+1.800.357.1019

+1.800.357.1019

Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

Patrick Townsend

Recent Posts

IT's OFFICIAL - ENCRYPTION FOR RANSOMWARE PROTECTION

Posted by Patrick Townsend on Jun 15, 2021 3:22:26 PM

If you’ve been following this blog recently you know that I’ve been advocating for the use of encryption to help prevent ransomware attacks. Ransomware attackers have been adapting to the new reality that a lot of companies have deployed good backup strategies to recover their files. Without that leverage the attackers can’t extort payments for recovery of your systems.

So, what are they doing now? They are exfiltrating your sensitive data and using that as additional leverage. 

Encryption Strategies for VMware EnvironmentsOh, you have backups and you don’t want to pay? OK, we took your sensitive data and we are going to publish it. Do you have secret intellectual property or business plans? Do you have sensitive medical information on your patients? Do you have sensitive information about children in your care? 

Under this kind of pressure many ransomware victims decide to pay the ransom. 

That’s why it is important to encrypt your data before a ransomware attack. If the attacker can’t read your data because it is encrypted they can’t threaten to release it.

It has been frustrating to me that most security recommendations on how to protect yourself from a ransomware attack omit the step of encrypting your data first.

But that has now changed! And it is long overdue.

Here is what President Biden’s new executive order recommends (emphasis added):

What we urge you to do now:

Implement the five best practices from the President’s Executive Order:President Biden’s Improving the Nation’s Cybersecurity Executive Order is being implemented with speed and urgency across the Federal Government. We’re leading by example because these five best practices are high impact: multifactor authentication (because passwords alone are routinely compromised), endpoint detection & response (to hunt for malicious activity on a network and block it), encryption (so if data is stolen, it is unusable) and a skilled, empowered security team (to patch rapidly, and share and incorporate threat information in your defenses). These practices will significantly reduce the risk of a successful cyberattack. 

And  more ...

And this:

For Federal Agencies:

Modernize and Implement Stronger Cybersecurity Standards in the Federal Government. The Executive Order helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period. Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.

Encryption is not the only thing you need to do, but it is a critical part of a ransomware protection strategy. It is heartening to see this being recognized.

There is some good news: Encryption is fast, easy and affordable. If you are a small or midsize organization you will be glad to know that there is an affordable solution for your encryption strategy. Encryption and encryption key management are no longer the headaches they once were. You or your IT Support organization can address your encryption needs in a rapid manner. 

If you are an IT Support Provider or Managed Service Provider trying to help your customers with security, you are going to love our MSP Partner program. Affordable key management for VMware and the cloud, usage-based billing, and no upfront fees. You will be profitable from the first customer. More information here: 

https://townsendsecurity.com/msp

Ransomware attacks can be devastating to an organization, but you have tools to protect yourself. Give us a call.

Patrick

References:

https://image.connect.hhs.gov/lib/fe3915707564047b761078/m/1/8eeab615-15a3-4bc8-8054-81bc23a181a4.pdf

https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/

Encryption & Key Management for VMware Cloud Providers

Topics: Alliance Key Manager, Encryption, Encryption Key Management, VMware, Ransomware, MSP

Colonial Pipeline, ransomware and encryption – what to do right now

Posted by Patrick Townsend on Jun 8, 2021 11:21:40 AM

The Colonial Pipeline ransomware attack and resulting crisis that affected millions of people was shocking because of its scale and impact. Shocking, but it was not surprising. We have been watching an increase in the number of ransomware attacks over the last few months. No organization, large or small, has been immune from the attacks. Hospitals, schools, local governments, national agencies – even police departments and courts – have suffered from debilitating ransomware infections. Colonial Pipeline was the first publicly known attack on critical energy infrastructure, but it won’t be the last.

Most modern ransomware attacks have two components:

  • Encryption of your systems to deny you operational access, and
  • Theft of unencrypted sensitive data.

The attackers encrypt your data with a secret key and then promise to restore it when you pay the ransom. This is the well-known part of a ransomware attack. You typically must pay the ransom to a secret Bitcoin account controlled by the attackers. After payment, if you are lucky, the attackers will give you the secret key to unlock your data.

Case Study: Concensus TechnologiesThere is another, less well-known aspect of ransomware attacks. And that is that the attackers often steal sensitive data before they encrypt it. Why do they do this? Well, if you are able to restore your systems without paying the ransom, they can then use the threat of releasing that data to extort the payment from you. And it is very effective. More on protecting yourself from this aspect of ransomware below.

