Townsend Security Data Privacy Blog

December 17, 2021

The Log4Shell (Log4j) vulnerability represents a potentially severe security threat to all companies who deploy internal or third-party applications that use the Java Log4j logging facility. The relevant security notice is CVE-2021-44228. Our customers and partners have inquired if Alliance Key Manager is subject to this new vulnerability.

Link to the CVE:

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

After technical review and external application scanning (Nessus) we can report that Alliance Key Manager is not subject to this vulnerability. This applies to all platforms where Alliance Key Manager can be deployed including VMware, Microsoft Azure, Amazon AWS, and the Townsend Security HSM. The primary key management interface to Alliance Key Manager is a secure TLS interface that is implemented on the server side via ANSI C application code for both traditional and KMIP operations. All inputs are validated before processing. No use is made of Java for logging functions. The user, administrative, encryption and mirroring functions of key management interfaces are logged using native ANSI C functions. Some server management functions use logging via the Python language. 

Currently supported versions of Alliance Key Manager are 4.6 and newer including 5.x. If you are running an earlier version of Alliance Key Manager you are not subject to the Log4Shell vulnerability, but you should contact Townsend Security support to upgrade as soon as possible.

If customers and partners have any questions about this vulnerability then can contact Townsend Security through normal problem ticketing options. Others may send email to info@townsendsecurity.com.

Townsend Security

Whilst the pandemic has caused untold stress for many around the planet, some businesses and industries have thrived from people experiencing a more sedentary lifestyle. The boom in online shopping and particularly online gaming has been phenomenal. However, with that growth has also brought another concerning issue of its own.

With more people inputting their data across the web, and companies relying on modern technologies, it has given hackers more scope to aim their sights at unsuspecting victims.

Earlier this year it was estimated by Homeland Security Secretary, Alejandro Mayorkas, that $350 million was handed out to just some of the hackers who engage in ransomware schemes. With Colonial Pipeline CEO, Joseph Blount, admitting that they paid out $11 million following an attack which saw their Eastern Seaboard gasoline supply shut down. This was all down to not having a multifactor authentication login system. It shows how easy it can be. It’s exactly why modern, digitally based businesses, should be very mindful of the impact that having a lax attitude to security can have.

Growth of online gaming

With the online gaming industry being valued at almost $174 billion in 2020, it’s easy to see why this is one area where criminals are looking to get a foot in the door. The industry is an ever-evolving animal, with some journalists suggesting that online video gaming is the new social media. This extra social interaction, could be said to lower inhibition and present more opportunities for exploitation. It is not only about losing money, if data is exploited then accounts can easily be ‘taken over’. Account takeovers are not uncommon. This results in players losing access to games and potentially more, due to unintentionally giving away their account details.

This is something, which if not taken seriously, will also affect the online casino industry. Although CNBC have reported this is an area which is already being targeted by cyber criminals more than ever before.

With the potential prizes on offer, and the subsequent amounts held and deposited by players, the criminals are waiting to pounce. At the time of writing, the slot games on Gala Bingo, for example, are openly advertising jackpots of $96,000 and $22,000. So, at any point players could have those large amounts and more in their account. Then if you consider hacking attempts on the gaming industry have already risen by 261% during the second quarter of 2021. That’s in comparison to the same time last year. So, almost in parallel with the growth of the industry, the hackers are looking to exploit players new and old.

What are companies doing to stop these attacks?

In the online casino industry, some companies have moved to using cryptocurrency as a means of tightening security. The blockchain technology affords its owners added safety, by design it’s almost impervious to the risk of data substitution and corruption. Utilizing blocks of transactions stored in chronological order, it becomes near impossible for this chain to be interrupted. One change would break the chain, therefore rendering the 'currency' valueless.

Adding another layer of added security is, two-factor authentication. This is something which is certainly becoming more prevalent in both video and casino gaming. This is where users will need two forms of ID to login to their accounts. Typically this will include not only your password to your account, but then a code would be sent via a cellphone application like Google Authenticator or Authy, an email or sometimes via text message to a cellphone. This code needs to be inputted within a certain time period to access your account. Now, unless you’ve lost your cellphone too, it makes it much harder for people to access the account.

