet other compliance regulations such as GDPR, CCPA, HIPAA, GLBA/FFIEC, FISMA, etc.

“Customers want to experience regulatory compliance out-of-the-box. They don’t want to have to engage in lengthy audits and security validations in order to deploy applications to the cloud. PCI-DSS is one of those key indicator regulations and our commitment to provide proven regulatory compliance is a great benefit to our VMware customers,” said Patrick Townsend, CEO of Townsend Security. “We take data security compliance issues off of the table and this really helps our customers. With this announcement we are extending formal support for our solutions to the IBM Cloud for VMware.”

As enterprises move to IBM Cloud they bring their sensitive data with them. With Alliance Key Manager for IBM Cloud for VMware, organizations can encrypt their VMs and vSAN storage that are managed by vSphere. Leveraging the KMIP interface in vSphere, users can define one or more key managers to protect the encryption keys used to encrypt VMs and vSAN. Alliance Key Manager is certified by VMware for all versions of vSphere and vSAN that support encryption.

“Encrypting VMs and vSAN storage provides a rapid path to meeting security best practices and compliance regulations. There is no limit to the number of VMs or vSAN storage pools that you can protect,” continued Townsend. “I am proud of our team for creating a truly affordable solution for VMware key management. Small businesses should contact us for information about special small business pricing.”

Alliance Key Manager for IBM Cloud for VMware is available for a free 30-day evaluation.

Topics: Press Release, Alliance Key Manager for IBM Cloud for VMware

SQL Server Standard Edition & Transparent Data Encryption (TDE)

Posted by Luke Probasco on Dec 17, 2019 8:16:00 AM

Like Microsoft SQL Server Enterprise Edition users, SQL Server 2019 Standard Edition users can now easily meet compliance regulations (PCI DSS, GDPR, CCPA, etc.) and protect private data like customer PII and intellectual property without modifying existing applications or the database.  By using the database’s Transparent Data Encryption (TDE) capability, coupled with Extensible Key Management (EKM), and an encryption key manager, organizations can protect their private data at a lower cost.

I recently sat down with Patrick Townsend, Founder and CEO of Townsend Security to talk about TDE in Microsoft SQL Server 2019 Standard Edition and what it means for smaller businesses who don’t have Enterprise Edition, as well as deploying encryption key management in the cloud.

Patrick, it was great to see Microsoft bring Transparent Data Encryption to the standard edition of SQL Server 2019.

We were pleased to see Microsoft announced that SQL Server 2019 Standard Edition would support Transparent Data Encryption (TDE) and Extensible Key Management (EKM).  By doing this, Microsoft was able to bring encryption and proper key management to a huge user base and not require them to make application changes, which can be a barrier for some companies.  TDE and EKM were originally introduced back in SQL Server 2008 Enterprise, so the technology itself has been around a while. There are a lot of users of the Standard Edition of SQL Server and by lowering the technical and financial bar to protecting private data, companies of all sizes can easily protect their private information - including customer information and IP.

As you mentioned, TDE and EKM are considered a pretty mature technology at this point.  You have had an EKM provider for Enterprise Edition for over 10 years, right?

Yes! Since the initial release of TDE and EKM in Microsoft SQL Server 2008, we have been proud to offer an affordable, industry leading solution - and now extend that to SQL Server Standard Edition users.  As far as platforms go, we started a decade ago with a hardware security module (HSM), though most of our customers are now running VMware environments or are in the cloud (AWS, Azure, IBM Cloud). Fortunately, because all of the platforms that we offer our key manager on run exactly the same software, we are able to maintain our FIPS 140-2 compliance.  We even have customers running hybrid deployments with key managers in the cloud and on-premises.

It is really easy to get started as well. Deploying an enterprise encryption key management solution used to take several months and lots of resources but can now be done relatively quickly. Essentially, here is what you need to do:

  • Set up Alliance Key Manager (just takes a few minutes)
  • Install our EKM provider software on your instance of SQL Server
  • Configure SQL Server
  • Turn on TDE

That’s it!  It is a very straightforward deployment.

By using standards based encryption, Microsoft is positioning their customers for success.  But they still leave key management up to the customer.

Yes, and standards are just as important with key management as they are with encryption.  People often think that the encryption algorithm is the secret part of securing data and don’t realize the importance of key management.  Only YOU should have access to your encryption keys - and this goes for administration of the key manager as well. Enterprises need to look for a FIPS 140-2 validation and avoid multi-tenant solutions offered by CSPs.  On more than one occasion I have heard customers say that prior to using Alliance Key Manager they were storing their keys in an Excel spreadsheet, on a USB key, or even burnt in their application code. Not very secure locations, to say the least, and the keys were very likely not “cryptographically strong.” Encryption keys based on passwords will never meet minimum standards for strong encryption keys. Keys should be generated using a cryptographically secure random bit generator (CS-RBG) validated to international standards.

On the topic of Cloud Service Provider key management, while key management solutions offered by CSPs can provide some convenience, they leave an organization’s encryption keys accessible to third-party administrators - increasing the risk to their security posture.  Finally, bringing it back to SQL Server, remember, it is poor security practice to store encryption keys locally to the SQL Server database. It takes a hacker just a few seconds to recover those keys!

Let’s dive into this a little deeper, because I think there is a little confusion in the market. I attend Pass every year, and when people think about key management, they sometimes talk about using open source software or even storing their encryption keys in something like “Last Pass”.

People need to understand that an encryption key manager is more than just a secure key store.  A key manager like our Alliance Key Manager creates and manages encryption keys through their entire lifecycle.

I’d like to elaborate a little more on CSP-offered key managers like AWS KMS or Azure Key Vault, since I think many people are familiar with these offerings. If you look at Information Supplement: PCI SSC Cloud Computing Guidelines, you’ll find that they state:

“Because compromise of a Provider could result in unauthorized access to multiple data stores, it is recommended that cryptographic keys used to encrypt/decrypt sensitive data be stored and managed independently from the cloud service where the data is located.”

This is a pretty common sense warning from the PCI Security Standards Council.  Consolidating services under one shared umbrella dramatically increases an organization’s risk.

True Key Management Systems (KMS) need to go where your data goes - on-premise, cloud, multi-cloud, or VMware. Alliance Key Manager is a full enterprise key management system. The AWS KMS, for example, is a key storage facility and can’t leave the AWS cloud, which provides CSP lock-in.

And when thinking about the security principles of Confidentiality and Availability, it just doesn’t make sense to use something other than a full-fledged key manager.

You’re right.  Again, with Confidentiality, you don’t want your CSP to have administrative access to your keys.  In terms of Availability what about high availability? What if you need to run applications that deal with private data in multiple clouds?  By using an enterprise level key manager, enterprises can rely on a centralized key manager to protect their data regardless of where it resides or will in the future.

Also, for those who are using older versions of SQL Server Standard Edition, you can use Netlib's Encryptionizer along with our Key Connection for Encryptionizer to transparently encrypt private data.

To hear this conversation in its entirety, download our podcast SQL Server Standard Edition & TDE to hear Patrick Townsend further discuss encrypting data in Microsoft SQL Server Standard 2019, encryption key management in the cloud, and the importance of data security standards.

Topics: SQL Server encryption
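
The SQL Server side of the steps listed in the interview above (configure SQL Server, turn on TDE), as an added example that is not from the original post or from Townsend Security. It uses Microsoft's standard EKM T-SQL statements; the provider name, DLL path, credential values, key name, logins and database name are all placeholders, and it assumes the key already exists on the key manager.

```sql
-- Added example: TDE protected by a key held in an external key manager (EKM).
-- Every name, path and secret below is a placeholder, not a vendor value.

-- 1. Allow SQL Server to load EKM providers.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;

-- 2. Register the EKM provider DLL installed on the SQL Server host.
CREATE CRYPTOGRAPHIC PROVIDER ExampleEkmProvider
    FROM FILE = 'C:\PLACEHOLDER\path\to\ekm-provider.dll';

-- 3. Credential the administrator uses to reach the key manager.
--    What IDENTITY and SECRET mean is defined by the provider.
CREATE CREDENTIAL ExampleEkmAdminCredential
    WITH IDENTITY = 'PLACEHOLDER-identity',
         SECRET   = 'PLACEHOLDER-secret'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;

ALTER LOGIN [EXAMPLE\dbadmin] ADD CREDENTIAL ExampleEkmAdminCredential;

-- 4. Reference the key that lives on the key manager. OPEN_EXISTING means
--    the key material is never created or stored on the database server.
USE master;
CREATE ASYMMETRIC KEY ExampleTdeKey
    FROM PROVIDER ExampleEkmProvider
    WITH PROVIDER_KEY_NAME    = 'PLACEHOLDER-key-name',
         CREATION_DISPOSITION = OPEN_EXISTING;

-- 5. Login and credential the database engine itself uses to open the key
--    when the encrypted database is started.
CREATE CREDENTIAL ExampleEkmEngineCredential
    WITH IDENTITY = 'PLACEHOLDER-identity',
         SECRET   = 'PLACEHOLDER-secret'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;

CREATE LOGIN ExampleTdeLogin FROM ASYMMETRIC KEY ExampleTdeKey;
ALTER LOGIN ExampleTdeLogin ADD CREDENTIAL ExampleEkmEngineCredential;

-- 6. Create the database encryption key, wrapped by the external key,
--    and turn on TDE.
USE ExampleDb;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY ExampleTdeKey;

ALTER DATABASE ExampleDb SET ENCRYPTION ON;

-- 7. Verify: encryption_state 3 means encrypted; encryptor_type shows
--    ASYMMETRIC KEY when the DEK is protected through the EKM provider
--    rather than by a certificate stored locally in master.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       encryptor_type,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
```

The check in step 7 is the one to keep in an audit script: a database whose `encryptor_type` is `CERTIFICATE` has its key protector stored locally on the SQL Server instance, which is the arrangement the interview warns against.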

IRI FieldShield Supports Townsend Security’s Alliance Key Manager

Posted by Luke Probasco on Dec 12, 2019 12:00:00 AM

Multi-Source Data Masking Software Now Encrypts and Decrypts with Keys in Cloud, VMware, or HSM Platforms

Innovative Routines International (IRI), Inc., a leading provider of data masking software, and Townsend Security, a leading authority in data privacy solutions, have enabled IRI FieldShield to use encryption keys stored and managed in Townsend Security’s Alliance Key Manager servers. The integration gives DBAs and “data security governance” professionals a robust, compliant way to encrypt or decrypt data at rest in many sources.

A multi-year rise of hacking incidents and privacy law violations has driven demand for data-centric security. “Masking data in FieldShield using AES encryption, and protecting those encryption keys with Alliance Key Manager can help mitigate the risk of data breaches, and protect an organization’s brand and reputation,” observed Patrick Townsend, Founder & CEO of Townsend Security. “This is especially relevant given laws like the California Consumer Privacy Act (CCPA), which contemplates encryption of sensitive data in order to avoid class action lawsuits,” he added.

FieldShield classifies, discovers, and masks personally identifiable information (PII) in relational and NoSQL databases, and a wide range of structured file formats on-premise or in the cloud. Multiple encryption functions -- including format-preserving encryption -- are among its 15 masking categories. FieldShield users can assign a unique passphrase to serve as an encryption key for one or more data classes (columns or fields). The keys allow the restoration of original values from ciphertext when used with the corresponding decryption function.

Alliance Key Manager provides the security of TLS-authenticated access to FieldShield passphrases stored in VMware, Microsoft Azure, Amazon Web Services, or a private or dedicated Hardware Security Module (HSM). This assures that only authorized users can access the key server and obtain the keys to decrypt.

FieldShield users can generate the keys using either the native command line or web interface to Alliance Key Manager. “Centralizing storage of FieldShield passphrases through Alliance Key Manager not only gives our users FIPS 140-2 compliant key security, but also a more convenient way to manage their encryption keys,” according to IRI developer Devon Kozenieski.

About IRI
Founded in 1978, IRI develops fast data management and data-centric security software through 40 cities worldwide. IRI’s proven data manipulation engine -- and its free Eclipse job design environment -- provide uniquely price-performant and versatile data lifecycle solution software for big data and BI/DW architects, data security and compliance teams, DBAs, and developers. Gartner recognizes IRI FieldShield, CellShield, DarkShield as static and dynamic masking solutions for structured, semi-structured, and unstructured data sources.

Topics: Alliance Key Manager, Press Release, IRI FieldShield

Seamless Encryption Key Management for Microsoft SQL Server 2019 Standard

Posted by Luke Probasco on Dec 11, 2019 12:00:00 AM

Alliance Key Manager supports Transparent Data Encryption (TDE) in Microsoft SQL Server 2019 Standard Edition. 

Townsend Security today announced Alliance Key Manager, its affordable FIPS 140-2 compliant encryption key manager, supports Microsoft SQL Server 2019 Standard Edition. Users of Microsoft SQL Server Standard Edition can now easily meet compliance (PCI DSS, GDPR, CCPA, etc.) and protect private data like customer PII and intellectual property without modifying existing applications or the database. By using the database’s Transparent Data Encryption (TDE), coupled with Townsend Security’s Alliance Key Manager for SQL Server, organizations can protect their private data at a lower cost.

Alliance Key Manager, a FIPS 140-2 compliant encryption key management solution, allows enterprises to effectively encrypt data and meet security requirements in less time with a flexible, centralized offering. The solution provides full life-cycle management of encryption keys for a wide variety of applications, including Microsoft SQL Server Enterprise and Standard editions.

“We were pleased to see Microsoft announced that SQL Server 2019 Standard Edition would support TDE and EKM, bringing encryption and proper key management without application changes to their popular Standard Edition. By lowering the technical and financial bar to protecting private data, companies of all sizes can easily protect private information,” said Patrick Townsend, Founder and CEO of Townsend Security.  “Since the initial release of TDE and EKM in Microsoft SQL Server Enterprise ten years ago, we have been proud to offer an affordable, industry leading solution - and now extend that to SQL Server Standard users.”

Microsoft SQL Server users can deploy Alliance Key Manager as a hardware security module (HSM), VMware virtual machine, or in the cloud as a native AWS EC2 instance or Microsoft Azure virtual machine. Alliance Key Manager supports seamless migration and hybrid implementations, providing enterprises with options for their high availability strategy.

“By providing both on-premise and cloud solutions, enterprises can easily rely on a centralized key manager to protect their data regardless of where it resides or will in the future. Further, while key management solutions offered by CSPs provide convenience, they leave an organization’s encryption keys accessible to third-party administrators - increasing the risk to their security posture,” continued Townsend. “Our simplified licensing model that avoids charging by the number of endpoint databases and number of keys, makes the upgrade to SQL Server 2019 Standard Edition a no-brainer for many Microsoft users. Microsoft has really done well by its customers.”

Alliance Key Manager for SQL Server is available for a free 30-day evaluation.

Topics: SQL Server, Press Release

Living on the Edge

Posted by Luke Probasco on Dec 9, 2019 8:02:59 AM

As the world of edge computing becomes more distributed, billions of connected devices live on the edge, which need to be secured, managed and automated. For many businesses, this means deploying a VMware and cloud infrastructure and using VMware vSphere, for example, to encrypt private information.  While it is easy enough to encrypt data on the edge, key management has proven to be a challenge.

I recently sat down with Patrick Townsend, Founder and CEO of Townsend Security to talk about deployments on the edge, achieving a strong security posture with key management, and other ways that businesses can better secure their private data.

Patrick, Townsend Security has had key management solutions for VMware for a number of years. What is special about Edge computing?

Well, Edge computing is fascinating.  It isn’t really that different from how we currently think about computing and data security in the cloud or on-premise. By moving applications closer to the end user, Edge computing brings a better, faster user experience to the end user.  So, if you are running an application in the cloud, perhaps in a retail or healthcare environment, the delay over the network can degrade the experience or inhibit the ability to collect a lot of data, for example, from IoT devices. Edge computing is a natural evolution of making things more efficient with a better user experience.  However, Edge computing also brings new security challenges too. If we are collecting data that is sensitive in nature, it is just as sensitive out on the Edge as it is in our data center.

So what is special or different about Edge computing from a security point of view?

There are a number of challenges.  How do we deploy applications in a secure way?  How do we do application patching? One of the most important security efforts that we make is to keep everything patched and up to date.  When you have Edge computing, there are a lot more environments in distant locations. The security process really becomes more complex when we move to Edge computing.  Those challenges can be solved, but they represent things that we really need to pay attention to.

At the same time, as we are pushing applications out to the Edge, compliance regulations are getting more stringent.  Just look at the California Consumer Privacy Act (CCPA) and GDPR before it. Both of those are making the protection of sensitive data much more important.  The risks of data loss to an organization are escalating, and at the same time, we are pushing data to more and more places - so we have a big security challenge that we need to step up to.

Protecting data in a centralized IT data center is a challenge, but one that we are used to.  Edge computing brings unique problems with it. For example, let’s say you pushed some data out to a dozen Edge computing environments.  You’ll need to encrypt that data to meet compliance, but where is the key manager? Is it back at your central on-site data center? If so, you may have just lost the advantage of pushing everything to the Edge.  Encryption and key management also need to be pushed out to the Edge in order to meet security best practices, just as you would in on-premise environments.

In terms of the cloud, can you give some examples of Edge environments?

Sure.  In the Cloud, we try to deploy applications close to the end-customer which gives us better response times and a better customer experience.  So, in AWS or Azure, we can move applications closer to where the end-customer lives. CSPs are making this easier by automating some of the deployment tasks.  By pushing applications to the Edge, you get really close to the physical location of the customer. For example, if you live in Sweden, you don’t need to connect to a key manager that is sitting back in Silicon Valley.  You should connect to a key manager that is near you. When moving to the Edge, encryption and key management need to move with you.  

By the way, you may have noticed that VMware has been working much more closely with Cloud Service Providers to provide true VMware infrastructure on cloud platforms.  For example, on Azure, you can deploy a full bare metal stack - VMware in the cloud and managed the way you want. But again, when you push those VMware environments to the Edge, what about the encryption key management?  The good news is, that with our new Alliance Key Manager for Edge Computing, we can make that easy and affordable to accomplish.

How about some examples of non-Cloud Edge environments?

Almost all of us use VMware on premise, and it isn’t really all that different to what we are currently doing.  Think of a medium or large retail organization with hundreds or thousands of storefronts. When you walk into the store, there is a very good chance that there is a local VMware node out there that is running many applications.  Think about a large box store with retail, pharmacy, and automobile services. The VMware environment in a single store might support dozens or hundreds of specialized applications. How do you protect data in that environment? Sometimes when we think of Edge computing we think of “just” the cloud, but this isn’t the case.  Again, just like with the Cloud, it doesn’t need to be difficult to push encryption and key management to the Edge, it just needs to get done.

How do compliance requirements impact Edge computing?

Well, compliance requirements, which are getting stronger as we speak, make the challenge of Edge computing even more important to address.  If you think about it, when we have centralized IT processing, we have one environment to protect. It may be a very data rich environment with sensitive data that cybercriminals may want to steal - but it is something that isn’t that difficult to protect.  What if we have 500 of those environments out there across on-prem and cloud locations? The attack surface has been dramatically increased. The data is still important and still a target, but now we have a lot more to deal with. I think people are waking up to the security challenge and need to focus just as much effort on securing data at the Edge as we do at the centralized, on-premise data center.  We have to deploy all of our security defenses at the Edge in the same way that we do with core IT systems. The data is the same.

How is Townsend Security trying to help resolve this challenge?

The barriers to getting Edge data protection right are only partly technical.  Key management vendors have not adapted to the new reality of the Edge. The huge expense of traditional KMS solutions is the primary barrier to protecting data at the Edge.  For small businesses, they can even be completely priced out of the market around doing encryption and key management right. Large organizations have been priced out as well.  When there are hundreds or thousands of endpoints that need protected, vendors need to step up to help these businesses secure their data.

At Townsend Security, we have two distinct advantages.  First, our Alliance Key Manager for Edge Computing solution is virtualized, automated, and VMware Ready.  For example, our key management solution has been certified by VMware for vSphere key management - to protect VMs and vSAN storage.  We are seeing many organizations deploy VMware at the Edge. Second, we have the ability to flexibly license and price our solutions for the Edge.  Enterprises can now deploy full VMware VM encryption and key management at Edge with an affordable solution.

To hear this conversation in its entirety, download our podcast Living on the Edge and hear Patrick Townsend further discuss deployments on the edge, achieving a strong security posture with key management, and other ways that businesses can secure their private data.

Topics: Encryption Key Management, Alliance Key Manager for Edge Computing

Press Release: Alliance Key Manager for Edge Computing

Posted by Luke Probasco on Dec 4, 2019 12:00:00 AM

New, scalable pricing for Alliance Key Manager customers running in edge computing environments.

Townsend Security is extending support of its cloud, container, and VMware Ready key management solution, Alliance Key Manager, to customers running applications and databases in edge computing environments. This new offering provides scalable pricing for customers running a large number of edge computing environments in remote cloud or on-premise deployments. The new offering is called Alliance Key Manager for Edge Computing and will make it easy and affordable for customers to take encryption and proper key management everywhere it needs to go.

“Edge computing requires that applications and infrastructure move closer to end users to achieve performance and availability goals. For edge computing customers, this often means that application deployments move to cloud or remote on-premise facilities. Think of a retail box store that may have hundreds of applications in every store. Or, think of an HMO with multiple hospitals, clinics, and remote providers. There is often a pain point around encrypting that information and deploying encryption key management at the edge to protect sensitive data,” said Patrick Townsend, CEO of Townsend Security. “Encryption key management solutions are too expensive and too difficult to manage in these highly distributed edge computing environments. Those are the problems that we are helping to solve with our new offering.”

Encryption and key management have become a critical aspect of security and compliance management. Edge computing deployments can involve VMware clusters, Cloud web services, Big Data IoT collection, and many other architectures. Protecting encryption keys mitigates the risk of data breaches and cyber-attacks, as well as protects an organization’s brand, reputation and credibility. Alliance Key Manager for Edge Computing addresses these needs by helping enterprises reduce risk, support business continuity, and demonstrate compliance with regulations like PCI DSS, HIPAA, GDPR, etc.

“With the California Consumer Privacy Act (CCPA) due to go into effect on January 1, 2020, it becomes more important than ever to protect sensitive consumer and household data with strong encryption. Strong encryption with proper encryption key management is the only protection from class action lawsuits under the CCPA. Wherever your data goes it is subject to a data breach. With edge computing, the data is in more places and is more exposed to loss,” continued Townsend. “Townsend Security’s new Alliance Key Manager for Edge Computing provides the technical support and affordability that businesses need to protect sensitive data at the edge for CCPA.”

Alliance Key Manager for Edge Computing is available for a free 30-day evaluation.

Topics: Press Release, Alliance Key Manager for Edge Computing

Press Release: Alliance Key Manager Now Supports Encryption Key Management for MySQL Enterprise Edition Database

Posted by Luke Probasco on Nov 19, 2019 12:00:00 AM

Townsend Security’s Alliance Key Manager for MySQL offers unparalleled security, flexibility and affordability for all users of MySQL Enterprise Edition and MySQL Cluster CGE. 

Townsend Security today announced Alliance Key Manager for MySQL, an affordable FIPS 140-2 compliant encryption key manager to help users of the MySQL Enterprise Edition database meet compliance requirements (PCI DSS, GDPR, CCPA, HIPAA, etc.) and security best practices. Users of the MySQL database can now easily protect private data like customer PII and intellectual property without modifying existing applications or the database by using the database’s Transparent Data Encryption (TDE) coupled with Townsend Security’s Alliance Key Manager for MySQL.

While MySQL offers industry standard 256-bit AES encryption, it is recommended to use an external encryption key management solution like Alliance Key Manager for MySQL to manage the encryption keys. Alliance Key Manager uses the industry standard Key Management Interoperability Protocol (KMIP) to access encryption keys and MySQL users can deploy the solution and install the PKI certificates on the database server to easily begin protecting encryption keys.

"MySQL is the world’s most popular open-source database, and consequently, stores enormous amounts of sensitive data," said Patrick Townsend, CEO of Townsend Security. "MySQL Enterprise Edition includes standards based encryption, along with KMIP support for key management, and MySQL users can be confident that they are protecting their private data against a breach and meeting compliance requirements.” 

MySQL encrypts data at rest in real time using industry standard AES algorithms before writing it to storage, and decrypts it when it is read from storage. As a result, hackers and malicious users are unable to read sensitive data from tablespace files, database backups or disks. By using native MySQL command line operations, encryption is easy to deploy and keys can automatically be protected by Townsend Security’s Alliance Key Manager. MySQL users can deploy the key management solution as a hardware security module (HSM), VMware virtual machine, or in the cloud as a native AWS EC2 instance or Microsoft Azure virtual machine. Alliance Key Manager supports seamless migration and hybrid implementations.

“Encryption and key management is easier than ever and I think that MySQL Enterprise Edition users will be delighted to find how easy and affordable it is to deploy an enterprise-class centralized encryption key management solution,” continued Townsend. “Protecting PII, enterprise IP, and meeting compliance regulations are all things that enterprises are concerned with on a daily basis. MySQL databases are used in mission-critical applications by large and small organizations, so the real-time high availability failover capability of Alliance Key Manager will make IT administrators very happy. By pairing MySQL and Alliance Key Manager, security teams can rest a little bit easier.”

Alliance Key Manager for MySQL is available for a free 30-day evaluation.


Topics: Press Release, Alliance Key Manager for MySQL

Don’t Let Your Application or Database Limit Your Encryption Strategy

Posted by Luke Probasco on Sep 23, 2019 8:37:27 AM

Historically, encryption and key management have been deployed at the application or database level. There are even several databases whose “Enterprise” editions (like Microsoft SQL Server or MongoDB, for example) include options for encryption and external key management built right into the database. Unfortunately, these types of databases are the exception, rather than the rule. If you were to examine an organization's IT infrastructure, you are more likely to find a wide variety of databases and applications, some natively supporting encryption, some not, and many containing unprotected private information or personally identifiable information (PII). Simply put, their encryption strategy has been limited by the cost and resources required to properly protect private information.

Fortunately, these same enterprises have deployed VMware infrastructure, and starting with vSphere 6.5 and vSAN 6.6, are able to encrypt sensitive workloads in VMware using the advanced cryptographic features in vCenter. To put it a little more simply, businesses can protect their sensitive information in their internal applications and databases that don’t natively support transparent encryption with tools offered by VMware.

I recently sat down with security expert and CEO, Patrick Townsend, to talk about how enterprises can leverage VMware’s vSphere and vSAN to encrypt private data - regardless of whether their applications or databases support encryption. 

Hi Patrick. Let’s jump right in. With the introduction of vSphere encryption in 6.5 and vSAN 6.6, it has become much easier for businesses to encrypt private data. In the past they have relied on encryption at the application level or used the encryption that comes with their database. With so many enterprises deploying VMware, they no longer need to let their application or database limit their encryption strategy.

That’s absolutely correct. There are databases like Microsoft SQL Server and MongoDB EA, for example, that have encryption built right in - which makes it easy. But there are other times when encryption can be much more difficult. SQL Server Standard edition and the Community edition of MySQL, for example, do NOT support encryption. So, you have these widely used databases, with lots of unprotected data because that can be a challenge to encrypt. Using vSphere and vSAN encryption is a great way to address these gaps in an organization's encryption strategy with industry standards-based encryption. 

Sometimes the barrier to encryption is the cost of upgrading databases to “Enterprise” editions. Almost all of us are running VMware in our infrastructure anyway, so in many cases we already have the tools we need - the encryption support is there, we just need to use it. VMware even provides excellent guidance for encrypting databases, like Oracle and SQL Server, for example.

So, one of the most obvious questions. How is performance?

This is always a concern that people bring up. I can say that VMware has done a great job with performance in both encrypted VMs and vSAN - and performance continues to improve. These days, you can even deploy a large database on vSAN. This is a technology that has matured and gained the trust of customers, and they are adopting it at a rapid rate. There is also some really good material from VMware about performance expectations - white papers, solutions briefs, etc. Furthermore, both vSphere and vSAN take advantage of the Intel AES-NI on-chip accelerator for encryption, which provides a great performance boost.

Of course the key manager is the critical component that ensures the encrypted data stays encrypted. Without proper key management, it is like leaving the keys to your house under the welcome mat. What should our readers be looking for in a key manager?

Here is something that I think VMware did right. You must use a key manager in order to activate vSphere encryption of VMs or vSAN encryption. Within vSphere you are able to create a KMS cluster, define failover key managers, multiple KMS clusters, etc. They did a great job. Furthermore, VMware based their interface on the Key Management Interoperability Protocol (KMIP) industry standard. Other database vendors, for example, allow local storage of encryption keys. That is really such a BAD security practice, so I am glad that VMware saw the implications of that. If you are going to use VMware encryption, you are going to use proper encryption key management and that will be much better from a security perspective. I also think that this reflects on VMware as a company and their concern for their enterprise customers.

What to look for in a key manager? All enterprise level key managers are validated to FIPS 140-2 by the National Institute of Standards and Technology (NIST). Be absolutely sure your key management vendor has completed this validation. Secondly, your key manager should support the KMIP protocol. Finally, if you are taking credit cards for payments, look for a PCI validation. We validated our Alliance Key Manager with both Coalfire and VMware, as a joint project. This helps our customers easily get through an audit, which can be quite difficult.

While I have you, I was hoping you could also offer some clarification on the term KMS. For example, VMware defines KMS as a Key Management Server. Amazon defines their KMS as a “Key Management Service.” How should our readers be thinking about a KMS in regards to VMware encryption?

Ah, the chaos of three letter acronyms. KMS, in general terms, means Key Management Server. It is a broad term covering key management devices that manage the entire lifecycle of a key - from creation to destruction. You are right, Amazon does call their key management service KMS, which can lead to some confusion. This service is NOT to be confused with a key management server - and does not give you full control over the entire key lifecycle. It is a shared administrative environment where you share access to the keys with Amazon.

You need to approach cloud service provider (CSP) implementations of key management services with trepidation. It is important for YOU to hold exclusive access to your keys and that only you have administrative control. Cloud lock-in can be another concern as well.

To hear this conversation in its entirety, download our podcast Don’t Let Your Application or Database Limit Your Encryption Strategy and hear Patrick Townsend further discuss encrypting applications and databases that don't natively support encryption, encryption performance, and other fundamental features of an enterprise grade key manager.


Topics: Encryption Key Management, VMware, vSphere, vSAN

Case Study: Indus Systems

Posted by Luke Probasco on Jul 16, 2019 8:13:57 AM

IT Solution Provider Helps Customer Protect vSphere and vSAN Encryption Keys with Alliance Key Manager for VMware

“As our customers face new and evolving compliance regulations that require them to encrypt private data, we needed a partner that could provide easy and affordable encryption key management for VMware.”

- Kushal Sukhija, Technical Director

Indus Systems
As processes are becoming more complex, competitive and demanding, businesses are constantly exploring new ways to deploy effective solutions. Indus Systems (www.indussystem.com), over the years, has synchronized their team to offer best-of-breed solutions from leading technology partners, coupled with their Professional Services, to help customers protect their Information Technology investment, reduce costs and grow business. Their IT Solutions increase people efficiency and reduce infrastructure footprint, acting as a catalyst for quantum business growth. Indus Systems strives to be a hand-holding partner in their customers’ journey.
With over 15 years of experience and 300+ happy clients, Indus Systems offers solutions in:
  • Business Continuity
  • Core Infrastructure
  • Network & Security
  • Mobility
  • User Devices
  • Professional Services 

 

The Challenge: vSphere / vSAN Encryption Key Management

Based in India, Indus Systems is increasingly finding their financial customers concerned with meeting the Securities and Exchange Board of India (SEBI) requirements for protecting private information. According to the SEBI framework, which came into force on April 1, 2019, “Critical data must be identified and encrypted in motion and at rest by using strong encryption methods.”

With SEBI’s new cyber security framework, JM Financial Asset Management Ltd turned to Indus Systems for guidance on how to better protect their data. JM Financial Asset Management Ltd, an Indus Systems customer of 10 years, was due for a technology refresh. As part of the project, the company would rely heavily on VMware and on protecting private data with vSphere and vSAN encryption.

Knowing that for encryption to be truly effective it needs to be coupled with encryption key management, Indus Systems and JM Financial Asset Management Ltd visited VMware’s Solution Exchange in search of a VMware Ready key management solution.

The Solution

Alliance Key Manager for VMware

“After visiting VMware’s Solution Exchange and finding Townsend Security’s Alliance Key Manager as a VMware Ready solution that had been certified by VMware for use with vSphere and vSAN encryption, we knew that we could easily help customers like JM Financial Asset Management Ltd meet SEBI’s encryption requirements,” said Kushal Sukhija, Technical Director, Indus Systems.

With Alliance Key Manager for VMware, organizations can centrally manage their encryption keys with an affordable FIPS 140-2 compliant encryption key manager. Further, they can use native vSphere and vSAN encryption - agentless - to protect VMware images and digital assets at no additional cost. VMware customers can deploy multiple, redundant key servers as a part of the KMS Cluster configuration for maximum resilience and high availability.

“Alliance Key Manager proved to be an affordable and easy to deploy solution that we will be able to offer our customers beyond JM Financial Asset Management Ltd,” continued Sukhija. “Further, as part of our due diligence, we started a Proof of Concept (POC) with another key management vendor as well. After getting halfway through the project, we could quickly see that their solution was getting complicated and expensive - something that we could not recommend and deploy for our customers.”

By deploying Alliance Key Manager for VMware, Indus Systems was able to meet their organization’s and client’s needs to protect private data at rest in VMware.

Integration with VMware

“VMware’s native vSphere and vSAN encryption make it easy to protect VMware images and digital assets. With Townsend Security’s Alliance Key Manager, we were able to protect our data with no additional agents or additional costs as JM Financial Asset Management Ltd scales their IT infrastructure,” said Sukhija. With a low total cost of ownership, Alliance Key Manager customers can leverage the built-in encryption engine in VMware enterprise, with no limits imposed to the number of servers or data that can be protected.

By achieving VMware Ready status with Alliance Key Manager, Townsend Security has been able to work with VMware to bring affordable encryption key management to VMware customers and the many databases and applications they run in VMware Enterprise. VMware Ready status signifies to customers that Alliance Key Manager for VMware can be deployed in production environments with confidence and can speed time to value within customer environments.


 



Topics: Alliance Key Manager, Case Study