There is good guidance from security groups and governmental agencies on how to protect yourself from a ransomware attack. Having good backups that are not connected to the network is an important part of that guidance. You should also deploy other security measures like active monitoring for anomalous behavior, appropriate segmentation of users, proper network controls, and so forth. And, never forget that training users in good security hygiene is absolutely essential.

I think a number of organizations have gotten reasonably good at this part of ransomware protection. There are still big gaps, of course. And smaller to midsize organizations are lagging in the deployment of these basic protections. But what to do is no longer the question. Getting it done and doing it right is the challenge.

But what about the second part of the ransomware attack? What happens when the attackers steal your unencrypted sensitive data?

We have to give credit where it is due. Cybercriminals who deploy ransomware are very good at what they do. They’ve learned to adapt to a changing landscape. As you got better at doing backups and recovering your data in a timely fashion, they added another technique to extort a payment – They are taking your very sensitive data. If you refuse to pay the ransom they threaten to release the data. To prove their point they will often release a very small amount of your data.

Imagine your shock when you see highly sensitive medical information showing up on the attacker websites. Or sensitive information about students, or sensitive court records. Suddenly the urgency is much greater, and many pay the ransom when this happens.

Having a good backup is not going to help you now. So, what can you do? It is time to add another tool to your defenses – encryption of your own sensitive data.

You should encrypt your sensitive data to deprive the attackers of access to it. If the attacker steals your data in an encrypted state, it is not usable. Encryption is the security control that you need to add to your ransomware strategy. I know, you’ve been putting implementing this important security control. But the stakes are higher now. If Sony or Equifax had encrypted their data, we would not still be talking about the massive loss of data and the disruption they experienced.

Here are some basics to keep in mind as you deploy encryption:

  • Create a map of your sensitive data, and a plan. You should encrypt the most sensitive data first.
  • Encryption key management is critical to your security. Use a professional key management system to store keys away from the data. Never store encryption keys on the same server that hosts the data.
  • Restrict access to the databases with sensitive data. Only those people in your organization who have a need to access sensitive data should be able to do so. Your DBA will know how to do this.
  • Monitor user access to your sensitive data and take immediate action for unautorized access. Use a professional SIEM solution to do this.
  • Monitor access to your encryption key management solution. Your KMS is a critical part of your encryption strategy.
  • Take advantage of database and storage vendor support for encryption and key management. Using VMware for your infrastructure? Implement encryption of VMs and vSAN. Using Microsoft SQL Server? Implement Transparent Data Encryption with an external KMS for the keys. It is fast and easy, and supported by the database vendor.

There are a lot of reasons why organizations are lagging in terms of encrypting their sensitive data. Fears about performance, fears about lost encryption keys, fears about the cost of key management systems, and so forth. All of these challenges have been overcome in recent years. Put your fears aside and protect your data.

Here is a hint:

Don’t let the PERFECT be the enemy of the GOOD. For example, you don’t have to encrypt everything at one time. Tackle the most sensitive data first, and tackle the easy projects first in order to build experience. Then tackle the remaining projects as quickly as you can. Also, don’t be afraid to deploy key management solutions from different vendors. KMS systems are so easy to manage now that having more than one system rarely increases administrative costs. Find the best, most cost effective KMS solution for your database and use it!

Encryption is your friend when you control it. It can provide protection from cybercriminals who attempt to steal your data in order to extort a payment. You can get encryption done quickly and at a reasonable cost. You don’t have to pay exorbitant licensing fees for a good key management system. If you have cost concerns, give us a call.

If you are a managed service provider trying to help protect your customers, you might like to know about our MSP Partner program. Give us a shout to learn more.

Patrick

Download Alliance Key Manager

Topics: Encryption, Key Management, Defense-in-Depth, Security News, Ransomware

MSPs and Encryption - How to Talk to Your Customers

Posted by Patrick Townsend on May 6, 2021 9:36:39 AM

Managed Service Providers have a real challenge when they try to talk to their customers about the benefits of encrypting their sensitive data. If your experience is like mine, pretty soon their eyes glaze over and they are wanting to change the subject. I get that - encryption is a subject that only nerds can love. But we also know how important encryption is. So how do we convey that?

