Townsend Security Data Privacy Blog

Business continuity and resilience is at the heart of the value proposition MSPs provide to their customers. That means that the key management server (KMS) system at the center of VMware encryption must be able to provide real time recovery along with your service strategy. There are several components to a good high availability (HA) strategy, and these vary from one KMS solution to another. Here is how our Alliance Key Manager integrates with VMware to achieve high availability:

KMS Real Time Mirroring

Alliance Key Manager implements real-time, active-active key mirroring between a production and one or more high availability key servers. When VMware creates a new key on the KMS for an encrypted VM, that key is immediately mirrored by Alliance Key Manager to a high availability key server. Mirroring is done in real time so that you always have a KMS ready to take over. All transmission of encryption keys is performed over a TLS encrypted connection with mutual authentication, and you have the option to deploy a failover key server in a different vCenter environment.

vSphere KMS Cluster Configuration and Automatic KMS Failover

The purpose of the vSphere module called KMS Cluster is to define your key managers to VMware and to establish trust between vSphere and the key server. A KMS cluster is a list of key servers along with connection and credential information. Normally you would define two key servers in a KMS Cluster – one key server for production use and one key server for failover use. By default, the first entry in the KMS Cluster is the production key server, and failover key servers follow in the order that vSphere will use them. vSphere automatically connects to a failover key server in the event it cannot communicate with the production key server.

You are not limited to one KMS Cluster configuration. If you want to deploy a dedicated key manager for a particular customer you can create a new KMS Cluster configuration and define the dedicated key servers in this new configuration.

KMS Backup, Scheduled and On Demand

It is always a good idea to have a backup of your critical applications. Alliance Key Manager lets you define a schedule for automatic, secure backups. The backup server, usually a Linux instance running sFTP, can be located offsite.

Of course, you can always perform a manual backup on demand. This manual backup can go to a local directory on the key server and be downloaded by the administrator for secure offsite storage.

MSP Backup

Most MSPs offer a backup service to their end customers. Since Alliance Key Manager is a normal VMware virtual machine you can use your current backup strategy to back up the key server, too.

Disaster Recovery as a Service (DRaaS)

If you offer your customers a DRaaS service you can also offer them key management through the Townsend Security MSP partner program. You can deploy a key manager on the customer’s premises and mirror keys to your DRaaS service at your hosting site. 

VMware Monitoring

Lastly, we can’t forget that VMware offers a rich set of tools to monitor the health of VMs. You can use those tools to monitor the health of Alliance Key Manager, too. Your MSP license agreement allows you to install VMware Tools on the key manager server. 

In summary there are a number of layers of high availability built into the deployment of Alliance Key Manager. This will give you and your end customer a high level of confidence in the resilience of your encryption offering.

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

We often get questions from MSPs about deploying our Alliance Key Manager solution across multiple vCenter nodes. Here is some good news for our MSP partners:

Multiple MSP Hosting or Cloud Locations

Many MSPs operate multiple regional hosting centers. Even small MSPs will typically have two locations in order to support high availability and backup. Each physical location will have one or more vCenter servers. Multiple vCenter clusters are not uncommon at a single data center location. Global MSPs often have to work within a country’s data sovereignty laws. This means a data center in each designated country. This increases the number of key management servers (KMSs) that must be deployed.

Production and High availability Key Servers

Under the Townsend Security MSP partner program, there are no licensing restrictions and you can run as many KMS servers as you wish. This typically means running two key servers in each vCenter environment – one for production and one for high availability (HA) failover. Since the MSP partner program involves a usage based cost model, you can deploy as many KMS servers as you need. You only pay for the encrypted VMs and vSAN directories regardless of physical location and number of key servers.

Customer Dedicated Key Servers

You may find the occasional customer who doesn’t want to share a key server with other customers. VMware makes this easy to accomplish. You can just create a new KMS Cluster definition and add the new production and failover key servers to this configuration. The start encryption of VMs and vSAN for that end customer using this new KMS Cluster configuration. Voila! Since there is no licensing cost for deploying key servers this is a cost effective way of meeting this customer requirement. You just report this customer’s encrypted VMs and vSAN directories during normal monthly reporting.