Lastly, it is important to encrypt sensitive data at rest. If other protections fail and hackers are able to steal the data, they won’t be able to use it to threaten its release and extort payments from you. In this case encryption is your friend! We don’t hear much about data breaches where encrypted data is stolen for good reason. If hackers don’t have the encryption key, they can’t use the data against you.

Companies are certainly doing what they can to help stave off the threat of cybercrime to themselves and their customers. However, there's still a long way to go. But as you can see with the amount of growth in the industry, it's clear why gaming sites should continue to prioritize data and digital security.

If you need any help or information, we have all the resources to assist you and your business here at Townsend Security.

Patrick

I’ve been reading the 2021 MSP Threat Report from Perch (a ConnectWise company). It has a great review of the evolving threats to MSPs and their customers from ransomware attackers this last year. What I like about this report that it puts a number of relevant factors into perspective. Why are MSPs a target? What do the attacks look like? Who are some of the groups that are behind these attacks? What do they want (doh)? How are MSPs responding, and how effective are these responses? And, of course, what should MSPs be doing to counter the ransomware threats.

You can find the report here:

https://www.connectwise.com/resources/ebook-2021-msp-threat-report

Here are a few of the take-aways that I found interesting:

MSPs represent a valuable target. Why is that? Well, it turns out that MSPs are the gateway to a lot of end customers. They call this the “Buffalo Jump”. If an attacker can compromise an MSP they can get downstream access to all of the MSP’s customers. Based on some industry averages Perch estimates that an MSP an its customers represent a $2 BILLION opportunity. Yeah, that’s Billion with a “B”. The attacker expects to collect a ransom payment from the MSP and from each of the MSP’s end customers. The financial incentives to attack and MSP are huge.

As we know from recent experience the MSPs who have been attacked were surprised by the event. In many cases the MSP systems were not compromised, but the software they used to manage their business became the path to the compromise. A so-called “supply chain” attack. However, the supply chain attack does not cover all of the MSPs who encountered problems – many experienced routine phishing attacks and credential compromises. But the multiplier effects of the supply chain attacks stretched the resources of many MSPs.

The characteristics of a ransomware attack are pretty well known now. The common sequence of events of a ransomware attack are:

• Infiltration – access to the MSP and their end customer.
• Planting malware on breached systems.
• Exfiltration – steal copies of the data to the attacker’s server
• Poisonous Encryption – deny you access to your data and systems using a secret key.
• Extort the ransom – usually through cryptocurrency payments.
• Release of the hostage – decryption of your hostage data (if you are lucky).

While theft of data is common in traditional data breaches, the Exfiltration step is relatively new in ransomware attacks, and this is where many ransomware defenses fail. The MSP and the end customer may be able to restore systems from backups, but that won’t stop the extortion attempt. The ransomware attacker now has your sensitive data and threatens to release publicly it if the ransom payment is not made. The release of sensitive information can be devastating to MSPs and to their end customers. The threat is real and substantial. You need a backup and restore strategy, but it won’t protect you from the threat of the release of sensitive data.

What can you do?

The Perch Threat Report does not discuss this, but you do have tools to protect against Exfiltration. You have the ability to encrypt your data before the attacker with your own secret key. And that is what I call “Defensive Encryption”. You must encrypt your sensitive data first. The attacker can’t use the Exfiltrated data against you if they can’t read it. This is where encryption becomes you friend. Defensive Encryption renders Exfiltration useless by denying the attacker the ability to extort the MSP and the end customer. You still have to restore from backup, but you are in a much stronger position to defeat the extortion attempt.

There is a lot to like about the 2021 Perch Threat Report. It is concise but at the same time covers a lot of ground. I think this is an excellent report to share with upper management in your company. If you are an MSP you can share this with your end customers to help get them motivated.