VMware Cloud Providers & MSPs - Win New BusinessOne of our MSP partners shared this bit of wisdom:

“Ask them if they carry cyber insurance”.

“Why?” I asked, more than a little confused about how this related to encryption.

“Have you read your policy?” she asked. “Take a look at the section on encryption.” And then she shared a short form application for cyber insurance from a large carrier.

Wow! I’ve had my head in the technical weeds of encryption and compliance for too long. Here is an extract from a short form insurance application:

Indicate whether the Applicant encrypts private or sensitive data:

  1. While at rest in the Applicant’s database or on the Applicant’s network __Yes __No
  2. While in transit in electronic form __Yes __No
  3. While on mobile devices __Yes __No
  4. While on employee owned devices __Yes __No
  5. While in the care, custody, and control of a third party service provider __Yes __No

I am guessing that many organizations just answer “Yes” to all of these questions without thinking about it. As my MSP partner pointed out, if you respond incorrectly on an insurance application you negate any benefits you might receive. Are they covered in the event of a data breach or ransomware attack? Maybe not. That can be a shocker to the end customer.

Rather than talk about encryption in an abstract way, this MSP talks about their cyber insurance policy and what they need to do to ensure coverage. She said that this is the most effective method she has ever used to get agreement from a customer to implement encryption of their data at rest. She’s never had someone decline to implement this important security control once they realize what is at stake.

My takeaway is this:  not everyone is as excited or interested in encryption as I am. But everyone knows how important it is to have insurance coverage. MSPs know that encryption is a core part of a defense against cyber attacks including ransomware. Modern ransomware attacks include encrypting your data to deny you access, as well as stealing your data and holding you hostage with the threat of making it public. You might have a good backup plan to recover your data, but you can’t defend yourself from the threat of public release if the hacker has your unencrypted data. If the attacker can’t read your data because you encrypted it, they can’t release it to the public.

I hope this practical example helps you talk with your customers about the importance of encryption.

How are we at Townsend Security helping MSPs get the job done?

Our MSP partner program helps MSPs protect VMware infrastructure by providing our key management solution, Alliance Key Manager, on a low cost, monthly usage basis. You can encrypt VMs, vSAN and deploy vTPM easily. Imagine offering encryption to your end customers and not incurring any upfront costs or annual minimum payments for the KMS. Imagine turning encryption into a profit center for your benefit and for your customer’s benefit. Imagine offering encryption to even your smallest customers and knowing that they can afford it!  And, imagine doing this for your hosting platform, for the cloud, and for your customer’s on-premise infrastructure.

Imagine the relief of your customers after a data breach when they learn that cyber criminals did not steal unencrypted data!

Our MSP partners are doing this every day.

If you are a Managed Service Provider and want to know more about our partner program, you can learn more here.

If you are an MSP I hope you will take advantage of our MSP partner program. Talk to us to find out more.

Patrick

Encryption Key Management for VMware Cloud Providers

Topics: Data Security, Encryption, MSP

Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program [Part 8 of 8]

Posted by Patrick Townsend on Nov 11, 2020 11:25:00 AM

Can I also resell Alliance Key Manager?

VMware Cloud Providers & MSPs - Win New BusinessYes, you can operate as an MSP and also as a reseller partner for those customers who are not using your MSP services. Reselling Alliance Key Manager is governed by a different agreement. Contact us if you have a resale opportunity.

I need to have our legal team review your MSP agreements. How is this done?

Just contact us. We will send you a copy of the MSP license agreement for legal review. 

We would like to use a copy of the key manager for training and customer demos. How is this done?

We will gladly support your internal training and demo needs. We do this through special Not For Resale (NFR) licenses. All MSP and Reseller partners qualify for NFR licenses for our key manager. There is no charge for NFR licenses.

How do you handle special bids?

While we believe that the MSP program provides you with a lot of flexibility, we understand that special bids are sometimes needed. Contact us to discuss the special bid requirements. We work with our partners around special bids on a frequent basis.

Are volume discounts available?

Yes, if you have a very large number of VMs to encrypt and would like to pay in advance for those we have a discount program available. 

How can I get started?

