+1.800.357.1019

+1.800.357.1019

Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

Patrick Townsend

Recent Posts

On a Journey with Managed Service Providers (MSPs) for a Better Encryption KMS Solution

Posted by Patrick Townsend on Aug 10, 2020 3:30:31 PM

Every now and then something completely unexpected happens that changes your life. No, I’m not talking about the COVID pandemic - that’s a completely different story. What happened for me is that in the course of my work in business development of our key management server (KMS), I met the CEOs of two different Managed Service Providers (MSPs) and they welcomed me into their world. With grace and patience, they helped me leave behind my preconceived notions about software sales and introduced me to how their world works. Neither of these two CEOs were obligated to mentor me and to give me their time, but I am so grateful that they did. It opened a new vision for me and our team here at Townsend Security.

If you work at an MSP firm, I hope you will read on. I will tell you how I turned my lessons into real benefits for the MSP.

VMware Cloud Providers & MSPs - Win New BusinessManaged Service Providers are varied in what they do, but at the core of their business is the desire to provide IT expertise, hosting facilities, business continuity and disaster recovery, and lots of other IT services to small and large organizations. They do everything from fixing user PCs to deploying top-end servers, security, and cloud services. Expertise is at the core of the value they provide to organizations. During the COVID crisis, they are on the front lines of trying to help everyone migrate to work-from-home and they are trying to secure that environment.

They are just some of the quiet, hidden heroes who don masks and rush into data centers and offices to keep us all operational. They provide great value to organizations especially in the current crisis. These MSPs taught me about their business and about the difficulties they have with key management vendors. In a time when security is top of mind for their customers, they struggle with a KMS industry that is stuck in the past. We were definitely one of those. As we talked, the light came on for me. All of the problems they were having with KMS vendors were problems that we could solve! All it took was a commitment from us, and a change in our business practices.

Here are some things I learned from my MSP CEO mentors:

  • Their businesses run on a usage-based model. For example, they might host a VMware environment for an end customer and charge them on the basis of the number of Virtual Machines (VMs) or vSAN storage they manage on a monthly basis. They provide immediate, on-going value to their customers and they prove their worth on a day-to-day basis.
  • They deploy third-party software solutions to help them accomplish their mission. They prefer to use software solutions that match their business model. For example, some of the common backup solutions like Veeam can be deployed by MSPs on a per-month, per-VM basis. It’s great when an MSP can deploy these types of solutions on a usage basis. It is how they run their business and greatly reduces their risk. KMS vendors are not helping.
  • MSPs live in a complex technical world, and they have special needs from their software vendors. They probably deal with more technical complexity than any other IT segment. Hardware, software, Windows, Linux, security, networking, cloud, smart phones – where does it end? This means they need software solutions that are easy to install, deploy, manage and report on.
  • An MSP deals with a lot of software “vendors”. What they really need are software
    “partners”. A software vendor sees the MSP as a resource (money) extraction
    opportunity. A partner is someone who saddles up and goes into battle with you. With a partner, you will either win together or lose together. This is an incredibly important distinction to the MSP, and a really big challenge to the software vendor.
  • The MSP needs more than a software solution from a partner. With all of the complexity of the services an MSP delivers, the MSP needs help from the software partner to sell the solution, to support the solution, and to be a trusted advisor. Can the software partner help with sales collateral? How about with joint sales calls? Can we do joint webinars and podcasts that help build confidence in customers and potential customers?

Here at Townsend Security we live in the world of data security. We have encryption and key management solutions to protect data at rest. We have a number of MSP customers. Before I had the conversation with our MSP mentors, we approached each of our MSP customers the way any legacy software company would. We offered the basic perpetual and subscription licenses. We have always been very price competitive, but it was basically a take-it-or-leave it approach. We charged for each key manager that we sold.
We were a perfect example of the “vendor” problem the MSP experiences. So, we set out on a journey to see if we could align our business with MSPs and become the “partner” they want and need. It meant changing a lot of our assumptions and business practices. You will know when you have a true partner when they lean in with their marketing and technical teams to make you successful. Our goal is to be that partner!
Here are some of the things we’ve done:

  • Adopted a Pay-As-You-Go model for MSP partners. We now charge a very small monthly fee for each encrypted VM or database. Gone are the perpetual and annual subscription licenses. Scale up or scale down as you like. We get paid when you get paid. Full stop.
  • Dropped all upfront fees or annual minimums. We are aiming for perfect cost and
    revenue predictability for your MSP business.
  • Stopped counting the number of key management servers the MSP runs. The MSP
    deploys key servers in the way that makes sense. Multiple physical hosting sites, on-premise deployments, Disaster Recovery as a Service (DRaaS), encrypted storage? We don’t care, we are all in.
  • We trust the MSP to deliver their services and expertise on their hosting or cloud
    platform, and on their customer’s premises. MSPs conduct their businesses in a variety of ways. If we achieve true partner status you will feel that we are fully behind you and support you and take the risks with you.
  • We train the MSP on how to deploy our solution. We have video, on-line
    documentation, and one-on-one training to help you get up and running quickly. We don’t charge for training; we just lean in to help you get the job done.
  • We support the MSP with 24/7/365 business interruption support program at no extra charge. Support is built right into the low monthly fee.
  • Provide sales support by doing joint customer calls, answering security questions, and providing guidance on meeting compliance regulations. We don’t charge for helping you close a sale; we will win the deal together.
  • Provide sales collateral that includes sell sheets, educational material, joint webinars and podcasts, and much more. We don’t charge for sales and marketing collateral.