MSP Note:

If you want to move forward with Defensive Encryption we have a solution you are going to love. Proper encryption key management is crucial to an encryption defense, but MSPs can be put off by the cost of key management systems. We’ve solved that problem. More here:

https://info.townsendsecurity.com/msp

Patrick

Ransomware criminals have been going after Hospitals, Clinics, Radiologists, Physician practices and all manner of organizations in the medical sector. These are “Covered Entities” in HIPAA compliance lingo. In response to the Ransomware threat the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) made this strong statement this last week:

“OCR is sharing the following alerts from the White House and Cybersecurity and Infrastructure Security Agency (CISA).  Organizations are encouraged to review the information below and take appropriate action.

White House Memo: What We Urge You To Do To Protect Against The Threat of Ransomware

Anne Neuberger the Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology has released a memo titled “What We Urge You To Do To Protect Against The Threat of Ransomware.”  

Here is the link in full:

https://www.whitehouse.gov/wp-content/uploads/2021/06/Memo-What-We-Urge-You-To-Do-To-Protect-Against-The-Threat-of-Ransomware.pdf

In addition to the White House guidance, HHS/OCR provides this fact sheet and guidance:

https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

These are short documents that are non-technical in nature and provide clear guidance for any Covered Entity under HIPAA data security requirements. If you have management responsibility in any healthcare organization, these are probably the most important things you can read right now. If you are an IT or security professional in a healthcare organization, use this information to inform and motivate your management team. 

Here are few quick takeaways with a focus on encryption and avoiding breach notification:

• Encrypt your patient information (ePHI) wherever it resides (servers, laptops, mobile phones, etc.). Here is what HHS/OCR says:

“If the electronic PHI (ePHI) is encrypted by the entity in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals such that it is no longer “unsecured PHI,” then the entity is not required to conduct a risk assessment to determine if there is a low probability of compromise, and breach notification is not required.”

Interpretation: Encryption is your “Get Out of Jail Free” card. If you do it right.

• Full Disk Encryption (FDE) is not enough:

“If full disk encryption is the only encryption solution in use to protect the PHI and if the ransomware accesses the file containing the PHI, the file containing the PHI will be transparently decrypted by the full disk encryption solution and access permitted with the same access levels granted to the user.

Because the file containing the PHI was decrypted and thus “unsecured PHI” at the point in time that the ransomware accessed the file, an impermissible disclosure of PHI was made and a breach is presumed. Under the HIPAA Breach Notification Rule, notification in accordance with 45 CFR 164.404 is required unless the entity can demonstrate a low probability of compromise of the PHI based on the four factor risk assessment (see 45 C.F.R. 164.402(2)).”

Full disk encryption is pretty easy to deploy. However, it just does not provide enough security. Use database or application layer encryption that provides more granular control over the decryption of ePHI. Self-Encrypting Drives (SEDs) and full disk encryption will not pass muster.

• Encryption Key Management is essential

You’ve heard this expression:

“A chain is only as strong as its weakest link.”

In an encryption strategy the weakest link is usually encryption key management. The encryption key is the secret you need to protect. Storing the encryption key on the same server or device as the ePHI will never be an acceptable practice. Always use a professional encryption key management solution that protects and stores the encryption key away from the sensitive ePHI data.

Encryption is not the only security effort you need to make, but in my experience it is the one thing healthcare organizations tend to ignore. I think this is because the HIPAA law considers encryption an “addressable” security control. This means you are not required to do it IF you have other equivalent controls in place. But if you are not encrypting your data and you have a data breach through Ransomware or other cyber attack, then you have “ipso facto” not protected your information well enough and you are in for a breach notification, OCR/HHS compliance action (ouch!), potential fines, and litigation. That won’t be fun, and it will be a lot more expensive than encryption.

We help a lot of healthcare providers meet the HIPAA security requirement. If you are storing ePHI in SQL Server, MongoDB, MySQL or in a VMware architecture or cloud platform, we have an affordable, easy solution for you. More information on our website:

https://townsendsecurity.com

If you are a Managed Service Provider (MSP) helping healthcare providers meet HIPAA compliance, we have a partner program for you that you are going to love. There is no entity so small that you can’t help them get secure. You can find out more here:

https://info.townsendsecurity.com/msp

Patrick

If you’ve been following this blog recently you know that I’ve been advocating for the use of encryption to help prevent ransomware attacks. Ransomware attackers have been adapting to the new reality that a lot of companies have deployed good backup strategies to recover their files. Without that leverage the attackers can’t extort payments for recovery of your systems.