This web page has information about our MSP partner program and a form to get started. Complete the form and we will get in touch with you:

https://townsendsecurity.com/msp

You can also contact us by email and phone:

Email: sales@townsendsecurity.com
Phone: (360) 359-4400
International: +1 360 359 4400

 

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

 

Encryption Key Management for VMware Cloud Providers

Topics: VMware, MSP

How Can an MSP Use Encryption Security to Improve Revenues and Profitability? [Part 7 of 8]

Posted by Patrick Townsend on Nov 9, 2020 11:19:00 AM

Almost everyone considers encryption a sunk cost. You almost never see any type of Return On Investment (ROI) calculation when it comes to Key Management Server (KMS) systems. Acquiring a KMS system usually falls into the Capital Expense financial category when it comes to budgeting.

Let me change your thinking about KMS systems!

VMware Cloud Providers & MSPs: Winning New Business with Encryption and Key Management WebinarHere is a simple financial calculation based on a fictional MSP business. Let’s assume that as an MSP you charge your end customer $50 per month per managed VM. If you are managing 50 VMs for your customer your gross revenue for that customer is $2,500 per month.

However, you have costs, too. Hardware, VMware licenses, IT experts, administrative costs, etc. Let’s just guess that this might add up to $1,250 per month, or half of the gross revenue. Your margin after direct costs might be $1,250. 

This example is probably extremely generous in terms of your gross margin. I suspect that your costs are probably higher and margins much lower. But let’s run with this example where gross margins are 50% of revenue.

Imagine that you become a Townsend Security MSP Partner and pay $5 per month per encrypted VM on a usage basis. You charge your customer $8 per month per encrypted VM netting $3 per month gross revenue per encrypted VM. The direct costs are very minimal. Your hardware and infrastructure costs are minimal. There are no minimum KMS license fees. There are no extra charges as you expand your use of the KMS. And very minimal IT Expert costs due to the encryption and KMS automation provided by VMware.

You probably just gained an additional $150 in gross margin from this customer. 

That represents a whopping 12% increase in overall gross margin! It is not often that adding one simple service to your business offering can net that much gross margin gain.

This is, of course, a very simplified example. However, I believe that many of our MSP partners are recognizing larger gains as they add VMware encryption to their set of offerings. One MSP partner told me that it is a “no-brainer” for the customer to sign up for the small additional cost per VM for encryption due to its low cost. You can have that experience, too.

 

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

 

Delivering Secure VMware Hosting with Encryption and Key Management

Topics: VMware, MSP

As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs? [Part 6 of 8]

Posted by Patrick Townsend on Nov 4, 2020 11:12:00 AM

Business continuity and resilience is at the heart of the value proposition MSPs provide to their customers. That means that the key management server (KMS) system at the center of VMware encryption must be able to provide real time recovery along with your service strategy. There are several components to a good high availability (HA) strategy, and these vary from one KMS solution to another. Here is how our Alliance Key Manager integrates with VMware to achieve high availability:

KMS Real Time Mirroring

Encryption & Key Management for VMware Cloud ProvidersAlliance Key Manager implements real-time, active-active key mirroring between a production and one or more high availability key servers. When VMware creates a new key on the KMS for an encrypted VM, that key is immediately mirrored by Alliance Key Manager to a high availability key server. Mirroring is done in real time so that you always have a KMS ready to take over. All transmission of encryption keys is performed over a TLS encrypted connection with mutual authentication, and you have the option to deploy a failover key server in a different vCenter environment.

vSphere KMS Cluster Configuration and Automatic KMS Failover

The purpose of the vSphere module called KMS Cluster is to define your key managers to VMware and to establish trust between vSphere and the key server. A KMS cluster is a list of key servers along with connection and credential information. Normally you would define two key servers in a KMS Cluster – one key server for production use and one key server for failover use. By default, the first entry in the KMS Cluster is the production key server, and failover key servers follow in the order that vSphere will use them. vSphere automatically connects to a failover key server in the event it cannot communicate with the production key server.

You are not limited to one KMS Cluster configuration. If you want to deploy a dedicated key manager for a particular customer you can create a new KMS Cluster configuration and define the dedicated key servers in this new configuration.

KMS Backup, Scheduled and On Demand

It is always a good idea to have a backup of your critical applications. Alliance Key Manager lets you define a schedule for automatic, secure backups. The backup server, usually a Linux instance running sFTP, can be located offsite.

Of course, you can always perform a manual backup on demand. This manual backup can go to a local directory on the key server and be downloaded by the administrator for secure offsite storage.

MSP Backup

Most MSPs offer a backup service to their end customers. Since Alliance Key Manager is a normal VMware virtual machine you can use your current backup strategy to back up the key server, too.

