An Introduction to Townsend Security's VMware Guidance Document

VMware customers benefit from the many operational, and cost efficiencies provided by VMware virtualization technologies both in traditional IT infrastructure and in cloud environments. As VMware customers deploy data encryption solutions as a part of their defense-in-depth strategy, the need for encryption key management can present barriers to a good encryption implementation. This article provides high-level guidance, general in nature, on how deploy and protect Alliance Key Manager for VMware within your VMware environment. Actual VMware deployments of Alliance Key Manager for VMware will use different VMware applications and architectures to meet specific user, application, and security needs.

General VMware Recommendations

Identify and Document Trusted and Un-Trusted Applications

Properly identifying application groups based on the level of trust is critical for a secure implementation of virtualized applications and encryption key management services. Create and isolate a management cluster for your core VMware applications such as vSphere, vShield, etc. Identify application groups and their associated level of trust, and isolate applications into appropriate application workgroups. Avoid mixing trusted and untrusted applications in a workgroup.

You should consider creating a security workgroup to contain your third party security applications such as encryption key management, authentication services, active directory, system logging, and other applications whose primary function is to assist in securing your VMware environment. Encryption key management services provide by Alliance Key Manager should be implemented in this separate security workgroup used for critical, non-VMware security applications.

In preparation for properly securing these environments, create an inventory of all Virtual Machines managed in each workgroup. For each workgroup and virtual machine, identify the security controls that will be required for each one (network segmentation, storage segmentation, system logging, active monitoring, etc.). VMware flow tools can assist with this documentation.

Restrict Physical Access

Fundamental to all IT security implementations is proper security of the physical environment. This means proper physical security controls and physical monitoring of the data center as well as good auditing and procedural controls. These physical controls should also apply to access to VMware management and security applications. You can look to the PCI Data Security Standards and guidance for information on appropriate physical controls. You can also refer to standard security guidance in SOC 2 and SOC 3 assessments for information on physical controls. When deploying on a cloud platform it is always a good idea to ask the Cloud Security Provider (CSP) for a copy of the PCI letter of attestation, or an SOC 2 / SOC 3 report.

Isolate Security Functions

Because security applications are often a target of cybercriminals, you should isolate them into their own security workgroup and implement the highest level of VMware security. Only trusted VMware administrators should have access rights to Alliance Key Manager, system logs, and audit reports. Be sure to actively monitor access to and use of all encryption key management, key retrieval, and encryption services.

Change VMware Default Passwords

Review all VMware applications used to secure and manage your VMware environment and change the default passwords as recommended by VMware. The failure to change default passwords is one of the most common causes of security breaches.

Implement Network Segmentation

Network segmentation is easy to accomplish with VMware network management and security applications and you should implement network segmentation to isolate applications that process sensitive information from applications that do not require as high a level of trust. Additionally, you should provide network segmentation for all third party security applications such as Alliance Key Manager. Network segmentation should include all high availability and business recovery infrastructure. Do not rely on virtual network segmentation alone; use firewalls that are capable of properly securing virtual networks.

Implement Defense in Depth

The VMware management and security applications provide for a high level of security and monitoring. They also provide hooks and integration with third party security applications that provide system log collection, active monitoring, intrusion detection,etc. Encryption is a critical part of a defense-in-depth strategy, and protecting encryption keys is the most important part of an encryption strategy. Regardless of the operating systems in your application Virtual Machines, Alliance Key Manager will provide encryption key management, key retrieval, and encryption services for your business applications and databases running in your VMware infrastructure.

Monitor VMware Administrative Activity

Use an appropriate SIEM solution to collect VMware application and ESXi hypervisor system logs and perform active monitoring. The log collection and SIEM active monitoring solutions should be isolated into a security workgroup that contains other third party security applications such as Alliance Key Manager.

For more detailed information, read the entire VMware Guidance Document and other materials available in this VMware Resource Kit: 

Organizations running SQL Server Enterprise edition gain the added benefit of SQL Server transparent data encryption (TDE) and extensible key management (EKM). The encryption capabilities of Enterprise edition enable users to easily encrypt data at the column level of a database, and EKM allows users to store encryption keys using a third-party encryption key management solution. These streamlined capabilities of SQL Server Enterprise Edition have made SQL Server one of the easiest databases to encrypt, and therefore it’s popularity hasn’t waned.