I feel like I’ve been on a fast learning track and have gained some great new friends. They are sharing with us what they need, and we are leaning in to help them be successful. It is an immensely rewarding experience.

Here is what one of our MSP customers said:

“You said the magic words of MSP and Low cost, consumption based! We’ve struggled to find a KMS solution we can properly price and sell to our customers to do VM encryption. Solutions like XXXXXX are prohibitively expensive. Your low cost per encrypted VM per month is very reasonable. I’m glad those MSP’s helped you understand our market and that you were able to see the opportunity. You NEED to be marketing this. You’re solving a problem that MSP’s a) don’t think they can afford to fix, and b) are just ignoring the compliance of because it’s “too hard and too expensive.” I highly encourage you to get the word out through marketing to MSP’s. Thank you, Patrick. You made my day.”

If you are an MSP we would like to “make your day.” You can start your journey here

Evaluations of our Alliance Key Manager are available at no charge. We provide technical
support through the evaluation at no charge. Let’s do this together!

Patrick

Encryption Key Management for VMware Cloud Providers

Topics: Partner, Hosting Providers, MSP

Encryption for VMware Hosting Providers and MSPs

Posted by Patrick Townsend on Jun 8, 2020 8:58:16 AM

This blog is an excerpt from the white paper Delivering Secure VMware Hosting with Encryption & Key Management.


Delivering Secure VMware Hosting with Encryption and Key ManagementVMware is the most trusted name in on-premise computing infrastructure. Its ease of use and administration, reliability and security provide exceptional services to small and large organizations alike. As organizations move to the cloud, there are now a large number of VMware hosting partners and managed service providers (MSPs) who provide off-premise deployments of VMware and an extensive array of VMware management and administrative services. This white paper discusses how Townsend Security is helping VMware hosting providers meet the challenge of encryption and encryption key management, while supporting the usage-based business model core to many of these hosting providers.

VMware Architecture and Benefits

The benefits of VMware in the data center are now well recognized. Reduction in hardware and utility costs, reduction in administrative costs, improvement in managing ever-changing workloads, resilience and business continuity, and exceptional security are just some of the primary benefits. This is why VMware is the leading infrastructure virtualization technology on a global basis.

In recent years VMware has embraced the movement to the cloud with key partnerships with leading cloud service providers. What is less well known is that VMware has spawned and supports a broad set of hosting providers that serve local and regional markets. These VMware hosting providers also provide the expertise and managed services that many large cloud providers do not. 

The growth of the VMware hosting provider eco-system provides important support for VMware customers. Customers now have many options for managing their VMware infrastructure on premise or at a VMware hosting provider data center. Many customers maintain both on-premise and hosted environments to meet their business needs. The VMware eco-system is growing and resilient, and an important part of the IT services landscape.

VMware and Security

While VMware has always been a leader in IT security, the company recognized the importance of encryption and proper encryption key management to meet security best practices and evolving compliance regulations. In 2016 VMware released version 6.5 of vSphere which enabled built-in support for encryption of virtual machines (VMs) and virtual storage (vSAN). In any encryption strategy, it is important to protect the encryption keys using a purpose-built key management security system that secures the keys away from the protected information. The VMware security architecture integrates with a key management server (KMS) to protect the encryption keys that are used by ESXi and vSAN. The interface between vSphere and the key management server is based on the Key Management Interoperability Protocol (KMIP), an open standard for KMS systems. 

In vSphere the administrator defines a primary key manager and one or more failover key managers using the KMS Cluster module. vSphere manages the failover to a backup key server in the event the primary key server is not available. This also enables failover to a disaster recovery VMware node in an automatic fashion. The result is a robust implementation of encryption with key management based on the open OASIS KMIP standard and deployed in a highly resilient fashion.

VMware Hosting and MSP Partners

VMware hosting partners and MSPs are called on to deploy proper security in the VMware infrastructure. Security is largely provided by native VMware applications such as NSX and others. However, the deployment of a key management system depends on support from third party KMS vendors. Townsend Security is one of those vendors with its Alliance Key Manager solution.

Unfortunately, most enterprise KMS systems are expensive, difficult to deploy, lack needed failover reliability, and have complex licensing and management requirements. Many VMware hosting providers provide their infrastructure and services on a usage-based model. Enterprise KMS systems generally do not fit this delivery, reporting and billing model.

Townsend Security is solving this problem by providing its Alliance Key Manager solution on a usage basis. VMware hosting providers will benefit from the Townsend model as it matches their business delivery model and makes KMS affordable to their end customers. When your encryption key management strategy lines up with your business model you are able to manage your growth in a predictable way.