Disaster Recovery as a Service (DRaaS)

If you offer your customers a DRaaS service you can also offer them key management through the Townsend Security MSP partner program. You can deploy a key manager on the customer’s premises and mirror keys to your DRaaS service at your hosting site. 

VMware Monitoring

Lastly, we can’t forget that VMware offers a rich set of tools to monitor the health of VMs. You can use those tools to monitor the health of Alliance Key Manager, too. Your MSP license agreement allows you to install VMware Tools on the key manager server. 

In summary there are a number of layers of high availability built into the deployment of Alliance Key Manager. This will give you and your end customer a high level of confidence in the resilience of your encryption offering.

 

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

 

Encryption & Key Management for VMware Cloud Providers

Topics: VMware, MSP

Key Management Server (KMS) for Multiple vCenter Clusters and Nodes [Part 5 of 8]

Posted by Patrick Townsend on Nov 2, 2020 11:04:00 AM

We often get questions from MSPs about deploying our Alliance Key Manager solution across multiple vCenter nodes. Here is some good news for our MSP partners:

Multiple MSP Hosting or Cloud Locations

VMware Cloud Providers & MSPs - Win New BusinessMany MSPs operate multiple regional hosting centers. Even small MSPs will typically have two locations in order to support high availability and backup. Each physical location will have one or more vCenter servers. Multiple vCenter clusters are not uncommon at a single data center location. Global MSPs often have to work within a country’s data sovereignty laws. This means a data center in each designated country. This increases the number of key management servers (KMSs) that must be deployed.

Production and High availability Key Servers

Under the Townsend Security MSP partner program, there are no licensing restrictions and you can run as many KMS servers as you wish. This typically means running two key servers in each vCenter environment – one for production and one for high availability (HA) failover. Since the MSP partner program involves a usage based cost model, you can deploy as many KMS servers as you need. You only pay for the encrypted VMs and vSAN directories regardless of physical location and number of key servers.

Customer Dedicated Key Servers

You may find the occasional customer who doesn’t want to share a key server with other customers. VMware makes this easy to accomplish. You can just create a new KMS Cluster definition and add the new production and failover key servers to this configuration. The start encryption of VMs and vSAN for that end customer using this new KMS Cluster configuration. Voila! Since there is no licensing cost for deploying key servers this is a cost effective way of meeting this customer requirement. You just report this customer’s encrypted VMs and vSAN directories during normal monthly reporting.

On-premise to Hosted or Cloud vCenter Nodes

If you are managing an end customer’s on-premise IT infrastructure, you can also deploy Alliance Key Manager on-premise and mirror to a hosted or cloud vCenter node. This is especially helpful to MSPs who are providing Disaster Recover as a Service (DRaas). The production environment can be in the end customer’s data center and you can mirror encryption keys to an Alliance Key Manager failover key server in your own environment. This helps achieve seamless failover for your customer.

Customer Dedicated vCenter Nodes

It is also not uncommon for an MSP to dedicate a vCenter server to a specific customer. That customer may have heightened security concerns, or may not want to share infrastructure with other customers. There may be corporate governance and security restrictions that require this. Again, MSPs only pay for the number of encrypted VMs and vSAN directories, regardless of the number of vCenter clusters and how they are used, and regardless of physical location.

In summary, we provide our MSP partners with all of the flexibility they need to support current customers and attract new customers. VMware encryption is a core security control that your customers demand, and you now have the tools to meet the need.

 

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

 

Encryption Key Management for VMware Cloud Providers

Topics: VMware, MSP

How Does Townsend Security Help an MSP Overcome the KMS Challenge? [Part 4 of 8]

Posted by Patrick Townsend on Oct 28, 2020 9:12:00 AM

In this blog series we’ve put the focus on the MSP’s challenges. Now let’s talk about how we at Townsend Security are helping meet those challenges.

Two years ago Townsend Security treated its MSP customers the way most legacy KMS vendors do. That is, we were a part of the problem. Thanks to the coaching and mentoring of some MSP leaders, we came to understand the need for a new approach, and we launched our MSP partner program. 

Key elements of our MSP partner program:

VMware Cloud Providers & MSPs - Win New BusinessMSPs need confidence in the key management solutions they deploy. Townsend Security has been providing their Alliance Key Manager solution for VMWare for more than 10 years. Alliance Key Manager is certified by VMware for every release of vSphere and vSAN that support encryption, it is FIPS 140-2 compliant, and it is validated to PCI-DSS compliance.