One of the biggest issues facing SQL Server users today is maintaining security as users move their SQL databases to the cloud. While Microsoft Azure remains a popular cloud service provider (CSP) for SQL users, Amazon Web Services (AWS) and VMware are also common amongst organizations moving to the cloud, especially those migrating a multi-platform environment. Each of these top-tier CSPs offer security solutions to help you protect your cloud environment; however, when considering security in the cloud there are two important things to remember: The security offered by your CSP won’t provide you with a complete security solution, and the security solutions you bring to protect your data in the cloud can fail if not implemented correctly.

Don’t rely on the cloud for complete security!

Your CSP should provide your business with some security, but their solutions are likely limited. Most CSPs will offer firewall protection, for example. Top-tier CSPs have also undergone some certifications such as Payment Card Industry (PCI) and FedRAMP compliance. It is important to remember, however, that relying on firewalls alone is not enough to prevent intruders, and cloud certifications never mean that your company will automatically meet these compliance regulations as well. A comprehensive data security plan is required for any business operating in the cloud, and this typically requires using third-party security solutions to ensure your business meets compliance and is adequately protecting data.

Remember these two things when protecting data in the cloud:

• The security solutions offered by your cloud vendor are rarely enough to prevent a data breach.
• Just because your cloud service provider is compliant, doesn’t mean you are.

Storing data in SQL Server in the cloud presents new security challenges. Hackers or malicious users can gain access to sensitive data easily through common hacks. Easy hacking of SQL Server is a result from:

• Incorrect configuration of cloud provider’s firewall
• Attacks through weaknesses that could have been addressed by updating and patching SQL Server
• Missing or weak passwords
• social engineering and account hacking
• Lax administrative access

When it comes to securing SQL Server in the cloud, you should also always consult your legal and auditing team (or consultants) before assuming that your data is safe and you are compliant with any industry security regulations. On a general level, it’s important to include these security measures in your holistic security plan:

• Intrusion prevention
• System logging and monitoring
• Encryption & key management
• SSH in place of passwords
• Limited access to sensitive data
• Separation of duties and split knowledge when accessing encryption keys and sensitive data.

It’s important to remember that your business continuity relies on your own security plan. Regardless of the environment, when your organization experience a data breach, ultimately the responsibility is yours. Your customers, as well as your employees, rely on you to protect their data, and if you fail to do so, the consequences may include loss of customer loyalty and a severely damaged brand. The ultimate way to prevent access to sensitive data is using encryption and encryption key management.

To learn more about how Microsoft SQL Server Enterprise Edition can easily be secured in the cloud, download:

Questions and Answers on Encryption and Key Management Projects

VMware® is hands-down the virtualization choice of large and small organizations, and it is easy to see why. Not only is it a highly reliable and scalable platform, VMware also provides a complete set of tools you need to deploy, manage, monitor, and protect virtual machines.

Earlier this month, Paul Taylor with Security Insider - Podcast Edition spoke with our founder, Patrick Townsend about encrypting data on Microsoft SQL Server in VMware environments, steps to encrypting data on SQL Server (with and without TDE), as well as talk about Townsend Security’s Alliance Key Manager for VMware. Here are a few highlights (download the podcast for the whole conversation):

Paul Taylor: We’ve talked about the Townsend Security encryption and key management solutions for VMware. Today let’s put the focus on Microsoft SQL Server and encryption in the VMware customer environment. Can you give us an overview of how VMware customers can protect data in SQL Server databases?

Patrick Townsend: Just to recap, we really need two things to get encryption right: A key management solution to protect the critical encryption keys, and an encryption solution for the SQL Server database. And they have to talk to each other.

For the first part, our Alliance Key Manager for VMware solution provides a fully functional, enterprise key management solution that protects SQL Server databases as well as other databases and other operating systems.

For encrypting SQL Server, our Alliance Key Manager solution comes with a full Microsoft SQL Server Extensible Key Management Provider. We call this Key Connection for SQL Server and it is one of the modules that our key management customers receive without paying additional license fees. Key Connection for SQL Server provides the encryption and integration with our key server to provide a complete, end-to-end solution for encrypting data in the SQL Server database.

Paul Taylor: Can you talk a little about how Microsoft enables encryption in SQL Server?