So, what are they doing now? They are exfiltrating your sensitive data and using that as additional leverage. 

Oh, you have backups and you don’t want to pay? OK, we took your sensitive data and we are going to publish it. Do you have secret intellectual property or business plans? Do you have sensitive medical information on your patients? Do you have sensitive information about children in your care? 

Under this kind of pressure many ransomware victims decide to pay the ransom. 

That’s why it is important to encrypt your data before a ransomware attack. If the attacker can’t read your data because it is encrypted they can’t threaten to release it.

It has been frustrating to me that most security recommendations on how to protect yourself from a ransomware attack omit the step of encrypting your data first.

But that has now changed! And it is long overdue.

Here is what President Biden’s new executive order recommends (emphasis added):

What we urge you to do now:

Implement the five best practices from the President’s Executive Order:President Biden’s Improving the Nation’s Cybersecurity Executive Order is being implemented with speed and urgency across the Federal Government. We’re leading by example because these five best practices are high impact: multifactor authentication (because passwords alone are routinely compromised), endpoint detection & response (to hunt for malicious activity on a network and block it), encryption (so if data is stolen, it is unusable) and a skilled, empowered security team (to patch rapidly, and share and incorporate threat information in your defenses). These practices will significantly reduce the risk of a successful cyberattack. 

And  more ...

And this:

For Federal Agencies:

Modernize and Implement Stronger Cybersecurity Standards in the Federal Government. The Executive Order helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period. Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.

Encryption is not the only thing you need to do, but it is a critical part of a ransomware protection strategy. It is heartening to see this being recognized.

There is some good news: Encryption is fast, easy and affordable. If you are a small or midsize organization you will be glad to know that there is an affordable solution for your encryption strategy. Encryption and encryption key management are no longer the headaches they once were. You or your IT Support organization can address your encryption needs in a rapid manner. 

If you are an IT Support Provider or Managed Service Provider trying to help your customers with security, you are going to love our MSP Partner program. Affordable key management for VMware and the cloud, usage-based billing, and no upfront fees. You will be profitable from the first customer. More information here: 

https://townsendsecurity.com/msp

Ransomware attacks can be devastating to an organization, but you have tools to protect yourself. Give us a call.

Patrick

References:

https://image.connect.hhs.gov/lib/fe3915707564047b761078/m/1/8eeab615-15a3-4bc8-8054-81bc23a181a4.pdf

https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/

The Colonial Pipeline ransomware attack and resulting crisis that affected millions of people was shocking because of its scale and impact. Shocking, but it was not surprising. We have been watching an increase in the number of ransomware attacks over the last few months. No organization, large or small, has been immune from the attacks. Hospitals, schools, local governments, national agencies – even police departments and courts – have suffered from debilitating ransomware infections. Colonial Pipeline was the first publicly known attack on critical energy infrastructure, but it won’t be the last.

Most modern ransomware attacks have two components:

• Encryption of your systems to deny you operational access, and
• Theft of unencrypted sensitive data.

The attackers encrypt your data with a secret key and then promise to restore it when you pay the ransom. This is the well-known part of a ransomware attack. You typically must pay the ransom to a secret Bitcoin account controlled by the attackers. After payment, if you are lucky, the attackers will give you the secret key to unlock your data.

There is another, less well-known aspect of ransomware attacks. And that is that the attackers often steal sensitive data before they encrypt it. Why do they do this? Well, if you are able to restore your systems without paying the ransom, they can then use the threat of releasing that data to extort the payment from you. And it is very effective. More on protecting yourself from this aspect of ransomware below.

There is good guidance from security groups and governmental agencies on how to protect yourself from a ransomware attack. Having good backups that are not connected to the network is an important part of that guidance. You should also deploy other security measures like active monitoring for anomalous behavior, appropriate segmentation of users, proper network controls, and so forth. And, never forget that training users in good security hygiene is absolutely essential.