On-premise to Hosted or Cloud vCenter Nodes

If you are managing an end customer’s on-premise IT infrastructure, you can also deploy Alliance Key Manager on-premise and mirror to a hosted or cloud vCenter node. This is especially helpful to MSPs who are providing Disaster Recover as a Service (DRaas). The production environment can be in the end customer’s data center and you can mirror encryption keys to an Alliance Key Manager failover key server in your own environment. This helps achieve seamless failover for your customer.

Customer Dedicated vCenter Nodes

It is also not uncommon for an MSP to dedicate a vCenter server to a specific customer. That customer may have heightened security concerns, or may not want to share infrastructure with other customers. There may be corporate governance and security restrictions that require this. Again, MSPs only pay for the number of encrypted VMs and vSAN directories, regardless of the number of vCenter clusters and how they are used, and regardless of physical location.

In summary, we provide our MSP partners with all of the flexibility they need to support current customers and attract new customers. VMware encryption is a core security control that your customers demand, and you now have the tools to meet the need.

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

In this blog series we’ve put the focus on the MSP’s challenges. Now let’s talk about how we at Townsend Security are helping meet those challenges.

Two years ago Townsend Security treated its MSP customers the way most legacy KMS vendors do. That is, we were a part of the problem. Thanks to the coaching and mentoring of some MSP leaders, we came to understand the need for a new approach, and we launched our MSP partner program. 

Key elements of our MSP partner program:

MSPs need confidence in the key management solutions they deploy. Townsend Security has been providing their Alliance Key Manager solution for VMWare for more than 10 years. Alliance Key Manager is certified by VMware for every release of vSphere and vSAN that support encryption, it is FIPS 140-2 compliant, and it is validated to PCI-DSS compliance.

The Townsend Security MSP partner program provides their key management server (KMS) to the MSP with no upfront license fees and no annual minimums. In fact, there is no perpetual or subscription license agreement at all, just a simple end user license agreement tailored for the MSP. The MSP gets training from Townsend Security and deploys the KMS into production. The cost of the solution is based on a low monthly charge per encrypted VM and vSAN directory. Just pay for what you use and nothing else. You can scale up and down your use of the KMS as needed. 

How many KMS servers can you deploy? As many as you want. You can share a KMS server across multiple customers, or deploy a dedicated KMS for a customer. You can deploy the KMS in your hosted environment, in the cloud (AWS, Azure, Google, IBM, etc.), and on the customer’s premises. No license or cost per KMS server, no restriction on the number of keys, no restriction on the number of encrypted VMs

Each month you will report the number of encrypted VMs and encrypted vSAN directories you are managing. Payment is also simple and is made electronically through ACH bank transfer, wire transfer, or credit card. 

Townsend security provides full 24/7 technical support for business interruption issues. There is no extra charge for software maintenance and support. 

It is not just all about technology. We also help you with marketing content, joint webinars, joint podcasts and security reviews. We understand that the typical MSP has a lot on their plate and does not need to spend time on deep security questions. We’ll help answer those tough customer questions about encryption and key management. 

We are committed to helping you be successful. We align with your business, service and revenue models. We will train your team. We will support your technical team. And we will help you with marketing support. Our goal is to lean in and help, and take risks with you. We want to be the KMS partner you’ve always wanted.

MSPs have told me that the current COVID crisis is impacting their business and revenue streams. They are losing some customers and revenue but are seeing increased demand from existing customers. Everyone seems to need more help from the experts. It’s a tough time for MSPs. Now is the time to migrate your existing KMS deployment to Alliance Key Manager and gain predictability and scalability in your KMS costs. It’s easy to do.

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

MSPs fine tune their services to satisfy customers. You are the experts in configuring, deploying, monitoring and protecting the customer’s sensitive applications and digital assets. The services you offer are crucial to organizations large and small.

So why don’t MSPs lead by offering VMware encryption?

It often boils down to the Key Management Server (KMS).

KMS vendors by and large are stuck on old and costly licensing models. It is not uncommon to find legacy KMS vendors charging in excess of $200,000 for an initial deployment in an MSP’s infrastructure. On top of that there are often additional charges as you do more encryption, and annual maintenance and support fees. This represents a major upfront investment by the MSP with no guarantee of realizing a positive return on that investment. This KMS pricing and licensing model almost assuredly locks out a small to midsize MSP.