Patrick Townsend: If you are running SQL Server Enterprise Edition or higher, you have access to Microsoft’s automatic, full database encryption facility called Transparent Data Encryption, or TDE. You also have access to Microsoft’s automatic, column level encryption facility which Microsoft calls Cell Level Encryption. Both of these options, TDE and Cell Level Encryption,  are implemented without any programming work at all. And both are fully supported by Alliance Key Manager and the Key Connection for SQL Server software from Townsend Security.

Paul Taylor: What about Microsoft customers who aren’t using the Enterprise Edition of SQL Server? Can they encrypt their data with the Townsend Security solution?

Patrick Townsend:  With SQL Server Standard and Web Editions we provide two paths to encrypt data. The first is to use SQL Views and Triggers along with our .NET DLL to provide automatic encryption without any changes to applications. And the second path is to modify your C# or Java applications to use our .NET DLL to perform encryption at the application level.

Both approaches leverage our Microsoft .NET DLLs to perform encryption with integrated key management. Both are very simple to implement. And there are no additional license fees to deploy and use our Microsoft .NET DLLs to accomplish this.

Paul Taylor: So, walk me through the steps for encrypting data in my SQL Server Enterprise Edition database. How difficult is it?

Patrick Townsend: Encrypting data in Enterprise SQL Server is really very easy. The first step is to install our Alliance Key Manager for VMware solution. It launches like any other virtual machine using the normal VMware applications and you can have a key management solution up and running very quickly.

The second step is to install the Key Connection for SQL Server application on the virtual machine running SQL Server in Windows. This is a normal install process with an MSI file. You answer some questions, install a certificate and private key in the Windows Certificate Store, and run a handful of commands to start SQL Server TDE encryption or Cell Level Encryption. You also restart the log file to be sure that it is encrypted as well. That’s about it.

Of course, you will want to follow the instructions on how to set up a high availability key server, and point your Key Connection for SQL Server configuration to it as failover. That is a normal configuration process and also very easy to do. We find that VMware customers can deploy SQL Server encryption very quickly.

Paul and Patrick also cover which versions of SQL Server are supported, the availability of Alliance Key Manager in other platforms (hint: it’s quite versatile), and our 30-day evaluation program (you can do a full proof-of-concept in your own environment at no charge). Be sure to download the podcast to hear the rest of their conversation:

Questions and Answers on VMware Encryption Projects

Every business is trying to save money and reduce complexity in their IT departments, and many are accomplishing this today by using virtual machines such as VMware®. While these businesses’ infrastructures are becoming virtual, their security threats are still very much real.

Recently Paul Taylor with Security Insider - Podcast Edition spoke with our founder, Patrick Townsend about encrypting data in VMware, encryption performance, and special encryption and key management concerns for VMware users.  Here are a few highlights (download the podcast for the whole conversation):

Paul Taylor: As VMware customers start to work on encryption projects to protect sensitive data, what are the things they worry about? What concerns them?

Patrick Townsend: VMware customers have made a large investment in VMware technologies. This includes, but is not limited to, an investment in the VMware solution stack that lets them run a variety of virtual machines; administer those machines, monitor the health of the virtual environment, and secure the entire infrastructure of virtual machines and VMware itself.

VMware customers also have invested heavily in the talent needed to run a VMware data center, have adopted governance and risk management procedures specific to a VMware environment, and have invested heavily in migrating existing applications to this platform. It’s a large investment but the payoffs are substantial.

So, when approaching an encryption project the VMware customer really wants to deploy products and solutions that run naturally in VMware. It is painful and concerning to have to deploy solutions that don’t fit naturally.

Paul Taylor: I know that Townsend Security has encryption and key management solutions for VMware customers. Can you talk a little about those?

Patrick Townsend: For any encryption project there are really two major components:

1. The encryption of the sensitive data, usually in a Windows or Linux virtual machine
2. The protection of the encryption keys

An effective strategy in the VMware environment has to address both of these. I think we are doing this very well with our encryption solutions for VMware.

First, our Alliance Key Manager for VMware product provides for the creation, management, and protection of encryption keys in a VMware virtual machine. It runs the same FIPS 140-2 compliant key management solution that we offer in our Hardware Security Modules (HSMs). So VMware customers can get encryption key management right without having to go outside of their VMware infrastructure.

Second, all of our encryption solutions that are deployed to protect sensitive data run in the VMware platform and talk to our key manager. For example, you can deploy our SQL Server Transparent Data Encryption solution for automatic SQL Server encryption in a Windows Server virtual machine, and it will talk naturally to our key management server also running in a VMware virtual machine. It’s a perfect match for the VMware customer.