The Townsend Security MSP partner program provides their key management server (KMS) to the MSP with no upfront license fees and no annual minimums. In fact, there is no perpetual or subscription license agreement at all, just a simple end user license agreement tailored for the MSP. The MSP gets training from Townsend Security and deploys the KMS into production. The cost of the solution is based on a low monthly charge per encrypted VM and vSAN directory. Just pay for what you use and nothing else. You can scale up and down your use of the KMS as needed. 

How many KMS servers can you deploy? As many as you want. You can share a KMS server across multiple customers, or deploy a dedicated KMS for a customer. You can deploy the KMS in your hosted environment, in the cloud (AWS, Azure, Google, IBM, etc.), and on the customer’s premises. No license or cost per KMS server, no restriction on the number of keys, no restriction on the number of encrypted VMs

Each month you will report the number of encrypted VMs and encrypted vSAN directories you are managing. Payment is also simple and is made electronically through ACH bank transfer, wire transfer, or credit card. 

Townsend security provides full 24/7 technical support for business interruption issues. There is no extra charge for software maintenance and support. 

It is not just all about technology. We also help you with marketing content, joint webinars, joint podcasts and security reviews. We understand that the typical MSP has a lot on their plate and does not need to spend time on deep security questions. We’ll help answer those tough customer questions about encryption and key management. 

We are committed to helping you be successful. We align with your business, service and revenue models. We will train your team. We will support your technical team. And we will help you with marketing support. Our goal is to lean in and help, and take risks with you. We want to be the KMS partner you’ve always wanted.

MSPs have told me that the current COVID crisis is impacting their business and revenue streams. They are losing some customers and revenue but are seeing increased demand from existing customers. Everyone seems to need more help from the experts. It’s a tough time for MSPs. Now is the time to migrate your existing KMS deployment to Alliance Key Manager and gain predictability and scalability in your KMS costs. It’s easy to do.

 

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

 

Encryption Key Management for VMware Cloud Providers

Topics: VMware, MSP

What are the Biggest Obstacles to Offering VMware Encryption to Customers? [Part 3 of 8]

Posted by Patrick Townsend on Oct 26, 2020 12:55:00 PM

MSPs fine tune their services to satisfy customers. You are the experts in configuring, deploying, monitoring and protecting the customer’s sensitive applications and digital assets. The services you offer are crucial to organizations large and small.

So why don’t MSPs lead by offering VMware encryption?

It often boils down to the Key Management Server (KMS).

VMware Cloud Providers & MSPs - Win New BusinessKMS vendors by and large are stuck on old and costly licensing models. It is not uncommon to find legacy KMS vendors charging in excess of $200,000 for an initial deployment in an MSP’s infrastructure. On top of that there are often additional charges as you do more encryption, and annual maintenance and support fees. This represents a major upfront investment by the MSP with no guarantee of realizing a positive return on that investment. This KMS pricing and licensing model almost assuredly locks out a small to midsize MSP.

Then there is the complexity of most KMS systems. The MSP may have to invest a lot of time and resources in learning how to configure, deploy, and maintain the KMS. An MSP needs technology to be simple. Why? The complexity of end customer systems means that the average MSP has to know dozens or even hundreds of hardware and software application systems well. When you factor in PC, Server, Web, and Remote support, the MSP is responsible for a massive knowledge base and trained internal staff. A complex KMS system is just sand in the gears and another headache. It should be better, and it can be better. 

KMS deployments can also be complex and not match the MSP business model. It is not uncommon for MSPs to charge their end customers a monthly fee based on the number of VMs and vSAN directories under management. When a KMS system requires handholding for each end customer, and uses a legacy pricing model with annual minimum payments and commitments, it becomes a nightmare for the MSP to realize a gain on encryption.

For all of these reasons many MSPs avoid encryption. It is understandable. Here is what one MSP told me before they learned how we approach the KMS need:

“You said the magic words of MSP and Low cost, consumption based! We’ve struggled to find a KMS solution we can properly price and sell to our customers to do VM encryption. Solutions like XXXXXX are prohibitively expensive. Your low cost per encrypted VM per month is very reasonable. I’m glad those MSP’s helped you understand our market and that you were able to see the opportunity. You NEED to be marketing this. You’re solving a problem that MSP’s a) don’t think they can afford to fix, and b) are just ignoring the compliance of because it’s “too hard and too expensive.” I highly encourage you to get the word out through marketing to MSP’s. Thank you, Patrick. You made my day.”