Then there is the complexity of most KMS systems. The MSP may have to invest a lot of time and resources in learning how to configure, deploy, and maintain the KMS. An MSP needs technology to be simple. Why? The complexity of end customer systems means that the average MSP has to know dozens or even hundreds of hardware and software application systems well. When you factor in PC, Server, Web, and Remote support, the MSP is responsible for a massive knowledge base and trained internal staff. A complex KMS system is just sand in the gears and another headache. It should be better, and it can be better. 

KMS deployments can also be complex and not match the MSP business model. It is not uncommon for MSPs to charge their end customers a monthly fee based on the number of VMs and vSAN directories under management. When a KMS system requires handholding for each end customer, and uses a legacy pricing model with annual minimum payments and commitments, it becomes a nightmare for the MSP to realize a gain on encryption.

For all of these reasons many MSPs avoid encryption. It is understandable. Here is what one MSP told me before they learned how we approach the KMS need:

“You said the magic words of MSP and Low cost, consumption based! We’ve struggled to find a KMS solution we can properly price and sell to our customers to do VM encryption. Solutions like XXXXXX are prohibitively expensive. Your low cost per encrypted VM per month is very reasonable. I’m glad those MSP’s helped you understand our market and that you were able to see the opportunity. You NEED to be marketing this. You’re solving a problem that MSP’s a) don’t think they can afford to fix, and b) are just ignoring the compliance of because it’s “too hard and too expensive.” I highly encourage you to get the word out through marketing to MSP’s. Thank you, Patrick. You made my day.”

Sound familiar?

In the next blog I will describe how we are solving the KMS headache for MSPs. Not only can we make life easier, encryption can be a profit center for you without tipping over your business or putting you at a competitive disadvantage.

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

VMware has been very sensitive to the security needs of its Enterprise customers. They know that VMware infrastructure and applications are critical to an organization’s overall security. Network segmentation, access controls, monitoring and many other VMware applications help the MSP protect their customer’s applications and data. When it comes to encryption of sensitive data, VMware has your back, too!

Encryption of VMs was introduced with vSphere 6.5. With this version you could easily select VMs that you want to be encrypted, and quickly and easily start encryption. The MSP VMware administrator can easily see which VMs are encrypted and which were not. Of course, the architecture fit right into the normal VMware architecture. vCenter, vSphere, ESXi all come into play during the implementation and maintenance of the encrypted state of the VMs. A real bonus is that the performance of encrypted VMs is stellar. MSPs rarely need to add additional resources to implement encryption of VMs.

Encryption of vSAN was introduced in vSAN 6.6. The implementation of encryption support is quite different than encryption of VMs, but the encryption key management interface is exactly the same (more on that below). vSAN encryption has been a boon to MSPs. Typically the MSP has relied on storage hardware encryption which often is less expensive, but harder to manage. And encryption key management is generally weak in hardware solutions. Using vSAN lets the MSP integrate the rich set of VMware applications and security. With vSAN encryption you get a flexible place to store commercial and open source databases, big data repositories, and much more. All encrypted efficiently by VMware.

Some MSP customers want to implement TPM to protect their application OS images. Hardware based TPM has many disadvantages in a VMware environment. However, VMware now supports virtual TPM (vTPM) which is much more flexible and resilient in VMware infrastructure. And the good news is that vTPM handles key management in the same was as vSphere encryption of VMs and vSAN encryption of directories. A big plus!

With all of this great support for encryption, how do we properly manage encryption keys? This is a core requirement of compliance regulations and security best practices. VMware handles this well. The key management configuration is provided by the vSphere KMS Cluster configuration. With KMS Cluster configuration you can configure your key management interfaces one time and all of the VMware encryption applications use this definition. And more good news – the interface to key management systems is based on the open OASIS Key Management Interoperability Protocol (KMIP). This means that you have a lot of flexibility and choice in your acquisition and deployment of a KMS for your encryption deployment. (We will talk more about our Alliance Key Manager solution in a following blog).

Key management systems are inherently complex, and the KMIP protocol is also complex. As an MSP you don’t have to deal with this complexity, VMware handles all of the technical implementation. To help VMware customers and partners understand which KMS systems work well with VMware, they make available a certification program for KMS vendors. A KMS vendor who implements the KMIP standard (we are one) can certify their solution for use with VMware. This really sets VMware apart from many infrastructure platform providers. They have made the certification process easy for KMS vendors and publish the results. This means the MSP has an easy way to determine if a key management system is compatible and reliable.