I think a number of organizations have gotten reasonably good at this part of ransomware protection. There are still big gaps, of course. And smaller to midsize organizations are lagging in the deployment of these basic protections. But what to do is no longer the question. Getting it done and doing it right is the challenge.

But what about the second part of the ransomware attack? What happens when the attackers steal your unencrypted sensitive data?

We have to give credit where it is due. Cybercriminals who deploy ransomware are very good at what they do. They’ve learned to adapt to a changing landscape. As you got better at doing backups and recovering your data in a timely fashion, they added another technique to extort a payment – They are taking your very sensitive data. If you refuse to pay the ransom they threaten to release the data. To prove their point they will often release a very small amount of your data.

Imagine your shock when you see highly sensitive medical information showing up on the attacker websites. Or sensitive information about students, or sensitive court records. Suddenly the urgency is much greater, and many pay the ransom when this happens.

Having a good backup is not going to help you now. So, what can you do? It is time to add another tool to your defenses – encryption of your own sensitive data.

You should encrypt your sensitive data to deprive the attackers of access to it. If the attacker steals your data in an encrypted state, it is not usable. Encryption is the security control that you need to add to your ransomware strategy. I know, you’ve been putting implementing this important security control. But the stakes are higher now. If Sony or Equifax had encrypted their data, we would not still be talking about the massive loss of data and the disruption they experienced.

Here are some basics to keep in mind as you deploy encryption:

• Create a map of your sensitive data, and a plan. You should encrypt the most sensitive data first.
• Encryption key management is critical to your security. Use a professional key management system to store keys away from the data. Never store encryption keys on the same server that hosts the data.
• Restrict access to the databases with sensitive data. Only those people in your organization who have a need to access sensitive data should be able to do so. Your DBA will know how to do this.
• Monitor user access to your sensitive data and take immediate action for unautorized access. Use a professional SIEM solution to do this.
• Monitor access to your encryption key management solution. Your KMS is a critical part of your encryption strategy.
• Take advantage of database and storage vendor support for encryption and key management. Using VMware for your infrastructure? Implement encryption of VMs and vSAN. Using Microsoft SQL Server? Implement Transparent Data Encryption with an external KMS for the keys. It is fast and easy, and supported by the database vendor.

There are a lot of reasons why organizations are lagging in terms of encrypting their sensitive data. Fears about performance, fears about lost encryption keys, fears about the cost of key management systems, and so forth. All of these challenges have been overcome in recent years. Put your fears aside and protect your data.

Here is a hint:

Don’t let the PERFECT be the enemy of the GOOD. For example, you don’t have to encrypt everything at one time. Tackle the most sensitive data first, and tackle the easy projects first in order to build experience. Then tackle the remaining projects as quickly as you can. Also, don’t be afraid to deploy key management solutions from different vendors. KMS systems are so easy to manage now that having more than one system rarely increases administrative costs. Find the best, most cost effective KMS solution for your database and use it!

Encryption is your friend when you control it. It can provide protection from cybercriminals who attempt to steal your data in order to extort a payment. You can get encryption done quickly and at a reasonable cost. You don’t have to pay exorbitant licensing fees for a good key management system. If you have cost concerns, give us a call.

If you are a managed service provider trying to help protect your customers, you might like to know about our MSP Partner program. Give us a shout to learn more.

Patrick

Managed Service Providers have a real challenge when they try to talk to their customers about the benefits of encrypting their sensitive data. If your experience is like mine, pretty soon their eyes glaze over and they are wanting to change the subject. I get that - encryption is a subject that only nerds can love. But we also know how important encryption is. So how do we convey that?

One of our MSP partners shared this bit of wisdom:

“Ask them if they carry cyber insurance”.

“Why?” I asked, more than a little confused about how this related to encryption.

“Have you read your policy?” she asked. “Take a look at the section on encryption.” And then she shared a short form application for cyber insurance from a large carrier.