Sound familiar?

In the next blog I will describe how we are solving the KMS headache for MSPs. Not only can we make life easier, encryption can be a profit center for you without tipping over your business or putting you at a competitive disadvantage.

 

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

 

Encryption Key Management for VMware Cloud Providers

Topics: VMware, MSP

What Has VMware Done to Help with Encryption Security? [Part 2 of 8]

Posted by Patrick Townsend on Oct 21, 2020 12:15:00 PM

VMware has been very sensitive to the security needs of its Enterprise customers. They know that VMware infrastructure and applications are critical to an organization’s overall security. Network segmentation, access controls, monitoring and many other VMware applications help the MSP protect their customer’s applications and data. When it comes to encryption of sensitive data, VMware has your back, too!

VMware Cloud Providers & MSPs - Win New BusinessEncryption of VMs was introduced with vSphere 6.5. With this version you could easily select VMs that you want to be encrypted, and quickly and easily start encryption. The MSP VMware administrator can easily see which VMs are encrypted and which were not. Of course, the architecture fit right into the normal VMware architecture. vCenter, vSphere, ESXi all come into play during the implementation and maintenance of the encrypted state of the VMs. A real bonus is that the performance of encrypted VMs is stellar. MSPs rarely need to add additional resources to implement encryption of VMs.

Encryption of vSAN was introduced in vSAN 6.6. The implementation of encryption support is quite different than encryption of VMs, but the encryption key management interface is exactly the same (more on that below). vSAN encryption has been a boon to MSPs. Typically the MSP has relied on storage hardware encryption which often is less expensive, but harder to manage. And encryption key management is generally weak in hardware solutions. Using vSAN lets the MSP integrate the rich set of VMware applications and security. With vSAN encryption you get a flexible place to store commercial and open source databases, big data repositories, and much more. All encrypted efficiently by VMware.

Some MSP customers want to implement TPM to protect their application OS images. Hardware based TPM has many disadvantages in a VMware environment. However, VMware now supports virtual TPM (vTPM) which is much more flexible and resilient in VMware infrastructure. And the good news is that vTPM handles key management in the same was as vSphere encryption of VMs and vSAN encryption of directories. A big plus!

With all of this great support for encryption, how do we properly manage encryption keys? This is a core requirement of compliance regulations and security best practices. VMware handles this well. The key management configuration is provided by the vSphere KMS Cluster configuration. With KMS Cluster configuration you can configure your key management interfaces one time and all of the VMware encryption applications use this definition. And more good news – the interface to key management systems is based on the open OASIS Key Management Interoperability Protocol (KMIP). This means that you have a lot of flexibility and choice in your acquisition and deployment of a KMS for your encryption deployment. (We will talk more about our Alliance Key Manager solution in a following blog).

Key management systems are inherently complex, and the KMIP protocol is also complex. As an MSP you don’t have to deal with this complexity, VMware handles all of the technical implementation. To help VMware customers and partners understand which KMS systems work well with VMware, they make available a certification program for KMS vendors. A KMS vendor who implements the KMIP standard (we are one) can certify their solution for use with VMware. This really sets VMware apart from many infrastructure platform providers. They have made the certification process easy for KMS vendors and publish the results. This means the MSP has an easy way to determine if a key management system is compatible and reliable.

All VMware releases that support encryption also support encryption key management in the same way. This consistency from one release to the next means no disruption to the MSP operating environment after an upgrade, and assurance of the MSP investment in internal training and KMS investments.

Version 7 of VMware now supports a new encryption security interface called Trusted Authority, or vTA. The previous encryption interfaces are still fully supported, but now you have a new option for encryption and key management. vTA offers slightly different architecture and a higher level of security that some organizations need.

All of these features that VMware has implemented make it easy for the MSP to provide encryption support to end customers. In the next blog we will talk about the challenges MSPs face and how to overcome them.

 

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

 

Encryption Key Management for VMware Cloud Providers

Topics: VMware, MSP

Blog-CTA-VMware-CSP
 
The Definitive Guide to AWS Encryption Key Management
 
Definitive Guide to VMware Encryption & Key Management
 

 
 

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all