All VMware releases that support encryption also support encryption key management in the same way. This consistency from one release to the next means no disruption to the MSP operating environment after an upgrade, and assurance of the MSP investment in internal training and KMS investments.

Version 7 of VMware now supports a new encryption security interface called Trusted Authority, or vTA. The previous encryption interfaces are still fully supported, but now you have a new option for encryption and key management. vTA offers slightly different architecture and a higher level of security that some organizations need.

All of these features that VMware has implemented make it easy for the MSP to provide encryption support to end customers. In the next blog we will talk about the challenges MSPs face and how to overcome them.

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

This is the first in a series of blogs on the topic of Managed Service Providers (MSPs) and VMware encryption. They are meant to be read in order as each blog topic builds on the previous topics, and leads to the next. 

As an MSP, I hope you will take this journey with me about VMware encryption, the technical and business challenges you are facing, how Townsend Security solves these challenges, and the surprising business benefit waiting for you when you offer your customers encryption under your MSP service umbrella. 

Here is the complete topic list:

1. Why do MSP customers want encryption of their VMs and vSAN (this blog)
2. What has VMware done to help with encryption security?
3. What are the biggest obstacles to offering VMware encryption to customers?
4. How does Townsend Security help an MSP overcome the KMS challenge?
5. KMS for multiple vCenter clusters and nodes
6. As an MSP how do I ensure high availability for encrypted VMs?
7. How can an MSP use encryption security to improve revenues and profitability?
8. Some common questions and how to get started with the Townsend Security MSP partner program

Customers of MSPs read almost daily about data breaches and ransomware attacks, and are rightly concerned about the security of their data under the control of the MSP. MSPs are usually the lead security provider for these customers and bring a great deal of expertise to the deployment of security solutions. Let’s explore the some of the concerns and motivations of the MSP end customer:

Regulations, regulations, and more regulations:

In addition to the fear of a data breach, customers are also concerned about regulations like the California Consumer Privacy Act (CCPA), the New York SHIELD Law, HIPAA, PCI-DSS, GDPR, and many others. No one wants to be subject to compliance actions and litigation due to a data breach. It is natural for a business or organization to turn to their MSP for assurance that their sensitive information is safe and security meets compliance regulations.

Business secrets and intellectual property:

In addition to the regulatory concerns, many small businesses and organizations are concerned about the compromise of business secrets and intellectual property. We now know that a number of state actors are aggressively attempting to steal this type of information. While business secrets and IP are a different category of sensitive information, the loss of this information can be devastating to a business or organization. It can take years to develop new ideas and move through the IP protection process. The compromise of this information can destroy the value of a company, and years of work by its employees and investors.

Reputational risk:

Lastly, the loss of any sensitive information can harm the reputation of an organization. If your value to an end customer involves managing aspects of their sensitive information, losing that information can cause irreparable damage to customer trust. We can all think of retailers, credit reporting agencies, government agencies, and many others who have had large data breaches. It affects consumer behavior and can exact a financial penalty for many years. No one wants to suffer reputational damage from a preventable data breach.

A data breach can be an existential event. According to Cybercrime Magazine about 60% of small companies close within 6 months of a data breach. This is an astoundingly high number. If you think about it, the surviving 40% of companies probably experienced a lot of distress recovering from the data breach. How much lost opportunity was there? 

For MSPs, the takeaway is that your customers are concerned about encryption to protect their sensitive data, business secrets, and look to you to provide solutions. How can MSPs turn that into actions that are based on security standards and which provide a justifiable business opportunity?

Stay tuned.

More Reading

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

Every now and then something completely unexpected happens that changes your life. No, I’m not talking about the COVID pandemic - that’s a completely different story. What happened for me is that in the course of my work in business development of our key management server (KMS), I met the CEOs of two different Managed Service Providers (MSPs) and they welcomed me into their world. With grace and patience, they helped me leave behind my preconceived notions about software sales and introduced me to how their world works. Neither of these two CEOs were obligated to mentor me and to give me their time, but I am so grateful that they did. It opened a new vision for me and our team here at Townsend Security.

