Townsend Security Data Privacy Blog

Luke Probasco

Recent Posts

VMware Encryption: Protecting Data in vSphere & vSAN

Posted by Luke Probasco on Sep 28, 2018 2:35:36 PM

VMware allows customers to use native vSphere and vSAN encryption to protect VMware images and digital assets.  But as we know, to truly protect private data, encryption keys must also be properly stored and managed. I recently sat down with Patrick Townsend, Founder and CEO of Townsend Security, to talk about vSphere and vSAN encryption, deploying multiple, redundant key servers as a part of the KMS Cluster configuration for maximum resilience and high availability, as well as meeting compliance regulations and security best practices for your organization.  Additionally, we talked about Alliance Key Manager for VMware and how it is helping businesses protect their sensitive data.


VMware virtualization has been a game-changing technology for IT, providing efficiencies and capabilities that have previously been impossible for organizations constrained within a traditional IT data center world.

It is really great to see VMware, as a company, stepping up to embrace encryption for vSphere and vSAN. Introduced in vSphere 6.5 and vSAN version 6.6, encryption allows users to protect data at rest. Additionally, there is a really great key management interface, which provides an excellent path to store and manage keys. While these versions have been out for a while, many customers are just now getting around to upgrading and can take advantage of VMware's native encryption. With VMware, organizations are able to reduce hardware costs, lower operational costs, and gain a clear path to move to the cloud. With the addition of encryption, you can deploy secure environments where there is less risk of data loss in the event of a breach.

Let’s dive in a little more and talk about vSphere and vSAN encryption.  Can you walk me through how an organization might deploy encryption and key management?

Sure. I think in a typical VMware environment, organizations are already doing some encryption in their applications. For example, they may be running Microsoft SQL Server in a VM and using Transparent Data Encryption (TDE) to protect the data. With the new facilities, you now get the ability to encrypt right in the VMware infrastructure itself. There is one thing that I think VMware did really well, and they have proven this over and over again: they have laid out a certification process for key management vendors, which gives VMware customers confidence that they are purchasing and deploying a solution that has been vetted by VMware themselves. Our Alliance Key Manager, for example, has been certified for:

In terms of deploying key management, it is easy. We recommend using both a production key server and a failover key server. vSphere supports KMS cluster configurations which allow you to have a resilient encryption and key management architecture.  Aside from just being a security best practice, we are seeing our customers deploy two servers because they never want to lose access to their encrypted data. The servers synchronize in real-time and have automatic failover capabilities.


You can’t talk about key management without talking about compliance.  Whether it is PCI DSS, GDPR, or state and federal privacy laws, who doesn’t fall under compliance these days?

Yes, good question.  That is probably a very short list these days.  When you look at all the existing compliance regulations around the world, including the new GDPR, you realize that everyone falls under some compliance regulation, and most of us fall under multiple regulations.  Enterprises, big and small, public and private, fall under the same compliance regulations. Additionally, I have heard more from privately held companies that they think they are exempt - which is not true.

So you are correct. Compliance regulations are driving a lot of uptake in encryption and I would say that lately GDPR is driving the most interest. If you look at Article 32 and related recitals, the requirement to protect a data subject's information, there is a clear call for encryption. GDPR has put a new focus on the need to protect private data, as well as to take a broad view of what should be considered sensitive data. It is not just a credit card number or social security number. Information like a phone number or email address can be considered sensitive data.

How is your Alliance Key Manager helping VMware users protect their private data?

Well, we have been helping VMware customers who are encrypting at the application level for a number of years. Our Alliance Key Manager for VMware runs as a virtual software appliance and is binarily the same as our hardware security module (HSM). What is new is that VMware opened the vSphere and vSAN products to support encryption key management. Now VMware users can leverage the same key management solution for both application and VMware infrastructure encryption.

People often ask us, “How is your key manager different than your competitors”?  One thing that makes us stand out is that we are very diligent about meeting compliance requirements (PCI DSS, GDPR, HIPAA, etc.) and industry standards (FIPS 140-2, KMIP, etc.). Years ago, when we partnered with VMware, one of the first things we did was work with VMware and a QSA auditor to achieve a PCI compliance statement.  Customers can now be assured that when they deploy our Alliance Key Manager in VMware that they are meeting PCI compliance.

What else do VMware customers need to know about Alliance Key Manager for VMware?

Alliance Key Manager is a mature product that has been on the market for more than 10 years. It uses the same software that runs inside our Hardware Security Module (HSM), so customers can be confident that they are running exactly the same key management software that is FIPS 140-2 compliant and in use by over 3,000 customers worldwide.  Additionally, the security posture that the key manager allows, as well as the reference architecture that VMware provides, really gives VMware customers a road map to doing a secure installation.

The other thing that I think a lot of people might not realize is, that when they deploy Alliance Key Manager, they have our entire library of client side applications, SDKs, and sample code available to them.  For example, we have a Microsoft SQL Server TDE encryption component, support for MongoDB via KMIP, and sample SDKs for languages like Java, PHP, Python, etc. All of that comes along with the key manager and makes it easy to address security requirements.

Finally, I’d like to mention our partnership with VMware.  We are diligent about maintaining our certifications with Alliance Key Manager.  Doing this brings a level of confidence to the product for our customers. Prior to starting an encryption project they may be a little leery of key management because they have heard that it may be complicated.  That was true in the past. In fact, today it is actually extremely simple to deploy. Another barrier that we have knocked down is the scalability issue. Our solution works across multiple platforms - AWS, Azure, VMware or as an HSM.  They all talk to each other, and if one goes down, another will automatically fail over. That gives VMware customers the ability to be extremely flexible about how they deploy key management. It is not uncommon that our customers will deploy an application in the cloud, deploy a key manager in AWS, and then mirror those keys back to their on-premise VMware infrastructure. All of this is really straightforward and simple to deploy.

To hear this conversation in its entirety, download our podcast Protecting Data with vSphere & vSAN Encryption and hear Patrick Townsend further discuss protecting data in vSphere and vSAN with encryption and key management.


Topics: Encryption, VMware, vSphere, vSAN

Townsend Security Extends Alliance Key Manager to Support vSphere Encryption of VM Images and vSAN

Posted by Luke Probasco on Sep 14, 2018 8:06:28 AM

VMware users can now protect VM Images and vSAN with Alliance Key Manager, Townsend Security’s FIPS 140-2 compliant encryption key manager.

Townsend Security is excited to announce that its new version of Alliance Key Manager fully supports VMware vSphere encryption for both VMware virtual machines (VMs) and for VMware Virtual Disk (vDisk). VMware users have been using Alliance Key Manager to protect data in application databases and applications to meet PCI DSS, GDPR, HIPAA compliance as well as other data privacy regulations. Now VMware users can use the same Alliance Key Manager solution with vSphere to protect virtual machines and virtual disks. Townsend Security is a VMware Technology Alliance Partner (TAP) and Alliance Key Manager for VMware has achieved VMware Ready status.

“Our customers have been using Alliance Key Manager to protect data in Microsoft SQL Server, MongoDB and other environments for many years. Now VMware users can have confidence that Alliance Key Manager can also protect VMware virtual machines and virtual disk to achieve the highest level of data-at-rest protection,” said Patrick Townsend, CEO of Townsend Security. “VMware users are looking for certified solutions that support their complex Windows and Linux environments without the need to deploy additional hardware-based HSMs. We are happy to announce this extension of our key management solution to help VMware vSphere users achieve a high level of data protection.”

VMware users are looking for affordable solutions that provably meet compliance regulations and which fit their budget and deployment goals. Alliance Key Manager meets this goal by providing NIST FIPS 140-2 compliance, PCI-DSS certification, and Key Management Interoperability Protocol (KMIP) compliance out of the box. Existing Alliance Key Manager customers can upgrade at no cost to extend their data protection compliance requirements to vSphere. New customers can deploy Alliance Key Manager without the fear of increased, unplanned licensing costs in the future.

In addition to PCI DSS, compliance regulations such as the European Union General Data Protection Regulation (GDPR), the HIPAA data security regulation, and many other data protection regulations, require the encryption of data at rest. Alliance Key Manager combined with vSphere encryption are the protection methods to help you meet these regulatory requirements. “Don’t be fooled by vague language in the GDPR regulation. You must act to protect sensitive information of individuals in order to meet this regulatory requirement. You should act now to protect your organization,” said Townsend.

Alliance Key Manager for VMware is available for a free 30-day evaluation.


Topics: Alliance Key Manager, VMware, Press Release

Case Study: Lockr

Posted by Luke Probasco on Aug 13, 2018 9:49:38 AM

Secrets Management SaaS for CMS Systems Including Drupal and WordPress

 


With easy and flexible deployment options, Alliance Key Manager has allowed Lockr to offer affordable secrets management to Drupal and WordPress users.

- Chris Teitzel, Lockr CEO

 
Lockr

Lockr is dedicated to removing barriers to implementing sound security practices. By building, and making available, security solutions that are easy to deploy and affordable, Lockr fulfills its commitment to helping companies and organizations, of all sizes, protect the data of their customers, their partners, their employees and their daily operations. Lockr has made secrets management available to the Drupal content-management framework since 2015 and to the WordPress platform since 2016.

 

The Challenge: OEM, Compliant, Encryption Key Management

As a company who protects private information for leading companies across all verticals, Lockr knew that the only way they could be confident in their Software as a Service (SaaS) offering was to back it with a FIPS 140-2 compliant encryption key management solution. FIPS compliance meant that the solution was based on industry standards and has undergone a stringent review of the encryption source code and development practices. Further, as a growing organization whose goal was to offer an affordable service, Lockr needed a relationship with a company that offered them a flexible OEM partnership.

“Often times, because of the cost and complexity of secrets management solutions, organizations struggle and cross their fingers they don’t experience a data breach. From the inception, Lockr’s mission has been to offer affordable and easy to use security so that even the smallest websites can have the same protection as large enterprises.”

The Solution

Alliance Key Manager in AWS

As a company that protects secrets (APIs, tokens, application secrets, and encryption keys), Lockr offers their customers a service to better secure data without the costs associated with purchasing and managing dedicated servers. By partnering with Townsend Security, Lockr was able to back their service with a proven solution that is in use by enterprises worldwide.

After choosing Amazon Web Services (AWS) as their cloud service provider (CSP), Lockr rapidly deployed Alliance Key Manager in AWS in regions all over the globe. “The combination of Alliance Key Manager and AWS allows Lockr to offer SLAs and support plans that the most demanding organizations require. Working with Alliance Key Manager in AWS is painless - we just launch an AMI and can instantly begin developing and testing. Even though our infrastructure is in AWS, our service is multi-cloud and multi-platform.”

Integration with CSP and Hosting Providers

Lockr provides secrets management to Drupal and WordPress environments hosted anywhere - Pantheon, Acquia, or even self-hosted. Businesses often turn to CSPs and hosting providers because they don’t want to manage another piece of infrastructure or lack the expertise to do so. Now they can improve security by turning to Lockr for secrets management as a service.

“While a hosting provider can ensure that their infrastructure is safe, it doesn’t extend to the applications that you run on top of it.” Because of this, providers are starting to refer Lockr to their customers, especially those in finance, healthcare and higher education industries. “When you look at reasons people chose to work with a hosting company, they are looking for people to do all the DevOps work - including security - that they don’t know how to do. Site developers know they need to be safe and Lockr, backed by Alliance Key Manager from Townsend Security, makes that happen.”

Better Securing eCommerce

When businesses deploy eCommerce solutions like Commerce Guys in Drupal or WooCommerce in WordPress to take themselves “out of the sensitive data realm” they are often surprised to learn they are collecting personally identifiable information (PII) such as email address, name, and zip code that they ARE responsible for protecting. Further, services like these use an API to connect to the CMS that needs to be protected. With Lockr’s architecture, it is easy for eCommerce providers to give their users comprehensive security, beyond a credit card transaction.

“The type of SMBs that deploy eCommerce services have a high need for security, but often a small budget. These companies make up a large portion of the web, but often enterprise security solutions are out of reach due to their technical capabilities and cost. They need to have a solution that scales with them.” By calling the APIs offered in Alliance Key Manager, Lockr is able to provide their users with the added security they require to prevent a data breach.


Topics: Alliance Key Manager, Case Study, Drupal, WordPress

What Data Needs to Be Encrypted in MongoDB?

Posted by Luke Probasco on Feb 23, 2018 8:11:00 AM
A Checklist for Meeting Compliance

 

What Information Do I Need to Protect with Strong Encryption?

Organizations starting an encryption project always have this question on their minds. It is a simple question, but can be hard to answer. Generally speaking, you should encrypt any information that alone, or when combined with other information, can identify a unique, individual person. This is called Personally Identifying Information, or PII. This should be your starting point, but you may need to address other information depending on the compliance regulations you must meet.

[For even more information on encrypting data in MongoDB, view our Definitive Guide to MongoDB Encryption & Key Management.]


Quicklinks:

Federal/State Laws and Personally Identifiable Information (PII)

EU General Data Protection Regulation (GDPR)

Educational Information Covered by FERPA

Federal Agencies and FISMA

Medical Information for Covered Entities and HIPAA/HITECH

Payment Card Data Security Standard (PCI DSS)

Financial Data for FFIEC Compliance

 

Federal/State Laws and Personally Identifiable Information (PII)

Federal and State laws vary in terms of what they consider Personally Identifiable Information (PII), but there is a lot of commonality between them. PII is any information which, either alone or when combined with other information, can identify an individual person. Start with this list of data items:

  • Social security number
  • Credit card number
  • Bank account number
  • First name
  • Last name
  • Address
  • Zip code
  • Email address
  • Birth date
  • Password or passphrase
  • Military ID
  • Passport
  • Drivers license number
  • Vehicle license number
  • Phone and Fax numbers

 

EU General Data Protection Regulation (GDPR)
Under the GDPR you must protect the personal data of an individual. The definition of “personal data” is quite broad and includes “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. This includes, but is not limited to:
  • Social security number
  • Credit card number
  • Bank account number
  • First name
  • Last name
  • Address
  • Zip code
  • Email address
  • Medical information
  • Birth date
  • Password or passphrase
  • Military ID
  • Passport
  • Drivers license number
  • Vehicle license number
  • Phone and Fax numbers
Personal data is broadly defined so an excess of caution should be applied to protection of individual information.
 
 
Educational Information Covered by FERPA

Educational institutions who fall under the FERPA regulations must protect Personally Identifiable Information (see above) as well as the following information:

  • Student name
  • Student ID number
  • Family member names
  • Place of birth
  • Mother’s maiden name
  • Student educational records
  • Immunization records
  • Health records
  • Individuals with Disabilities (IDEA) records
  • Attendance

 

Federal Agencies and FISMA

Federal agencies must evaluate their systems for the presence of sensitive data and provide mechanisms to ensure the confidentiality, integrity and availability of the information. Sensitive information is broadly defined, and includes Personally Identifiable Information (see above), as well as other information classified as sensitive by the Federal agency. Sensitive information might be defined in the following categories:

  • Medical
  • Financial
  • Proprietary
  • Contractor sensitive
  • Security management
  • And other information identified by executive order, specific law, directive, policy or regulation
 
Medical Information for Covered Entities and HIPAA/HITECH
The HIPAA / HITECH Act defines Protected Health Information to include Personally Identifying Information (see above) in addition to the following Protected Health Information (PHI):
  • Patient diagnostic information (past, present, future physical or mental health)
  • Patient treatment information
  • Patient payment information
  • Medical record numbers
  • Name
  • Street Address
  • City
  • Zip code
  • County
  • Health plan beneficiary numbers
  • Fingerprints and other biometric identifiers
  • Full facial photographs and images
  • Device identifiers and serial numbers
  • IP address numbers and web URLs
  • Any other individual identifiable information
 
Payment Card Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standards (PCI DSS) require that merchants protect sensitive cardholder information from loss and use good security practices to detect and protect against security breaches.
 
If you accept or process credit card or other payment cards, you must encrypt the following data:
  • Primary Account Number (PAN)
You must also NOT store, even in encrypted format:
  • Track 1 and Track 2 data
  • Security codes (CVV, CVV2, etc.)
 
Financial Data for FFIEC Compliance
Banks, credit unions, and other financial institutions must protect Non-public Personal Information (NPI) which includes personally identifying financial information (see above). In addition to Personally Identifying Information above, you should protect:
  • Income
  • Credit score
  • Collection history
  • Family member PII and NPI

 

Encrypting Data in MongoDB
Townsend Security is helping the MongoDB community encrypt sensitive data and properly manage encryption keys. Developers who need to protect sensitive data know that storing their encryption keys within MongoDB puts their data at risk for a breach. With Alliance Key Manager for MongoDB, administrators are now able to keep their encryption keys secure by storing them remotely and only accessing them when the encryption/decryption happens.

Alliance Key Manager for MongoDB is an enterprise key management solution that allows you to easily encrypt sensitive data with NIST-validated AES encryption and securely retrieve and manage encryption keys from Townsend Security’s FIPS 140-2 compliant Alliance Key Manager. With an easy to use interface and certifications to meet compliance requirements, you can rest assured knowing your data is secure.
 
 

 


Topics: Compliance, MongoDB

Press Release: Alliance Two Factor Authentication for IBM i Now Supports the New PCI Standard for 2FA with Authy

Posted by Luke Probasco on Jan 30, 2018 8:20:18 AM

IBM i (iSeries, AS/400) users can now meet PCI security recommendations for multi-factor authentication with a mobile-based solution.

Today Townsend Security announced a major enhancement to Alliance Two Factor Authentication for IBM i to fully support the new Payment Card Industry (PCI) recommendations for multi-factor authentication with Authy. Authy (A Twilio company) is one of the most popular mobile-based authentication solutions and is in wide use to protect web credentials.

Townsend Security’s support for Authy means that IBM i (iSeries, AS/400) users can now deploy a popular and low-cost two factor authentication product without the expense of back-end hardware servers and hardware tokens. The Authy application installs on your mobile device or in your browser and provides Time-based One Time Passwords (PIN codes) on demand. Since Authy TOTP codes do not require a mobile network connection or an Internet connection, they are immune from gaps in connectivity to the network. Authentication on the IBM i platform simply requires opening the Authy application on your phone, viewing the one time code, and entering it on your IBM i signon screen. Alliance Two Factor Authentication then verifies the code with the Authy service and allows access to the IBM i platform.

Alliance Two Factor Authentication also now implements multi-factor authentication that is compliant with the new PCI guidance, which requires that a user enter a user ID and password (something they know) at the same time that they enter their one time code generated by Authy on the mobile device (something they have). The Townsend Security solution implements a secondary user ID and password to use with Authy authentication to meet this level of compliance. A failed authentication on the IBM i server never discloses whether the user ID and password were invalid, or whether the one time code was invalid. This logic prevents the disclosure of important credential information that is common in Two Step Verification. An additional benefit to using the Authy application is that recovery from the loss of a mobile phone is simple and straightforward.

Because Authy uses a secure, time-based one time code and does not use SMS text delivery, it is secure and meets security best practices for authentication. Townsend Security’s Alliance Two Factor Authentication solution continues to support SMS text delivery of one time codes, but the new Authy facility is the default for new installations.
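The single-step check described above, sketched as an added example (not Townsend Security's or Authy's code): password and one time code are always both evaluated, and every failure returns the same message. It assumes a locally computed RFC 6238 TOTP in place of a call to the Authy service; the user store, user ID and function names are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6
GENERIC_FAILURE = "Sign-on failed"  # one message for every failure cause


def totp(secret: bytes, at: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the Unix time `at`."""
    counter = struct.pack(">Q", max(0, at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def code_matches(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * STEP)
        # Constant-time comparison; no early exit on the first match.
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok


# Constructed sample user store (hypothetical secondary user ID).
_SALT = b"constructed-salt"
USERS = {
    "APPUSER1": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test secret
    }
}

# Record used for unknown user IDs so they cost the same work as known ones.
_DUMMY = {
    "salt": b"dummy-salt-value",
    "pw_hash": hash_password("not-a-real-password", b"dummy-salt-value"),
    "totp_secret": b"\x00" * 20,
}


def authenticate(user_id: str, password: str, code: str, at: int):
    """Check both factors in one step; never reveal which one failed."""
    record = USERS.get(user_id)
    known = record is not None
    record = record or _DUMMY

    # Both factors are always evaluated, whatever the first result is.
    pw_ok = hmac.compare_digest(
        hash_password(password, record["salt"]), record["pw_hash"]
    )
    code_ok = code_matches(record["totp_secret"], code, at)

    if known and pw_ok and code_ok:
        return True, "Sign-on accepted"
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    now = 59  # constructed timestamp from the RFC 6238 test vectors
    print(authenticate("APPUSER1", "correct horse", totp(b"12345678901234567890", now), now))
    print(authenticate("APPUSER1", "wrong password", "287082", now))
    print(authenticate("APPUSER1", "correct horse", "000000", now))
```

A two-step flow that rejects the password before asking for the code tells a guesser which factor was wrong; here the three failure cases are indistinguishable to the caller.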

“IBM i users need an affordable two factor authentication solution that removes the expense and headaches of hardware-based solutions. By using your mobile phone for the generation of one time codes, you never have to worry about administering a large number of hardware tokens,” said Patrick Townsend, CEO of Townsend Security. “The Authy service is secure, extremely affordable, easy to administer, and highly performant. IBM i customers can install Alliance Two Factor Authentication in a few minutes, provision an Authy account on their web site, and be using two factor authentication very quickly. It’s a fast path to PCI compliance and better security.”

You can find the PCI guidance document here.

Alliance Two Factor Authentication is licensed on a per logical partition (LPAR) basis, with perpetual and subscription licensing options available. Existing Alliance Two Factor Authentication customers on a current maintenance contract can upgrade to the new version at no charge.


Topics: Alliance Two Factor Authentication, Press Release

Press Release: MongoDB, Townsend Security Announce Certified Encryption Key Management

Posted by Luke Probasco on Nov 16, 2017 9:11:00 AM

Townsend Security, a MongoDB Technology Partner, achieves MongoDB Enterprise Certification for Alliance Key Manager.

Today Townsend Security, a leading authority in data privacy solutions, and MongoDB, the database for modern applications, announced that Alliance Key Manager has been certified against MongoDB Enterprise.

MongoDB Enterprise simplifies data protection by providing native encryption of data at rest. When coupled with Townsend Security’s flagship encryption key management solution, Alliance Key Manager, meeting compliance (PCI DSS, HIPAA, etc.) and security standards is even easier and more affordable for large as well as small organizations.      

By centralizing the secure storage of encryption keys and governance with a FIPS 140-2 compliant solution, MongoDB users can easily generate a master encryption key and begin encrypting database keys using native command line operations with Alliance Key Manager.

“Alliance Key Manager for MongoDB gives organizations control of key management in a convenient and fast deployment option. With this joint solution it is simple for customers to encrypt their data in MongoDB Enterprise,” said Davi Ottenheimer, Product Security, MongoDB.

Encryption and key management have become a critical aspect of security and compliance management. Protecting encryption keys mitigates the risk of data breaches and cyber-attacks, as well as protects an organization’s brand, reputation and credibility. Alliance Key Manager addresses these needs by helping enterprises reduce risk, support business continuity, and demonstrate compliance with regulations like PCI DSS, HIPAA, GDPR, etc. 

“In the wake of some of the largest data breaches ever, data security is a top concern for businesses large and small. MongoDB has made it easier than ever for enterprises to secure private data with encryption and key management,” said Patrick Townsend, Founder & CEO, Townsend Security. “With Alliance Key Manager for MongoDB, MongoDB Enterprise customers have access to cost-effective, simplified encryption key management.”

Alliance Key Manager supports seamless migration and hybrid implementations, using the same FIPS 140-2 compliant technology. MongoDB users can deploy Alliance Key Manager as a hardware security module (HSM), VMware instance, or cloud-native Amazon Web Services (AWS) EC2 instance or Microsoft Azure virtual machine. Additionally, Alliance Key Manager supports hybrid and cross-cloud deployments. The solution is available for a free 30-day evaluation.


Topics: MongoDB Encryption Key Management, MongoDB, Press Release

Press Release: Alliance Two Factor Authentication Gets Twilio SMS Text Delivery

Posted by Luke Probasco on Nov 7, 2017 11:11:00 AM

With mobile-based two factor authentication, Townsend Security offers customers an additional control to protect core security solutions from unauthorized access due to compromised credentials.

Today Townsend Security announces that its flagship Alliance Two Factor Authentication solution for the IBM i (AS/400, iSeries) has been enhanced to support SMS text delivery using the Twilio global cloud communications platform. Twilio’s self-service SMS text delivery platform makes it easy and affordable for customers to provision accounts under a SaaS model. IBM i customers only pay for what they use and can easily expand their use of the service over time.

“IBM i customers want security solutions that are affordable, easy to install, and easy to configure and administer. Our Alliance Two Factor Authentication solution requires no hardware or back-end internal infrastructure to deploy,” said Patrick Townsend, CEO of Townsend Security.

Two factor authentication is now a critical security control that every IBM i customer should be using to control access by highly privileged users. Customers can install Alliance Two Factor Authentication, provision the Twilio service online, and start using two factor authentication very quickly. The software will even identify your privileged users and help immediately enforce two factor authentication. The solution can be downloaded from www.townsendsecurity.com and includes a free 30-day evaluation.

“Many compliance regulations such as the PCI Data Security Standard (PCI-DSS) and others require or strongly recommend the use of two factor authentication (also called multi-factor authentication) to secure all non-console administrative access and all remote access regardless of privileges to core servers. A single IBM i server is often host to a large number of sensitive applications. It is common that IBM i customers run human resources, CRM, ERP and other applications on a small number of IBM i servers that then become a target for cyber criminals. The use of two factor authentication to protect highly privileged users is a security best practice. And it is now very easy to implement,” continued Townsend.

In addition to protecting the logins of highly privileged users, the Alliance Two Factor Authentication product also exposes a command interface to the Twilio SMS text service. This means that IBM i customers can now integrate SMS text authentication directly into their own applications. Need an out-of-band authentication for that multi-million dollar financial transaction? You can now do that directly from your business applications with the Send Text Message with Twilio (SNDTXTTWI) command and application program interfaces (APIs).

In addition to user authentication the new SMS text application support can be used for notification of significant application events. Your business applications can send a message when inventory runs low at a distribution center, when a business process has been delayed, or for any other critical business process. You can even embed links into the text messages to help users quickly solve problems and accomplish critical tasks.

Alliance Two Factor Authentication is licensed on a per logical partition (LPAR) basis, with perpetual and subscription licensing options available. Existing Alliance Two Factor Authentication customers on a current maintenance contract can upgrade to the new version at no charge.


Topics: Alliance Two Factor Authentication, Press Release

Case Study: The Seed Company

Posted by Luke Probasco on Nov 6, 2017 10:32:47 AM

Securing Data in MongoDB Enterprise with Alliance Key Manager


“When choosing a key management solution, it needed to be 1) KMIP compliant and 2) affordable. Alliance Key Manager was both.”

- Jonathan Ganucheau, System Architect, The Seed Company

Founded in 1993 by Wycliffe Bible Translators Inc., Seed Company became one of the fastest growing Bible translation organizations by developing innovative ways to more rapidly, efficiently and accurately translate Scripture for groups who don’t have it in their language.

Over a billion people worldwide don’t have the full Bible in the language they know best. More than 1,600 languages don’t have any Scripture at all. Seed Company’s goal is zero languages without Scripture by 2025. In this generation, the Bible will become available to all for church planting, evangelism and discipleship efforts led by the local Church.

 

The Challenge: Protecting Private Data in MongoDB with Encryption & Key Management

As Seed Company began to outgrow its on-premise data center, it knew that in order to transition services into the cloud, the security team needed to assure business leaders and partners that their data in the cloud would be safe. To meet internal security requirements, not only did the solution need to be cloud based, but encryption needed to live in a secondary cloud provider. By taking a hybrid cloud approach and deploying a service in a secondary cloud provider, Seed Company could securely manage encryption keys and protect data stored in MongoDB Enterprise.

While compliance wasn’t a requirement, meeting security best practices to protect the contact data for partners in the field was. With identities of partners in violent, oppressive countries at stake, a breach could literally mean the difference between life and death.

The Solution

Alliance Key Manager

Seed Company’s adoption of the cloud was reliant on the ability to adequately protect private data. Alliance Key Manager was essential to their transition. “After two months of discovery, we looked at all of the cloud encryption key management vendors and compared everything from features to price,” said Jonathan Ganucheau, System Architect. “Alliance Key Manager met all of our criteria - with KMIP compliance and affordability leading our decision.”

“If someone was able to hack into our primary cloud platform and extract our backups, they still wouldn’t be able to get the actual data because the key manager is in a secondary cloud provider. This provides us with another level of hardening,” continued Ganucheau.

By deploying Alliance Key Manager, Seed Company was able to meet their organization’s needs to protect partner data in MongoDB in the cloud.

Integration with MongoDB Enterprise

“Having invested in MongoDB Enterprise with KMIP encryption, there was no need to buy competing encryption solutions, adding to the overall expense of the project,” said Ganucheau. With a low total cost of ownership, Alliance Key Manager customers can leverage the built-in encryption engine in MongoDB, with no limits imposed on the number of servers or the amount of data that can be protected.

“During discovery, one thing that came as a surprise to us was the number of vendors who claimed to support KMIP, but actually didn’t. They maybe started with KMIP compliance, but then deviated off course and no longer met our requirement of being a true KMIP service,” continued Ganucheau.

With no client software to install, Alliance Key Manager offers unparalleled security, flexibility, and affordability for all users of MongoDB Enterprise.

Reliability

One of the top concerns organizations have when encrypting data is losing access to encryption keys. Alliance Key Manager mirrors keys between multiple load-balanced servers over a secure and mutually authenticated TLS connection for hot backup and disaster recovery support. “Uptime is critical for our organization. Alliance Key Manager has remained up 100% over the past year, which is a big deal for our organization. Set it and forget it. It just works,” finished Ganucheau.

“Between your cost structure and reliability, Alliance Key Manager has earned my highest recommendation.”


Topics: Alliance Key Manager, Case Study, MongoDB

Alliance LogAgent for IBM i Integrates with ServiceNow

Posted by Luke Probasco on Sep 19, 2017 12:12:00 AM

Alliance LogAgent for IBM i now instantly records critical system events and integrates line-of-business applications with ServiceNow, the leading cloud-based solution for IT systems.

Townsend Security today announced support for integration of IBM i servers and applications with ServiceNow, the leading cloud-based solution for IT system support problem tracking and resolution. Leveraging the ServiceNow REST web interface, Townsend Security’s Alliance LogAgent solution can now instantly record critical system events as ServiceNow Incident reports. Alliance LogAgent also exposes an API command that lets IBM i customers integrate line-of-business applications with ServiceNow. When business applications encounter critical events or errors, these can be immediately visible to the IT administrative and security teams for rapid response and resolution.

“IBM i customers want to leverage the best of the new generation cloud-based service offerings. This new release of Alliance LogAgent gives them that ability right out of the box. Existing ServiceNow customers have all they need to record critical incidents in real time. IBM i users who are not currently ServiceNow customers can rapidly subscribe to ServiceNow and start enjoying the benefits of this leading IT Systems Service Management (ITSSM) solution,” said Patrick Townsend, CEO of Townsend Security.

“The power and stability of the IBM i system can integrate with the best of the cloud-based ITSSM solutions. It’s an easy win for IBM i customers, and those with existing system logging solutions will be happy to know that Alliance LogAgent can co-exist with existing technology, or IBM i customers can take advantage of our competitive upgrade program,” continued Townsend.

New ServiceNow features in Alliance LogAgent include:

Privileged User Access
Monitoring administrative access to IBM i servers is a critical compliance and security best practice. Alliance LogAgent can identify in real-time the privilege level of a user signing on to the system and report it to ServiceNow and to any SIEM solution. Alliance LogAgent is unique in its ability to dynamically identify the true privilege level of a user by examining the native authority of the user as well as authorities inherited from Group and Supplemental profiles. Cyber criminals often use privilege escalation as a starting point in an attack. Alliance LogAgent can now identify privileged user logons and raise a ServiceNow support incident.

User Profile Disabled
A common labor-intensive task for IT administrators is managing user accounts that are disabled due to an excessive number of password failures, or which are disabled due to a brute force attack. Alliance LogAgent will now automatically identify disabled user profiles in real-time and create a ServiceNow incident report. This gives the IBM system and security administrator rapid visibility and resolution for disabled profiles. Additional system security is provided by an out-of-band notification via ServiceNow of a potential attack in progress.

File or Object Change
An attacker often modifies a program or file on the IBM i server as a part of compromising sensitive data. For example, an attacker might modify the IBM i web server configuration file to direct users to malware on infected sites. IBM i customers can now identify both library and IFS objects for monitoring by Alliance LogAgent with reporting directly to ServiceNow. Early detection of modified programs and files can help an IBM i customer avoid a data breach.

Application Integration with ServiceNow
IBM i developers can now easily integrate business applications and processes with ServiceNow through a new command named Create ServiceNow Incident (CRTSVNINC). By embedding this command into user applications the IBM i developer can provide a wide set of incident creation capabilities. This new command builds on the ServiceNow REST interface without requiring complex communications or API logic in the business application. Using the ServiceNow command does not require the SIEM integration components of Alliance LogAgent. IBM i customers can use just the ServiceNow integration component, or combine its use with Alliance LogAgent SIEM integration.

Alliance LogAgent is licensed on a Logical Partition (LPAR) basis. Both perpetual and subscription licenses are available. Volume discounts are available. Additional charges apply to the ServiceNow application. Alliance LogAgent can be downloaded from the Townsend Security website for a free 30-day trial of the fully functional solution. ServiceNow integration requires a subscription license from ServiceNow. Trial subscriptions are available from their website at http://servicenow.com.


Topics: Alliance LogAgent, Press Release

Introduction to Encrypting Data in MongoDB

Posted by Luke Probasco on Sep 7, 2017 1:27:20 PM

An excerpt from the White Paper "Introduction to Encrypting Data in MongoDB".


In fewer than ten years, MongoDB has risen to become a top player in nonrelational database providers, outcompeting and upsetting database monoliths such as OracleDB and Microsoft SQL Server. Built on a model of low up-front operational costs alongside improved performance, MongoDB has become one of the most widely growing databases for organizations across retail, financial, healthcare, and government entities.

Beyond cost and performance, a key component of MongoDB’s toolset is a robust plan to help customers achieve strong data security through encryption of data in flight and at rest, along with options to secure and manage encryption keys to meet industry compliance requirements and data security best practices.

If you are an organization that routinely considers security and compliance when purchasing third-party software, built-in security solutions can be hugely beneficial to your security and compliance strategy. However, like any new software, questions around deployment and how to get the most out of native encryption tools may still be a barrier to your success.

In order to paint both a broad and in-depth picture of how to best deploy encryption and encryption key management in MongoDB, let’s first start by discussing your options to encrypt data in your MongoDB database. If you’d like to first learn the fundamentals of encryption and key management before diving in, check out The Definitive Guide to Encryption Key Management Fundamentals.

Encrypting data in MongoDB

If you choose to encrypt your data, MongoDB offers solutions for encrypting data in motion as well as at rest.

Data-in-Motion Encryption

For securing data in motion, all versions of MongoDB support TLS (Transport Layer Security) and SSL (Secure Sockets Layer) to send and receive data over networks. TLS and SSL are the types of encryption commonly used to secure website traffic and file sharing. They are cryptographic protocols that secure data while it is traveling from one point to another; however, before the data is sent and after the data arrives at its endpoint, the data appears unencrypted, or “in the clear”. MongoDB provides ample documentation on how to configure TLS and SSL protocols using certificates and public and private key pairs, also called asymmetric key systems. (Resource: TLS/SSL Configuration for Clients)

When considering encryption, enterprise customers must be aware of governmental and private regulations that require protecting sensitive information. For example, the Payment Card Industry (PCI) requires that credit card numbers be encrypted in storage. The HIPAA medical regulations require protection of Electronic Protected Health Information (ePHI). And there are many other regulations that require proper protection of Personally Identifiable Information (PII). A challenge for MongoDB users is that it is often difficult to know when sensitive information is being added to the database. The safe security strategy is to always encrypt the MongoDB database and use proper key management.

Data-at-Rest Encryption

To encrypt data at rest, MongoDB Enterprise offers native, storage-based symmetric key encryption, which means that users can use transparent data encryption (TDE) to encrypt whole database files at the storage level. First offered in version 3.2, this feature uses the Advanced Encryption Standard (AES) 256-bit encryption algorithm, a cipher that uses the same secret key to encrypt and decrypt data. MongoDB also provides the option to turn encryption on in “FIPS mode”, which means the encryption you use in MongoDB is built to meet the highest standard and meet compliance. The Federal Information Processing Standard (FIPS) is a National Institute of Standards and Technology (NIST) validation that demonstrates your encryption algorithm has undergone rigorous tests. The NIST FIPS validation is often required for government and Department of Defense contractors; however, today NIST-validated AES encryption is considered an industry standard and is typically recommended or required by most industry-based compliance regulations. Data-at-rest encryption is only available on MongoDB Enterprise and Atlas editions using the required WiredTiger storage engine.

When encrypting data natively using TDE, it is important to know how encryption keys are stored in MongoDB. When a database file is encrypted, a unique, private encryption key is generated. Each encrypted database file generates a new private symmetric key, and all keys in your storage device are encrypted using a master key. While the database keys are stored alongside the encrypted data, MongoDB never allows the master key to be stored on the same server as the encrypted data. This means that the database or security administrator must identify a secure storage location for the encryption key. MongoDB strongly recommends a third-party enterprise key management solution; however, users have the option to store the key locally using a keyfile. This second option is extremely risky, and almost never recommended for key protection.
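The two master-key storage options described above, shown as alternative `security` sections of a mongod configuration file. This is an added example, not part of the white paper; the hostname and file paths are placeholder assumptions.

```yaml
# Added example: mongod.conf fragments for MongoDB Enterprise (WiredTiger).
# Hostnames and file paths are placeholders, not values from the white paper.

# Option 1: local keyfile (the risky option).
# The master key sits in a file on the database host, so anyone who can read
# that host's filesystem or its backups can obtain both the key and the data.
security:
  enableEncryption: true
  encryptionKeyFile: /etc/mongodb/master-key.example    # placeholder path

---
# Option 2: external KMIP key manager (the recommended option).
# mongod requests the master key from the key server over TLS and presents a
# client certificate; the master key is held by the key server rather than
# in a file beside the encrypted data.
security:
  enableEncryption: true
  kmip:
    serverName: kms.example.internal                    # placeholder key server
    port: 5696                                          # registered KMIP port
    serverCAFile: /etc/mongodb/kmip-ca.pem              # CA that signed the key server certificate
    clientCertificateFile: /etc/mongodb/kmip-client.pem # mongod's client certificate and private key
```

A deployment uses one of the two `security` sections, not both; with the KMIP form, a stolen disk image or backup of the database host does not include the master key.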

For even more information, view our Definitive Guide to MongoDB Encryption & Key Management.

To download this White Paper in its entirety, download “Introduction to Encrypting Data in MongoDB” and learn about encrypting data-at-rest and in-motion in MongoDB, MongoDB vs SQL encryption, encryption performance, and what is key management.

Topics: MongoDB