Wow! I’ve had my head in the technical weeds of encryption and compliance for too long. Here is an extract from a short form insurance application:

Indicate whether the Applicant encrypts private or sensitive data:

1. While at rest in the Applicant’s database or on the Applicant’s network __Yes __No
2. While in transit in electronic form __Yes __No
3. While on mobile devices __Yes __No
4. While on employee owned devices __Yes __No
5. While in the care, custody, and control of a third party service provider __Yes __No

I am guessing that many organizations just answer “Yes” to all of these questions without thinking about it. As my MSP partner pointed out, if you respond incorrectly on an insurance application you negate any benefits you might receive. Are they covered in the event of a data breach or ransomware attack? Maybe not. That can be a shocker to the end customer.

Rather than talk about encryption in an abstract way, this MSP talks about their cyber insurance policy and what they need to do to ensure coverage. She said that this is the most effective method she has ever used to get agreement from a customer to implement encryption of their data at rest. She’s never had someone decline to implement this important security control once they realize what is at stake.

My takeaway is this:  not everyone is as excited or interested in encryption as I am. But everyone knows how important it is to have insurance coverage. MSPs know that encryption is a core part of a defense against cyber attacks including ransomware. Modern ransomware attacks include encrypting your data to deny you access, as well as stealing your data and holding you hostage with the threat of making it public. You might have a good backup plan to recover your data, but you can’t defend yourself from the threat of public release if the hacker has your unencrypted data. If the attacker can’t read your data because you encrypted it, they can’t release it to the public.

I hope this practical example helps you talk with your customers about the importance of encryption.

How are we at Townsend Security helping MSPs get the job done?

Our MSP partner program helps MSPs protect VMware infrastructure by providing our key management solution, Alliance Key Manager, on a low cost, monthly usage basis. You can encrypt VMs, vSAN and deploy vTPM easily. Imagine offering encryption to your end customers and not incurring any upfront costs or annual minimum payments for the KMS. Imagine turning encryption into a profit center for your benefit and for your customer’s benefit. Imagine offering encryption to even your smallest customers and knowing that they can afford it!  And, imagine doing this for your hosting platform, for the cloud, and for your customer’s on-premise infrastructure.

Imagine the relief of your customers after a data breach when they learn that cyber criminals did not steal unencrypted data!

Our MSP partners are doing this every day.

If you are a Managed Service Provider and want to know more about our partner program, you can learn more here.

If you are an MSP I hope you will take advantage of our MSP partner program. Talk to us to find out more.

Patrick

Can I also resell Alliance Key Manager?

Yes, you can operate as an MSP and also as a reseller partner for those customers who are not using your MSP services. Reselling Alliance Key Manager is governed by a different agreement. Contact us if you have a resale opportunity.

I need to have our legal team review your MSP agreements. How is this done?

Just contact us. We will send you a copy of the MSP license agreement for legal review. 

We would like to use a copy of the key manager for training and customer demos. How is this done?

We will gladly support your internal training and demo needs. We do this through special Not For Resale (NFR) licenses. All MSP and Reseller partners qualify for NFR licenses for our key manager. There is no charge for NFR licenses.

How do you handle special bids?

While we believe that the MSP program provides you with a lot of flexibility, we understand that special bids are sometimes needed. Contact us to discuss the special bid requirements. We work with our partners around special bids on a frequent basis.

Are volume discounts available?

Yes, if you have a very large number of VMs to encrypt and would like to pay in advance for those we have a discount program available. 

How can I get started?

This web page has information about our MSP partner program and a form to get started. Complete the form and we will get in touch with you:

https://townsendsecurity.com/msp

You can also contact us by email and phone:

Email: sales@townsendsecurity.com
Phone: (360) 359-4400
International: +1 360 359 4400

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

Almost everyone considers encryption a sunk cost. You almost never see any type of Return On Investment (ROI) calculation when it comes to Key Management Server (KMS) systems. Acquiring a KMS system usually falls into the Capital Expense financial category when it comes to budgeting.

Let me change your thinking about KMS systems!

Here is a simple financial calculation based on a fictional MSP business. Let’s assume that as an MSP you charge your end customer $50 per month per managed VM. If you are managing 50 VMs for your customer your gross revenue for that customer is $2,500 per month.