If you work at an MSP firm, I hope you will read on. I will tell you how I turned my lessons into real benefits for the MSP.

Managed Service Providers are varied in what they do, but at the core of their business is the desire to provide IT expertise, hosting facilities, business continuity and disaster recovery, and lots of other IT services to small and large organizations. They do everything from fixing user PCs to deploying top-end servers, security, and cloud services. Expertise is at the core of the value they provide to organizations. During the COVID crisis, they are on the front lines of trying to help everyone migrate to work-from-home and they are trying to secure that environment.

They are just some of the quiet, hidden heroes who don masks and rush into data centers and offices to keep us all operational. They provide great value to organizations especially in the current crisis. These MSPs taught me about their business and about the difficulties they have with key management vendors. In a time when security is top of mind for their customers, they struggle with a KMS industry that is stuck in the past. We were definitely one of those. As we talked, the light came on for me. All of the problems they were having with KMS vendors were problems that we could solve! All it took was a commitment from us, and a change in our business practices.

Here are some things I learned from my MSP CEO mentors:

• Their businesses run on a usage-based model. For example, they might host a VMware environment for an end customer and charge them on the basis of the number of Virtual Machines (VMs) or vSAN storage they manage on a monthly basis. They provide immediate, on-going value to their customers and they prove their worth on a day-to-day basis.
• They deploy third-party software solutions to help them accomplish their mission. They prefer to use software solutions that match their business model. For example, some of the common backup solutions like Veeam can be deployed by MSPs on a per-month, per-VM basis. It’s great when an MSP can deploy these types of solutions on a usage basis. It is how they run their business and greatly reduces their risk. KMS vendors are not helping.
• MSPs live in a complex technical world, and they have special needs from their software vendors. They probably deal with more technical complexity than any other IT segment. Hardware, software, Windows, Linux, security, networking, cloud, smart phones – where does it end? This means they need software solutions that are easy to install, deploy, manage and report on.
• An MSP deals with a lot of software “vendors”. What they really need are software
  “partners”. A software vendor sees the MSP as a resource (money) extraction
  opportunity. A partner is someone who saddles up and goes into battle with you. With a partner, you will either win together or lose together. This is an incredibly important distinction to the MSP, and a really big challenge to the software vendor.
• The MSP needs more than a software solution from a partner. With all of the complexity of the services an MSP delivers, the MSP needs help from the software partner to sell the solution, to support the solution, and to be a trusted advisor. Can the software partner help with sales collateral? How about with joint sales calls? Can we do joint webinars and podcasts that help build confidence in customers and potential customers?

Here at Townsend Security we live in the world of data security. We have encryption and key management solutions to protect data at rest. We have a number of MSP customers. Before I had the conversation with our MSP mentors, we approached each of our MSP customers the way any legacy software company would. We offered the basic perpetual and subscription licenses. We have always been very price competitive, but it was basically a take-it-or-leave it approach. We charged for each key manager that we sold.
We were a perfect example of the “vendor” problem the MSP experiences. So, we set out on a journey to see if we could align our business with MSPs and become the “partner” they want and need. It meant changing a lot of our assumptions and business practices. You will know when you have a true partner when they lean in with their marketing and technical teams to make you successful. Our goal is to be that partner!
Here are some of the things we’ve done:

• Adopted a Pay-As-You-Go model for MSP partners. We now charge a very small monthly fee for each encrypted VM or database. Gone are the perpetual and annual subscription licenses. Scale up or scale down as you like. We get paid when you get paid. Full stop.
• Dropped all upfront fees or annual minimums. We are aiming for perfect cost and
  revenue predictability for your MSP business.
• Stopped counting the number of key management servers the MSP runs. The MSP
  deploys key servers in the way that makes sense. Multiple physical hosting sites, on-premise deployments, Disaster Recovery as a Service (DRaaS), encrypted storage? We don’t care, we are all in.
• We trust the MSP to deliver their services and expertise on their hosting or cloud
  platform, and on their customer’s premises. MSPs conduct their businesses in a variety of ways. If we achieve true partner status you will feel that we are fully behind you and support you and take the risks with you.
• We train the MSP on how to deploy our solution. We have video, on-line
  documentation, and one-on-one training to help you get up and running quickly. We don’t charge for training; we just lean in to help you get the job done.
• We support the MSP with 24/7/365 business interruption support program at no extra charge. Support is built right into the low monthly fee.
• Provide sales support by doing joint customer calls, answering security questions, and providing guidance on meeting compliance regulations. We don’t charge for helping you close a sale; we will win the deal together.
• Provide sales collateral that includes sell sheets, educational material, joint webinars and podcasts, and much more. We don’t charge for sales and marketing collateral.