Delivering Compelling Hosting and Services

VMware hosting providers and MSPs are rapidly changing the way that VMware customers are managing their IT infrastructure. These VMware partners are filling a services and support gap left by typical, large cloud service providers. Hosted VMware infrastructure, Disaster Recovery as a Service (DRaaS), automated backup and recovery, and expertise on demand provide compelling value to VMware end customers. 

Townsend Security’s Alliance Key Manager is filling the KMS gap for VMware hosting providers and MSPs by providing an Enterprise KMS system that matches the way they do business. Gone are the complexities of sourcing, deploying, licensing and administering a KMS for the VMware environment. Townsend Security empowers the VMware hosting provider with on-premise and customer premise solutions for every VMware KMS need.

Delivering Secure VMware Hosting with Encryption and Key Management

Topics: Hosting, Encryption Key Management, VMware

Data Security for Working Remotely - Needed Now More Than Ever

Posted by Patrick Townsend on Mar 27, 2020 7:29:13 AM

We are all working from home now. At least, in the technology world that seems to be true. What does this mean from a security standpoint? Here are a few thoughts:

Data SecurityTechnology workers (programmers, project managers, customer support staff, pre-sales engineers, etc.) are generally pretty comfortable with remote work. This is the result of a multi-year trend driven by talent shortages, distributed organizations, and out-sourcing. However, traditional finance and administrative workers tend to be more office-centric. They are rapidly adjusting to working at home and figuring out how to balance work in a home environment. Kids in your space? Yup, it’s a big adjustment for everyone when you suddenly move from office to home.

With COVID-19, we are doing work-from-home to better protect our colleagues, our families, and our friends and community. It is critical that we do physical distancing and get it right. It is truly a matter of life and death. 

I believe that there are security implications to this change, too. Corporate systems are at more risk. 

When we move workers from the office to home, we expand the attack surface. Our home PCs and networks have probably not had the same security scrutiny that office systems have. But those home PCs now have access to the corporate network. There is a lot of use of VPN, Remote Desktop Protocol (RDP), and terminal emulators like GoToMyPC to get connectivity. I think in a lot of cases the security exposure has increased as we deal with the COVID-19 pandemic. 

We need to take this expanded threat to our corporate systems seriously. Cybercriminals will happily use any new weakness to access our sensitive data. It may be a lot easier to break into your home network and jump to the corporate network.  Here are some things you can do right away:

  • Start reviewing home PCs and networks like you would internal systems. And start with your system and network administrators. They often hold highly authorized credentials. Create a special team to get this done as quickly as possible. 
  • Make a prioritized list of your application databases that hold sensitive data. Or, if you have the list, do a quick review and update as needed. You probably have some databases that are easy to protect with encryption and good encryption key management.
  • These databases are fast and easy to protect: Microsoft SQL Server (TDE), MySQL, MongoDB, and Oracle Database. You can get these common databases under encryption protection very quickly. 
  • Do you use VMware for your IT infrastructure? You probably do. It is very fast and easy to implement encryption of VMs and vSAN. This is a fast and easy win.
  • Get management buy-in. We all know that we have an emergency on our hands. Enlightened management will get on board quickly. They are going to have to approve new human resource assignments and some new budget. 

We are in uncharted territory with COVID-19. Here at Townsend Security we are committed to helping you survive this challenge. We will help you get the data security you need. Just talk to us.

Patrick

The Encryption Guide eBook

Topics: Security Strategy

Enterprise Key Management System (KMS) vs Cloud Key Service (KMS, Key Vault)

Posted by Patrick Townsend on Mar 16, 2020 3:38:00 PM

I am often asked about public cloud provider encryption key services like AWS KMS and Azure Key Vault. There are substantial differences between an Enterprise Key Management System (we have one) and the key services provided by Amazon and Microsoft (and Google has one, too). Enterprise Key Management Systems provide dedicated, full lifecycle key management under your exclusive control. Cloud key services provide a small subset of encryption key management support, in a non-dedicated, multi-tenant, shared environment. 

Perhaps the best way to show the differences is in a side-by-side table comparing our Alliance Key Manager for AWS and Azure, and Cloud Service Provider (CSP) key services:

Feature

Alliance Key Manager

Cloud Key Service

     

Standards

   

FIPS 140-2 Compliant

Yes

Back end only

OASIS KMIP compliant

Yes

No

     

Operational

   

Dedicated control

Yes

No, Shared Custody

Cross cloud

Yes

No

Mirror keys to on-premise

Yes

No

On-premise to cloud seamless migration

Yes

No

Backup off cloud

Yes

No

Key mirroring across regions/zones

Yes

No

Migrate to HSM

Yes

No

Automatic failover across regions/zones

Yes

No

     

VMware and Kubernetes

   

VMware encrypted VM support

Yes, certified

No

VMware encrypted vSAN support

Yes, certified

No

VMware vTPM support

Yes

No

     

Database & Application

   