Paul Taylor:  Encryption has a reputation for being the hardest part of security. How do you address that concern?

Patrick Townsend: Yes, you are certainly right about encryption having a reputation for being hard and expensive to deploy. However, things are really different today. I’ll give you a couple of examples:

First, our VMware key management solution will soon be released as a ready-to-use key manager. This means that the first time you boot our Alliance Key Manager For VMware solution it will ask you a few questions, create a complete configuration for the key manager, and start the service. You literally have a functioning key server in a few seconds. What 5 years ago required multiple engineers and weeks of installation and configuration now gets done in a blink.

Secondly, our client-side encryption applications and SDKs are also designed for rapid deployment. For example, SQL Server Transparent Data Encryption also deploys through a standard Windows install process. Again, you answer a few questions, install credentials into the Windows Certificate store, run a handful of SQL Server commands, and you are fully protected with encryption. It is incredibly easy.

Paul Taylor:  I think everyone worries about performance when you talk about encryption. How well do your encryption solutions perform in VMware?

Patrick Townsend: Performance impacts are a natural thing to worry about. Encryption is a CPU intensive task, and it will have some effect on your application or database. Fortunately modern encryption libraries are very efficient and the impact is usually very modest. Back to our example about SQL Server TDE encryption, the average customer will experience about a 2% to 4% impact when activating TDE encryption. This is very manageable. Large SQL Server databases can pose a performance issue with TDE which is why we also support Cell Level encryption with SQL Server.

We always encourage our customers to try our encryption solutions before they make a full commitment. We make it very easy to do a proof-of-concept project with encryption. Our free evaluations let you take it for a spin and evaluate the impacts yourself.

Paul and Patrick also cover topics on high availability, business recovery, and compliance regulation concerns for protecting data in a VMware environment.  Be sure to download the podcast to hear the rest of their conversation:

Understanding PCI Merchant Levels and how an assessment can help your business

If your business takes credit cards for payment, then you are subject to the Payment Card Industry – Data Security Standards (PCI-DSS).

Companies of all sizes must comply with PCI DSS to ensure that their customers' data is protected during the processing and transmission of credit or debit card transactions and securely stored within any internal databases. PCI categorizes businesses into different classification levels based on the number of transactions and dollar amounts they processes each year.

Level 1 – All merchants processing more than 6 million card transactions annually

Level 2 – All merchants processing between 1 million and 6 million card transactions annually

Level 3 – All merchants processing between 20,000 and 1 million card-not-present only transactions annually

Level 4 – All other merchants

Level 1 companies are most likely well versed in the annual PCI audit process as they have a certified onsite audit annually with a Qualified Security Assessor (QSA). Level 2, 3, 4 merchants are not required to hire an onsite QSA, but can have a certified Internal Security Assessor (ISA) do the PCI self assessment annually. However, a small business preparing a self-assessment to participate in their first PCI review may find it a little daunting. If you're feeling that the PCI assessment process is overwhelming and complicated, understanding this process may be the first step toward putting your mind at ease. If you are a Level 1 merchant, the PCI assessment is a process carried out by a QSA to establish whether or not a business is compliant with security standards relating to the processing of transactions made via a credit or debit card (payment card). PCI compliance assesses your business point of sale system, payment applications, and all interconnecting systems with these goals in mind: (1) to examine your system, (2) to identify vulnerabilities, and (3) to prevent data from being compromised.

It’s not a matter of “IF”, but “WHEN”

If you have already suffered a data breach, working closely to review your assessment and put data security best practices into place will provide you with a roadmap to help avoid future losses. If you have not yet been breached, undergoing an assessment and reviewing your risk tolerance can still be stressful. Understanding the process may alleviate some of that stress and help you to maximize your use of the information in the PCI DSS assessment report

How can a PCI audit help my business?

PCI compliance auditing helps businesses to ensure they are providing the most secure environment for their customers to process payments and ensures that transactions are less likely to result in a compromise in the customers' data.

Ensuring that you meet PCI compliance and have a solid infrastructure for managing data security will increase customer confidence in your business and ensure that you're not exposed to security breaches that could have been avoided. 

To learn more about meeting PCI compliance requirements, download the whitepaper Meet the Challenges of PCI Compliance and find the answers to the following questions (and more):

• What will my auditor look for?