However, you have costs, too. Hardware, VMware licenses, IT experts, administrative costs, etc. Let’s just guess that this might add up to $1,250 per month, or half of the gross revenue. Your margin after direct costs might be $1,250. 

This example is probably extremely generous in terms of your gross margin. I suspect that your costs are probably higher and margins much lower. But let’s run with this example where gross margins are 50% of revenue.

Imagine that you become a Townsend Security MSP Partner and pay $5 per month per encrypted VM on a usage basis. You charge your customer $8 per month per encrypted VM netting $3 per month gross revenue per encrypted VM. The direct costs are very minimal. Your hardware and infrastructure costs are minimal. There are no minimum KMS license fees. There are no extra charges as you expand your use of the KMS. And very minimal IT Expert costs due to the encryption and KMS automation provided by VMware.

You probably just gained an additional $150 in gross margin from this customer. 

That represents a whopping 12% increase in overall gross margin! It is not often that adding one simple service to your business offering can net that much gross margin gain.

This is, of course, a very simplified example. However, I believe that many of our MSP partners are recognizing larger gains as they add VMware encryption to their set of offerings. One MSP partner told me that it is a “no-brainer” for the customer to sign up for the small additional cost per VM for encryption due to its low cost. You can have that experience, too.

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

Business continuity and resilience is at the heart of the value proposition MSPs provide to their customers. That means that the key management server (KMS) system at the center of VMware encryption must be able to provide real time recovery along with your service strategy. There are several components to a good high availability (HA) strategy, and these vary from one KMS solution to another. Here is how our Alliance Key Manager integrates with VMware to achieve high availability:

KMS Real Time Mirroring

Alliance Key Manager implements real-time, active-active key mirroring between a production and one or more high availability key servers. When VMware creates a new key on the KMS for an encrypted VM, that key is immediately mirrored by Alliance Key Manager to a high availability key server. Mirroring is done in real time so that you always have a KMS ready to take over. All transmission of encryption keys is performed over a TLS encrypted connection with mutual authentication, and you have the option to deploy a failover key server in a different vCenter environment.

vSphere KMS Cluster Configuration and Automatic KMS Failover

The purpose of the vSphere module called KMS Cluster is to define your key managers to VMware and to establish trust between vSphere and the key server. A KMS cluster is a list of key servers along with connection and credential information. Normally you would define two key servers in a KMS Cluster – one key server for production use and one key server for failover use. By default, the first entry in the KMS Cluster is the production key server, and failover key servers follow in the order that vSphere will use them. vSphere automatically connects to a failover key server in the event it cannot communicate with the production key server.

You are not limited to one KMS Cluster configuration. If you want to deploy a dedicated key manager for a particular customer you can create a new KMS Cluster configuration and define the dedicated key servers in this new configuration.

KMS Backup, Scheduled and On Demand

It is always a good idea to have a backup of your critical applications. Alliance Key Manager lets you define a schedule for automatic, secure backups. The backup server, usually a Linux instance running sFTP, can be located offsite.

Of course, you can always perform a manual backup on demand. This manual backup can go to a local directory on the key server and be downloaded by the administrator for secure offsite storage.

MSP Backup

Most MSPs offer a backup service to their end customers. Since Alliance Key Manager is a normal VMware virtual machine you can use your current backup strategy to back up the key server, too.

Disaster Recovery as a Service (DRaaS)

If you offer your customers a DRaaS service you can also offer them key management through the Townsend Security MSP partner program. You can deploy a key manager on the customer’s premises and mirror keys to your DRaaS service at your hosting site. 

VMware Monitoring

Lastly, we can’t forget that VMware offers a rich set of tools to monitor the health of VMs. You can use those tools to monitor the health of Alliance Key Manager, too. Your MSP license agreement allows you to install VMware Tools on the key manager server. 

In summary there are a number of layers of high availability built into the deployment of Alliance Key Manager. This will give you and your end customer a high level of confidence in the resilience of your encryption offering.

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program