I feel like I’ve been on a fast learning track and have gained some great new friends. They are sharing with us what they need, and we are leaning in to help them be successful. It is an immensely rewarding experience.

Here is what one of our MSP customers said:

“You said the magic words of MSP and Low cost, consumption based! We’ve struggled to find a KMS solution we can properly price and sell to our customers to do VM encryption. Solutions like XXXXXX are prohibitively expensive. Your low cost per encrypted VM per month is very reasonable. I’m glad those MSP’s helped you understand our market and that you were able to see the opportunity. You NEED to be marketing this. You’re solving a problem that MSP’s a) don’t think they can afford to fix, and b) are just ignoring the compliance of because it’s “too hard and too expensive.” I highly encourage you to get the word out through marketing to MSP’s. Thank you, Patrick. You made my day.”

If you are an MSP we would like to “make your day.” You can start your journey here. 

Evaluations of our Alliance Key Manager are available at no charge. We provide technical
support through the evaluation at no charge. Let’s do this together!

Patrick

This blog is an excerpt from the white paper Delivering Secure VMware Hosting with Encryption & Key Management.

VMware is the most trusted name in on-premise computing infrastructure. Its ease of use and administration, reliability and security provide exceptional services to small and large organizations alike. As organizations move to the cloud, there are now a large number of VMware hosting partners and managed service providers (MSPs) who provide off-premise deployments of VMware and an extensive array of VMware management and administrative services. This white paper discusses how Townsend Security is helping VMware hosting providers meet the challenge of encryption and encryption key management, while supporting the usage-based business model core to many of these hosting providers.

VMware Architecture and Benefits

The benefits of VMware in the data center are now well recognized. Reduction in hardware and utility costs, reduction in administrative costs, improvement in managing ever-changing workloads, resilience and business continuity, and exceptional security are just some of the primary benefits. This is why VMware is the leading infrastructure virtualization technology on a global basis.

In recent years VMware has embraced the movement to the cloud with key partnerships with leading cloud service providers. What is less well known is that VMware has spawned and supports a broad set of hosting providers that serve local and regional markets. These VMware hosting providers also provide the expertise and managed services that many large cloud providers do not. 

The growth of the VMware hosting provider eco-system provides important support for VMware customers. Customers now have many options for managing their VMware infrastructure on premise or at a VMware hosting provider data center. Many customers maintain both on-premise and hosted environments to meet their business needs. The VMware eco-system is growing and resilient, and an important part of the IT services landscape.

VMware and Security

While VMware has always been a leader in IT security, the company recognized the importance of encryption and proper encryption key management to meet security best practices and evolving compliance regulations. In 2016 VMware released version 6.5 of vSphere which enabled built-in support for encryption of virtual machines (VMs) and virtual storage (vSAN). In any encryption strategy, it is important to protect the encryption keys using a purpose-built key management security system that secures the keys away from the protected information. The VMware security architecture integrates with a key management server (KMS) to protect the encryption keys that are used by ESXi and vSAN. The interface between vSphere and the key management server is based on the Key Management Interoperability Protocol (KMIP), an open standard for KMS systems. 

In vSphere the administrator defines a primary key manager and one or more failover key managers using the KMS Cluster module. vSphere manages the failover to a backup key server in the event the primary key server is not available. This also enables failover to a disaster recovery VMware node in an automatic fashion. The result is a robust implementation of encryption with key management based on the open OASIS KMIP standard and deployed in a highly resilient fashion.

VMware Hosting and MSP Partners

VMware hosting partners and MSPs are called on to deploy proper security in the VMware infrastructure. Security is largely provided by native VMware applications such as NSX and others. However, the deployment of a key management system depends on support from third party KMS vendors. Townsend Security is one of those vendors with its Alliance Key Manager solution.