SQL Server TDE support

Yes

No

MongoDB Enterprise Advanced support

Yes

No

MySQL Enterprise support

Yes

No

IBM DB2 support

Yes

No

Drupal

Yes

No

     

SDKs

   

Java

Yes

Yes

.NET (C#)

Yes

No

Python

Yes

Yes

C/C++

Yes

Yes

PHP

Yes

No

Perl

Yes

No

RPG

Yes

No

COBOL

Yes

No

 

Download Alliance Key Manager

Topics: Encryption Key Management

Microsoft SQL Server Standard Edition and TDE Encryption

Posted by Patrick Townsend on Mar 12, 2020 10:00:27 AM

Microsoft handed everyone a big gift with SQL Server Standard Edition 2019. The Standard edition of SQL Server did not previously support encryption. Surprise! Now it does. Prior to this new version, SQL Server Standard customers had to upgrade to the Enterprise Edition, or install a third party encryption solution. Upgrading to the Enterprise Edition was expensive for many small to midsize Microsoft customers, so bringing encryption to Standard Edition with 2019 is a big deal.

Let’s take a dive into SQL Server Standard Edition 2019 and the encryption support:

How Encryption is Implemented

SQL Server Standard Edition & TDEMicrosoft implemented encryption in Standard Edition by bringing the EKM Provider architecture from the Enterprise Edition to the Standard Edition. This means that Standard Edition users have access to the same encryption and key management capabilities that are available in the Enterprise Edition. This is great news for Microsoft customers as most are running both Standard Edition and Enterprise Edition in their IT infrastructure. You can now deploy the same encryption and key management solution across your Standard Edition and Enterprise Edition databases. If you are using Transparent Data Encryption (TDE) in the Enterprise Edition, you can now do the same thing in Standard Edition.

Earlier Versions of Standard Edition and Upgrades

The new encryption capability for Standard Edition is only in the 2019 release (version 15.x). Earlier versions of SQL Server Standard Edition will not be upgraded to support encryption. To take advantage of encryption in Standard Edition you have to upgrade to the 2019 release. You do NOT have to upgrade to the Enterprise Edition!

Encryption Key Management

How you manage encryption keys is crucial to your encryption strategy. SQL Server provides you with two key management options:

  • Locally stored on SQL Server
  • Deployment of a key management server through the EKM Provider interface

The only secure way to manage your encryption keys is through the use of a key management system that is registered and accessed through the EKM Provider interface. Our Alliance Key Manager for SQL Server solution implements support for the EKM Provider interface and provides you with all of the software you need to protect SQL Server encryption keys.

Compliance Regulations

Many Microsoft customers are rushing to implement encryption in order to meet the new California Consumer Privacy Act (CCPA) requirements. Your only protection from class action lawsuits in the event of a breach is through encryption of sensitive data, and proper protection of encryption keys. Storing encryption keys on the same server as the protected data will NOT provide you with CCPA protections. See California law AB 1130 for more information about encryption key management and data breaches.

Cloud Considerations

It is very common to deploy SQL Server Standard Edition in a virtual machine on a cloud platform. You can easily do this on Microsoft Azure and Amazon Web Services (AWS). When you deploy SQL Server Standard Edition 2019 in the cloud you have full access to the encryption key management using the EKM Provider interface. Be aware that many cloud service provider database services (AWS RDS, Azure SQL, etc.) do not support the EKM Provider interface and limit your ability to deploy key management. If you are concerned about cloud independence be sure to avoid these types of Database-as-a-Service offerings. 

You can run Alliance Key Manager as a dedicated key management server for your SQL Server Standard Edition database applications in Azure and AWS. You will find Alliance Key Manager in the Azure and AWS Marketplaces. You can even run Alliance Key Manager in your own data center and protect SQL Server in the cloud. You are never locked into a cloud platform.

ISV Solutions with SQL Server Standard Edition

Many software solutions are built on SQL Server Standard Edition. SQL Server is an affordable relational database and you will find it in both cloud-based SaaS solutions as well as on-premise solutions for the Enterprise. For our ISV partners we make it easy to embed our Alliance Key Manager solution into your software offering to achieve better security and compliance. If you are an end customer running an ISV application and you need encryption, talk to us about an introduction to your vendor. We will make it easy for your software vendor to upgrade and support encryption.

Alliance Key Manager for SQL Server

For more than a decade we have been helping Microsoft SQL Server customers achieve the best security for their database and applications. We now fully embrace encryption and key management for SQL Server Standard Edition. As an end user or an ISV partner, there is an affordable and easy-to-use solution waiting for you. You can learn more here.

SQL Server Standard Edition & TDE

Topics: SQL Server, Transparent Data Encryption (TDE), SQL Server encryption

Do You Have Encryption Key Management Server (KMS) Sticker Shock?

Posted by Patrick Townsend on Mar 10, 2020 9:11:45 AM

In any industry you will probably find a number of really responsible vendors, and of course, you will find the outliers and the outlaws. It is true in the security vendor community, too. There are a core group of responsible vendors, there are those that exaggerate the capabilities of their products, and there are those who just charge as much as they can get away with. I guess that is just human nature.