• How can I ensure my customers' data is secure?
• What is the difference between tokenization and encryption?
• What is encryption key management and why are auditors looking at this?

VMware is hands-down the virtualization choice of large and small organizations. And it is easy to see why. Not only is it a highly reliable and scalable platform, but VMware provides a complete set of tools you need to deploy, manage, monitor, and protect virtual machines. And did I mention that it totally rocks the scalability challenge?

Let’s look at how VMware customers who run Microsoft SQL Server applications can enable encryption and key management to protect sensitive data and meet compliance regulations.

First Step:

We have to solve the encryption key management challenge. As we like to say around here, the hardest part of security is encryption, and the hardest part of encryption is key management. We have to store the encryption keys separate from the protected data, and use industry standard practices to protect them. With our Alliance Key Manager for VMware solution we make this problem easy to solve. Our key manager comes in a ready-to-deploy OVA format and VMware customers can just launch the key manager with standard VMware tools. Of course, there are some security best practices on how to properly deploy a security application like a key manager in VMware (see the resources section below). With Alliance Key Manager’s Ready-To-Use options you can have your VMware key management problem solved in just SECONDS.

Of course, some of our VMware customers want to protect encryption keys in traditional Hardware Security Modules (HSMs). No problem, Alliance Key Manager can be deployed as a rack-mounted HSM or as a vCloud instance.

The Second Step:

Now we want to enable encryption in SQL Server and protect the encryption keys with Alliance Key Manager. Thanks to Microsoft’s Extensible Key Management (EKM) interface, this is incredibly easy. Alliance Key Manager comes with EKM Provider software that plugs right into SQL Server to enable encryption and protect your encryption keys. We call this our Key Connection for SQL Server application and it installs on your SQL Server VMware instance using a standard MSI install process. Key Connection for SQL Server runs in all SQL Server environments including VMware, hardware, vCloud, and cloud platforms so hybrid environments are fully supported. Install the credentials, select the SQL Server instances you want to protect, answer some questions, type a few commands and you have a fully protected SQL Server database using Transparent Data Encryption (TDE). Again, this takes just minutes to accomplish.

SQL Server also supports column level encryption, which Microsoft calls Cell Level Encryption. It can provide better performance for some SQL Server databases. Yes, that’s also supported through the same Key Connection for SQL Server software.

The beauty of the Microsoft EKM architecture is that you don’t need to modify your SQL Server applications to deploy encryption. Your DBA and security team can get your data protected very quickly without a development project. Anybody got budget for that these days?

Hint

Already encrypting SQL Server but aren’t protecting your encryption key? That’s easy – you can install Key Connection for SQL Server, issue a few commands, and the problem is solved!

The Third Step:

What about high availability, business recovery, clustered configurations, and system logs? We’ve got all of that covered, too. Using the same Key Connection for SQL Server EKM Provider (did I mention that it’s free?) you can configure one or more secondary key servers that function as high availability failover servers for business recovery? Key Connection for SQL Server will automatically failover to secondary key servers if the primary key server is unavailable.

Alliance Key Manager also fits nicely into your active monitoring strategy. You can easily enable forwarding of all key access, key management, encryption, and system activity logs to your log collection server or SIEM solution.

Celebrate Victory and Do It Again!

Alliance Key Manager protects Oracle, IBM, MySQL and other databases as well as web applications and unstructured data. You get to deploy one key management solution to protect everything. And do you know how much it will cost you to do your next project? Nothing, zilch, zed, nada! Alliance Key Manager does not force you to license and pay for client-side applications.

Hint

I’ll talk more in future posts about how to protect other databases and applications in VMware environments. Stay tuned if you run SharePoint, Microsoft CRM or ERP applications, Oracle, or open source databases like MySQL and SQLite.

How Much Better Can This Get?

You can evaluate Alliance Key Manager and Key Connection for SQL Server in your own VMware environment free of charge. Just visit our Alliance Key Manager for SQL Server page and request a free 30-day evaluation.

Encryption and key management? We can get this done right!

Resources:

PCI SSC Virtualization Guidelines

VMware Solution Guide for Payment Card Industry (PCI)

Securing Alliance Key Manager for VMwar

Alliance Key Manager for VMware Solution Brief

Because Hackers Don’t Take a Holiday

Companies earn my loyalty when I know they are looking out for and protecting their customers! So yes, I am truly thankful every day for data security and the encryption & key management solutions that help protect our personal information.