Unfortunately, most enterprise KMS systems are expensive, difficult to deploy, lack needed failover reliability, and have complex licensing and management requirements. Many VMware hosting providers provide their infrastructure and services on a usage-based model. Enterprise KMS systems generally do not fit this delivery, reporting and billing model.

Townsend Security is solving this problem by providing its Alliance Key Manager solution on a usage basis. VMware hosting providers will benefit from the Townsend model as it matches their business delivery model and makes KMS affordable to their end customers. When your encryption key management strategy lines up with your business model you are able to manage your growth in a predictable way.

Delivering Compelling Hosting and Services

VMware hosting providers and MSPs are rapidly changing the way that VMware customers are managing their IT infrastructure. These VMware partners are filling a services and support gap left by typical, large cloud service providers. Hosted VMware infrastructure, Disaster Recovery as a Service (DRaaS), automated backup and recovery, and expertise on demand provide compelling value to VMware end customers. 

Townsend Security’s Alliance Key Manager is filling the KMS gap for VMware hosting providers and MSPs by providing an Enterprise KMS system that matches the way they do business. Gone are the complexities of sourcing, deploying, licensing and administering a KMS for the VMware environment. Townsend Security empowers the VMware hosting provider with on-premise and customer premise solutions for every VMware KMS need.

We are all working from home now. At least, in the technology world that seems to be true. What does this mean from a security standpoint? Here are a few thoughts:

Technology workers (programmers, project managers, customer support staff, pre-sales engineers, etc.) are generally pretty comfortable with remote work. This is the result of a multi-year trend driven by talent shortages, distributed organizations, and out-sourcing. However, traditional finance and administrative workers tend to be more office-centric. They are rapidly adjusting to working at home and figuring out how to balance work in a home environment. Kids in your space? Yup, it’s a big adjustment for everyone when you suddenly move from office to home.

With COVID-19, we are doing work-from-home to better protect our colleagues, our families, and our friends and community. It is critical that we do physical distancing and get it right. It is truly a matter of life and death. 

I believe that there are security implications to this change, too. Corporate systems are at more risk. 

When we move workers from the office to home, we expand the attack surface. Our home PCs and networks have probably not had the same security scrutiny that office systems have. But those home PCs now have access to the corporate network. There is a lot of use of VPN, Remote Desktop Protocol (RDP), and terminal emulators like GoToMyPC to get connectivity. I think in a lot of cases the security exposure has increased as we deal with the COVID-19 pandemic. 

We need to take this expanded threat to our corporate systems seriously. Cybercriminals will happily use any new weakness to access our sensitive data. It may be a lot easier to break into your home network and jump to the corporate network.  Here are some things you can do right away:

• Start reviewing home PCs and networks like you would internal systems. And start with your system and network administrators. They often hold highly authorized credentials. Create a special team to get this done as quickly as possible. 
• Make a prioritized list of your application databases that hold sensitive data. Or, if you have the list, do a quick review and update as needed. You probably have some databases that are easy to protect with encryption and good encryption key management.
• These databases are fast and easy to protect: Microsoft SQL Server (TDE), MySQL, MongoDB, and Oracle Database. You can get these common databases under encryption protection very quickly. 
• Do you use VMware for your IT infrastructure? You probably do. It is very fast and easy to implement encryption of VMs and vSAN. This is a fast and easy win.
• Get management buy-in. We all know that we have an emergency on our hands. Enlightened management will get on board quickly. They are going to have to approve new human resource assignments and some new budget. 

We are in uncharted territory with COVID-19. Here at Townsend Security we are committed to helping you survive this challenge. We will help you get the data security you need. Just talk to us.

Patrick

I am often asked about public cloud provider encryption key services like AWS KMS and Azure Key Vault. There are substantial differences between an Enterprise Key Management System (we have one) and the key services provided by Amazon and Microsoft (and Google has one, too). Enterprise Key Management Systems provide dedicated, full lifecycle key management under your exclusive control. Cloud key services provide a small subset of encryption key management support, in a non-dedicated, multi-tenant, shared environment. 

Perhaps the best way to show the differences is in a side-by-side table comparing our Alliance Key Manager for AWS and Azure, and Cloud Service Provider (CSP) key services: