Blog | Townsend Security

VMware and SQL Server Encryption – We Can Do That

Written by Patrick Townsend | Dec 2, 2014 5:44:00 PM

VMware is hands-down the virtualization choice of large and small organizations. And it is easy to see why. Not only is it a highly reliable and scalable platform, but VMware provides a complete set of tools you need to deploy, manage, monitor, and protect virtual machines. And did I mention that it totally rocks the scalability challenge?

Let’s look at how VMware customers who run Microsoft SQL Server applications can enable encryption and key management to protect sensitive data and meet compliance regulations.

First Step:

We have to solve the encryption key management challenge. As we like to say around here, the hardest part of security is encryption, and the hardest part of encryption is key management. We have to store the encryption keys separate from the protected data, and use industry standard practices to protect them. With our Alliance Key Manager for VMware solution we make this problem easy to solve. Our key manager comes in a ready-to-deploy OVA format and VMware customers can just launch the key manager with standard VMware tools. Of course, there are some security best practices on how to properly deploy a security application like a key manager in VMware (see the resources section below). With Alliance Key Manager’s Ready-To-Use options you can have your VMware key management problem solved in just SECONDS.

Of course, some of our VMware customers want to protect encryption keys in traditional Hardware Security Modules (HSMs). No problem, Alliance Key Manager can be deployed as a rack-mounted HSM or as a vCloud instance.

The Second Step:

Now we want to enable encryption in SQL Server and protect the encryption keys with Alliance Key Manager. Thanks to Microsoft’s Extensible Key Management (EKM) interface, this is incredibly easy. Alliance Key Manager comes with EKM Provider software that plugs right into SQL Server to enable encryption and protect your encryption keys. We call this our Key Connection for SQL Server application and it installs on your SQL Server VMware instance using a standard MSI install process. Key Connection for SQL Server runs in all SQL Server environments including VMware, hardware, vCloud, and cloud platforms so hybrid environments are fully supported. Install the credentials, select the SQL Server instances you want to protect, answer some questions, type a few commands and you have a fully protected SQL Server database using Transparent Data Encryption (TDE). Again, this takes just minutes to accomplish.

SQL Server also supports column level encryption, which Microsoft calls Cell Level Encryption. It can provide better performance for some SQL Server databases. Yes, that’s also supported through the same Key Connection for SQL Server software.

The beauty of the Microsoft EKM architecture is that you don’t need to modify your SQL Server applications to deploy encryption. Your DBA and security team can get your data protected very quickly without a development project. Anybody got budget for that these days?

Hint

Already encrypting SQL Server but aren’t protecting your encryption key? That’s easy – you can install Key Connection for SQL Server, issue a few commands, and the problem is solved!

The Third Step:

What about high availability, business recovery, clustered configurations, and system logs? We’ve got all of that covered, too. Using the same Key Connection for SQL Server EKM Provider (did I mention that it’s free?) you can configure one or more secondary key servers that function as high availability failover servers for business recovery? Key Connection for SQL Server will automatically failover to secondary key servers if the primary key server is unavailable.

Alliance Key Manager also fits nicely into your active monitoring strategy. You can easily enable forwarding of all key access, key management, encryption, and system activity logs to your log collection server or SIEM solution.

Celebrate Victory and Do It Again!

Alliance Key Manager protects Oracle, IBM, MySQL and other databases as well as web applications and unstructured data. You get to deploy one key management solution to protect everything. And do you know how much it will cost you to do your next project? Nothing, zilch, zed, nada! Alliance Key Manager does not force you to license and pay for client-side applications.

Hint

I’ll talk more in future posts about how to protect other databases and applications in VMware environments. Stay tuned if you run SharePoint, Microsoft CRM or ERP applications, Oracle, or open source databases like MySQL and SQLite.

How Much Better Can This Get?

You can evaluate Alliance Key Manager and Key Connection for SQL Server in your own VMware environment free of charge. Just visit our Alliance Key Manager for SQL Server page and request a free 30-day evaluation.

Encryption and key management? We can get this done right!

Resources:

PCI SSC Virtualization Guidelines

VMware Solution Guide for Payment Card Industry (PCI)

Securing Alliance Key Manager for VMwar

Alliance Key Manager for VMware Solution Brief