Download Alliance Key ManagerWhen I set out 15 years ago to bring encryption and key management solutions to market, I knew that the existing Key Management Server (KMS) products were highly priced and out of reach for most companies and organizations. A KMS vendor once told me that they did not want to work with any customer who did not want to spend at least $10 Million or more on their solution! I wanted to create a KMS solution that would be in reach for the average business, non-profit, and local government agency. Everyone deserves to deploy a really good security solution to protect their employees and their customers. We’ve now passed the 10-year anniversary of the first release of our Alliance Key Manager solution, and I am proud of the price disruption we created in every part of the KMS market – on-premise HSMs, VMware software appliances, and in the cloud (AWS, Azure).

I had a real shock this last week. Maybe things have not changed as much as I thought.

A prospective customer sent me a price quote from one of the mainstream KMS vendors. Their company wanted to purchase two key manager HSMs to protect 12 SQL Server databases. Look at how this was priced (numbers rounded):

Two key management HSMs:                                 $ 90,000

Annual software support for the HSMs:                  $ 16,000

 

12 Endpoint licenses for SQL Server                       $ 73,000

Annual software support for the endpoints:           $ 15,000

                                                                                 ========

Total:                                                                       $ 194,000

Unbelievable !!!

This company was going to pay $106,000 for two key managers, and THEN pay for each database that had to be encrypted. There is no reason on Planet Earth why this customer should have to pay so much to protect a small number of databases. I feel sorry for them if they have other databases they need to protect as they will have to pay for each of those, too. It is not hard to see how this cost would rapidly escalate as the company worked to protect more data - and it is clear that the average small business or organization could never afford this solution.

Let me show you how we would price our solution for the same requirement:

Two key management HSMs:                                 $ 30,000

Annual software support and maintenance:         $ 6,000

 

12 Endpoint licenses for SQL Server                     $ 0

Annual software support and maintenance:         $ 0

                                                                                 ========

Total:                                                                        $ 36,000

That’s right. For the same solution we would save this customer $158,000 out of the starting gate. Further, we would save them even more as they deployed encryption over additional databases - and the software maintenance costs would escalate, too.  How can we save you this much? Easy, we ask a fair price for our key management solution, and we don’t charge you at all for each database or application. If you purchase a key manager, we want you to use it for every security project you have. You don’t need to keep dredging up money each time you want to use the key management solution. With our pricing policy, it would be easy to envision saving this customer several MILLION dollars in KMS costs over a period of a few years!!!

Can you think of something you could spend that money on? Raises, new hires, new technology, business investment, and so much more. I am sure you can think of something useful to do with those funds. This kind of cost can drag a company down and reduce its competitiveness. This is outrageous.

You are not trapped and you have choices. Just talk to us.

In addition to being affordable, we make it easy to evaluate our Alliance Key Manager solution. You can now download it from our website, get access to documentation and quick start guides, and get access to full technical support.

You have options, just talk to us.

Patrick

Download Alliance Key Manager

Topics: Alliance Key Manager, Encryption Key Management

Microsoft SQL Server with Security Enclaves and Always Encrypted

Posted by Patrick Townsend on Mar 4, 2020 7:27:19 AM

Microsoft introduced Always Encrypted in SQL Server 2016 as a way to protect data in SQL Server databases. Always Encrypted runs on a client side system and encrypts data before it is stored in the SQL Server database. This provided some new protection for sensitive data stored in SQL Server - at least the server administrator and the DBA would not have access to the sensitive data. Or, that was the idea.

Encryption & Key Management for SQL Server - Definitive GuideAlways Encrypted suffered from severe limitations and did not achieve wide acceptance and deployment. The types of SQL queries and operations you could perform were minimal. You could not do basic SQL query operations that most businesses rely on. So Always Encrypted has not been deployed much.

Microsoft is attempting to address these limitations in a facility called Secure Enclaves. Secure Enclaves is a special operating environment that runs on SQL Server itself. You can think of it as a special virtual environment that can’t be accessed by a server administrator or DBA, but which can decrypt sensitive data from the database and perform those more complex SQL operations. SQL Server runs in one environment, and Secure Enclaves is a separate, more secure environment on the same server that runs those SQL requests against decrypted data. 

Processing data in a Secure Enclave means that the encrypted data has to be decrypted. How does that happen if the encryption key is on the client-side system and not on the SQL Server system? There are now special drivers on the client-side system that will send the encryption key to the Secure Enclave when needed. 

So, is this more secure? That is a hard question to answer. Here are some things to think about:

  • Protected execution environments, like Secure Enclaves, have their own security concerns. The operating system hypervisors that manage these secure environments bring their own attack surface. Adding new attack surfaces brings more risk.
  • The client-side implementation of Always Encrypted also adds an attack surface. Again, the more places that are potentially open to an attacker the more risk you bear.
  • In many cases, client-side systems are not as well protected as core SQL Server systems. Think of a user PC in your organization, or think of a remote office server. User and remote systems are notoriously hard to protect well. 
  • Encryption key management is the linchpin of your encryption strategy. Unfortunately, Always Encrypted has limited options for deploying industry standard key management. Always Encrypted supports storing encryption keys in the Windows Certificate Store and in Azure Key Vault. It does not support the industry standard Key Management Interoperability Protocol (KMIP). This means you are very limited in terms of your key management options. 
  • Using the Windows Certificate Store to protect your Always Encrypted encryption keys may not be compatible with the California Consumer Privacy Act (CCPA) -and using Azure Key Vault may violate PCI Data Security Standards (PCI DSS) cloud guidance. 
  • A core aspect of your encryption key management strategy is monitoring who has access to encryption key credentials, and reporting on access failures. When the encryption is performed on the client system by Always Encrypted, you may have limited ability to monitor activity and detect unauthorized access attempts. That further complicates your security posture.

My thoughts:

One of the primary goals of Always Encrypted and Secure Enclaves is to protect sensitive data by implementing Separation of Duties. That is, ensuring that system administrators and DBAs do not have access to both protected data and the encryption keys. This is a core security principle when protecting data-at-rest. 

You can achieve Separation of Duties by using a proper key management solution like our Alliance Key Manager. By assigning key management duties to a security professional, and isolating key management responsibilities from DBAs, you achieve the heart of the Separation of Duties goal. I believe that when properly implemented, a SQL Server Transparent Data Encryption (TDE) implementation with good key management gives you a very strong security posture without the risks involved with Always Secure and Secure Enclaves. Of course, you have to do a lot of other things to secure your Windows server and SQL Server. Proper encryption and key management is only one part of your overall security strategy.

Microsoft is doing a lot of things right in the area of data protection. The recent implementation of encryption for SQL Server Standard Edition 2019 is exactly the right thing to do. It puts encryption and key management in the hands of a lot of SQL Server users who have not had access to this technology. I hope that Microsoft will eventually embrace open standards for encryption key management in Azure and in other Microsoft products. This will be a great step forward for Microsoft customers.

Patrick

Encryption

Topics: SQL Server, Security Enclaves

Microsoft SQL Server Encryption in AWS - Without Cloud Lock-In

Posted by Patrick Townsend on Feb 28, 2020 10:00:14 AM

Interest in Microsoft SQL Server database encryption is booming! What is driving the sudden rush to encrypt sensitive data? Certainly the new California Consumer Privacy Act (CCPA) is a part of this. Just a few days after the CCPA became law the first class action lawsuit was filed. No business wants to deal with a class action lawsuit, and encryption is the only safe harbor from class action lawsuits.

Encryption & Key Management for SQL Server - Definitive GuideWe have to give some credit to Microsoft, too. In the past, database encryption was only available in the Enterprise editions of SQL Server. Upgrading from SQL Server Standard, Express and Web editions was an expensive proposition. Then (... SURPRISE! ...) in November 2019 Microsoft announced that SQL Server Standard Edition 2019 would also support encryption in the same way that the Enterprise edition does. It was a great Holiday gift to the many thousands of SQL Server users and ISVs who need to meet compliance regulations.

And the continued publicity about data breaches, ransomware, state actors, and new zero-day exploits continued to elevate everyone’s awareness of the threats to their sensitive data. So encryption is suddenly hot.

Let’s take a look at using SQL Server encryption in Amazon Web Services (AWS). 

Encryption Key Management

If you’ve been following this blog series you know how important key management is to an encryption strategy. That is even more true in the AWS environment. While Amazon makes available a proprietary key service, it can’t be used with databases like SQL Server that implement vendor or open standards. And AWS KMS is a shared encryption key service - both you and Amazon have access to your keys. So, before you start your SQL Server encryption project, be sure to get your key management strategy right.

Local Master Key Storage

When you implement encryption with SQL Server you have a choice about where you store the master keys. You can store them next to the SQL Server database (bad), or you can store the keys in an external key management system using the SQL Server Extensible Key Management (EKM) interface (better). Using an external key management system through the EKM interface is the only way to protect your data under CCPA, and it’s a best security practice. That is what we will focus on for the rest of this blog. 

SQL Server and Extensible Key Management (EKM) Provider

Starting in SQL Server 2008 Enterprise, Microsoft implemented database encryption and added the EKM Provider interface for encryption key management. This interface pre-dated the modern KMIP interface, but provides a similar architecture for integrating encryption key management for SQL Server. The EKM Provider architecture has been a part of SQL Server Enterprise since that release more than a decade ago. Our customers have performed many upgrades to SQL Server and the EKM interface has been stable and reliable. 

The EKM Provider architecture is essentially a set of rules for implementing a plug-in module for SQL Server to integrate with a key manager such as our Alliance Key Manager for SQL Server. You code a Windows DLL to the specification, register it to SQL Server, run an activation command in the SQL Server console, and you have encrypted your SQL Server database! It is fast, easy and straightforward.

Key Management in the Cloud

Now you need a key manager that implements the EKM Provider interface, and you need a place to deploy that key manager. Our customers usually deploy Alliance Key Manager directly from the EC2 console and the AWS Marketplace when they want a dedicated key manager that runs within AWS. Alliance Key Manager runs in an EC2 instance, is dedicated to you (not shared with Amazon or us), and provides the EKM Provider software at no additional charge. You just: 

  • Launch Alliance Key Manager
  • Answer a few configuration questions
  • Download the certificates that SQL Server needs
  • Configure the EKM Provider
  • And activate it

In a short period of time you can fully protect SQL Server with strong encryption and proper key management.

Key Management Outside of the Cloud

Some Microsoft SQL Server users want full control of their encryption keys outside of the AWS cloud. This is incredibly easy! You can deploy Alliance Key Manager as a VMware instance in your on-premise data center, then configure the SQL Server EKM Provider to connect to the on-premise key server. The EKM Provider interface is exactly the same in all Alliance Key Manager platforms. You will need to set network permissions in AWS, and allow a connection to the on-premise key server, but that’s it. You can get key management outside the AWS cloud very easily. Additionally, if you initially deploy in the cloud and want to migrate to your own data center, that is also fast and easy.

Key Management Across AWS Regions

Many AWS customers deploy their applications in different AWS regions in order to achieve a higher level of resilience and reliability for failover. Alliance Key Manager can fully support this approach. You can deploy the production key manager in the same region as your AWS application, and deploy the failover key manager in the remote AWS region where your failover runs. Once configured, they will automatically synchronize the keys and access policy, and will give you an optimal, real time failover across the AWS region boundary. 

Business Continuity and High Availability

The key manager you deploy with SQL Server has to match the high availability strategy you use with SQL Server and your applications. This means the key manager has to fail over in real time. Alliance Key Manager mirrors keys in real time in an active-active configuration. If your database and applications are designed for continuous operation, Alliance Key Manager will give you the immediate failover support you need - and that can be cross-region, outside the cloud, and even across cloud service providers.

Unlimited Databases

Most of our Microsoft SQL Server customers run multiple applications and databases. Alliance Key Manager does not restrict the number of SQL Server databases that you connect to it, and there are no client-side licenses per database. You can encrypt your first database with Alliance Key Manager, and then add any number of additional databases at no charge. Alliance Key Manager does not count or limit the number of databases you protect. You can even protect other databases like MongoDB and MySQL using the same key manager. This is the way enterprise key management should work!

Cloud Independence - It’s real

Amazon Web Services provides a great number of cloud services for applications and storage. Unfortunately, most of the AWS services implement a proprietary interface. The result is cloud lock-in restricting your ability to easily move to other cloud platforms. A business opportunity, merger, acquisition and other events can be painful when you have cloud lock-in. Alliance Key Manager runs in a number of cloud and virtualized environments and will help you avoid cloud lock-in. Cloud independence is real.

Evaluations and Proof-of-Concept

At Townsend Security we know that key management is a part of your critical infrastructure. We make evaluations and Proof-of-Concept projects extremely easy. You can launch Alliance Key Manager for AWS directly from the AWS Marketplace, get access to Quick Start guides for SQL Server, and be up and running quickly. Alliance Key Manager will automatically license for a free 30-day evaluation period, and you will have access to our technical support group for assistance.

HINT: When you launch Alliance Key Manager from the AWS Marketplace, be sure to register with us. Amazon does not share your company information with us, so we won’t be able to help unless you register. Here is the link to register.

True Enterprise Key Management for SQL Server, dedicated to you, is a couple of clicks away right from the AWS Marketplace

Patrick

Encryption Key Management for AWS

Topics: Amazon Web Services (AWS), SQL Server

California Consumer Privacy Act (CCPA) and Lawsuits

Posted by Patrick Townsend on Feb 10, 2020 10:39:44 AM

Well, that did not take long.

34 days after the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, a lawsuit was filed against retailer Hanna Andersson and cloud service provider Salesforce for a data breach where sensitive information was not properly protected. Information about approximately 10,000 California customers were exposed on the dark web. The information apparently included customer names, addresses, credit card numbers, CVV codes, and card expiration dates. Everything a cybercriminal needs to execute financial fraud. What a haul!

Encryption and Key Management for VMware - Definitive GuideThe fine under the CCPA can be up to $750 per record, making the liability cost in this case about $7.5 million - and that is only a part of the picture. Litigation costs will be large and there may be fines from the California Department of Justice and from other governmental entities. Hanna Andersson is a relatively small retailer with approximately 60 stores, 400 employees and annual revenue around $140M. Losses of this size are painful.

Here is a good article about the data breach, and it has a link to the actual lawsuit:

CCPA Cited in Hanna Andersson/Salesforce Breach Lawsuit 

Let me share a few thoughts with you.

First, let’s not forget that the villains in this case are the cybercriminals who perpetrated this crime against Hanna Andersson and Salesforce, and ultimately against the individuals who will experience identity theft and financial fraud. Could Hanna Andersson and Salesforce have done more to prevent this data breach? Certainly yes. But in the early years of my IT career I worked for companies like Hanna Andersson. I worked with wonderful, amazing, dedicated IT professionals and my sympathies are with them, too. Salesforce has been a moral leader in an industry that has seemed at times to lack a moral compass and I admire the values that Marc Benioff and his company have promoted over these last few years.

But this lawsuit is a harbinger of things to come. Ignoring the new landscape of regulatory compliance is dangerous.

Here are some takeaways that I hope will be helpful:

  • We are all moving our IT infrastructure to the cloud. The financial and operational benefits are overwhelming and this migration to the cloud will not change. However, we have not properly accepted responsibility for the security of our applications and data in the cloud. Our cloud service provider, whomever it is, will not protect us. Own and embrace your security posture now, no one else will do it for you.
  • The California Consumer Privacy Act puts the onus on businesses to protect consumer sensitive data. This may not be fair, but it is now a fact of life and other states will certainly follow California’s lead. The CCPA mandates that businesses protect consumer information with encryption if they want to avoid these types of lawsuits. That’s where we are, and that is what you need to do.
  • We have fully arrived in the land of Zero Trust. All of your systems in the cloud and on-premise are at risk. If you haven’t done an inventory of your systems with sensitive data, this is the first thing to do. Knowing where sensitive data resides provides you with a map to address adding the protections that are needed.
  • Prioritize the systems based on risk. Which systems have the most sensitive data? Which are more exposed to a data breach? Which databases will be the easiest to mitigate? The prioritized list does not have to be perfect, but you need one as soon as possible.
  • Get started with your encryption projects. Some databases make this easy to do. If you have Microsoft SQL Server, MongoDB, or MySQL, you have a clear and fast path to add encryption through native database support. If you have databases or storage that do not support native encryption, consider migrating them to VMware vSAN encrypted storage for these applications. 
  • On your way to encrypting your sensitive data, don’t forget about encryption key management. One of the changes that came with CCPA is the requirement to store encryption keys away from the sensitive data. Most databases give you the option of storing the encryption key on the same server as the data. Don’t do this, you will lose all of the protections you need under CCPA.

Here at Townsend Security we help organizations large and small achieve the highest level of data protection. It won’t cost you an arm and a leg, either. The days of overpriced encryption and key management solutions are over. Talk to us about our Alliance Key Manager solution for protecting your data.

Patrick

New call-to-action

Topics: CCPA

AWS and Key Management and Pricing

Posted by Patrick Townsend on Feb 4, 2020 8:42:06 AM

Ahhhh, Amazon Web Services (AWS) are so delightfully inexpensive, aren’t they? The AWS Key Management Service (KMS) is one of those really inexpensive services that many of us love to use. For many AWS customers AWS KMS isn’t even noticeable on your bill.

Or, is it?

New call-to-actionAs we start to deploy data in the cloud we start to use more encryption keys. The first project might use one or two keys, and that cost is not even noticeable. What happens as you start to deploy more and more projects to the AWS cloud? Or, you adopt a strategy of assigning each user in your database their own key (a great strategy to deal with GDPR and CCPA)? The number of keys can start to go up quickly, and your AWS KMS cost goes up with them.

Here is something that happened to one of our customers who had a growing need for keys:

They decided to use a separate encryption key for each of their customers. The idea was to encrypt with an encryption key unique to each customer. When they needed to delete the customer data they only needed to delete the encryption key for that customer. With lots of customers they soon had thousands of encryption keys. And they were shocked when a really large Amazon bill came due for those keys. AWS charges $1.00 for each key and it adds up really fast. So some caution is in order.

Is there any way to avoid the high cost of AWS KMS for multiple keys?

Yes there is. Our Alliance Key Manager in AWS solution can be deployed right in the AWS cloud at a low monthly cost, with no charge per encryption key. Whether you need 10 encryption keys, or 100,000 encryption keys, the cost is the same. And we don’t count the number of endpoints, either. So, the cost remains the same even as you increase your data protection.

Besides a lower cost for key management, there are other benefits to deploying our key manager in AWS:

  • You have exclusive access to the key manager – unlike AWS KMS, it isn’t shared with Amazon (or us).
  • You can deploy redundant key managers (product and high availability) across different AWS geographic regions.
  • You can mirror your encryption keys from AWS to an on-premise key manager.
  • You can deploy replicating key managers across multiple clouds.
  • You have full support for encryption of databases like SQL Server, MySQL, MongoDB, and others.

When you need a lot of encryption keys in AWS, our Alliance Key Manager is a winner. We don’t charge per key, you have flexible options to deploy key management in the cloud and on premises, you will save a lot of money over AWS KMS, and you will have a dedicated Enterprise key management solution that you don’t share with anyone. You will be deploying a true cloud neutral key management solution.

Talk to us to find out more details about the benefits of deploying Alliance Key Manager for AWS for your organization.

Patrick

Encryption Key Management for AWS

Topics: Amazon Web Services (AWS)

Blog-CTA-VMware-CSP
 
The Definitive Guide to AWS Encryption Key Management
 
Definitive Guide to VMware Encryption & Key Management
 

 
 

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all