Michelle – Marketing

I’m grateful for all the amazing blessings I receive on a daily basis.  I have a loving and healthy family, dear friends, creative and witty co-workers.  I also get to work for a company that is truly focused on doing good in the world, our community, and here in the office too.   

Robbi – Administration 

I am thankful everyday I wake up and have the gift of another day to spend with my family, friends and doing the things I love.

Ken ~ Marketing

I am thankful for my girls!  (the day we adopted our daughter and became a forever family)

Jim – Development

I am thankful for my family and friends.

Victor – Partner Operations

I am thankful for a happy and healthy family.

David –Support

I’m thankful for biosynthetic insulin!

Shayna – Sales

I am thankful for my family who has always challenged me to be the best version of me.  I am thankful for the family I call my coworkers for always believing in my abilities.  I am thankful for my fiance for always making me feel safe and making me laugh.  I am thankful for my dog Barkley who has brought me pure joy and happiness and my new puppy Lenny who we are getting for Christmas!

Sandra – Administration

I am thankful for our family cabin and the joy that it brings.

Robbn – Support

This is exactly what I am thankful for…  3 of my favorite people!

Tim – Development

I am thankful there’s always more!

James – Sales

I am grateful for my wife and daughter's love.

Luke – Marketing

I am thankful for an awesome, musical family and being able to work with an awesome company that is helping keep your and my personal information safe.

Carol – Administration

I am thankful for my family, and for working at a place where everyone feels like family!

Victoria – Support

I'm thankful for Starbucks hot chocolate.  

Katie – Administration

I’m always thankful for family, friends and community!

Paul – Development

I'm thankful for the way the universe has brought me together with my father, he is 97 and an irascible old guy. But he has an unbounding love for life and an enthusiasm that is fantastic. Unfortunately his zest for living exceeds his physical abilities but to see his love for the moment is wonderful.

Patrick – CEO

I am thankful for my wonderful family, my tolerant and forgiving friends, and for the great community of employees and partners who make Townsend Security successful. Best holiday wishes to them all!

Being surrounded by loved ones, mashed potatoes, turkey, gravy, and pies has become the annual setting where Americans express their thanks each November.  Instead of bottling up all that gratitude to be released on one day, let’s take time throughout the year to show our thanks, express our gratitude, and share with others!  

“Not what we say about our blessings, but how we use them, is the true measure of our thanksgiving.” ― W.T. Purkiser

For many business leaders, the idea of moving to the cloud can be a daunting thing. Fear of the cloud still exists, and this fear is easily understood due to the inherent insecurities of the cloud. A shared, multi-tenant environment would never sound like a safe place to store sensitive business and customer data. The appeal of low-cost data storage clearly has trumped these fears, and today the cloud has become the de-facto platform for all small businesses and startups as well as larger corporations that are continually trying to mitigate costs and choose to use the cloud over buying new, expensive hardware that must be operated in-house.

However, movement to the cloud has not alleviated these fears, and the biggest concern with the cloud remains security. This is largely because there isn’t a standard for securing data in the cloud, and although organizations such as the Payment Card Industry (PCI) and the Cloud Security Alliance publish recommendations around protecting data in the cloud, there are no hardened rules in place for organizations to follow to help them (or make them) secure data and prevent data breaches in the cloud.

The cloud has become a paradox for business leaders desperate to cut costs and manage risk at the same time. Using the cloud to store and process data at a lower cost is an obvious choice; however, such a quick decision often precludes due diligence around risk mitigation. It leads one to ask, if it’s the CEO’s job to govern and manage risk, why isn’t she or he more aware of the risks associated with storing sensitive data in the cloud?

The answer might be this: CEOs aren’t necessarily ignoring the risk, but simply do not know how to ask the right questions in order to adequately assess risk. If they don’t know how to assess risk in a certain area of their business, then there is little way to control that risk. When dealing in a technical landscape where data breaches are the new norm, and the cost of a breach can be millions, the inability to control the risk of a data breach is a massive problem.

For CEOs and business leaders concerned about sensitive data and data breaches in the cloud, it is important to learn the basics of assessing data security risk. A good place to start is by nailing down the answers to these topics:

1. Find out if the customer data your company is processing or collecting must be protected under industry data security regulations and/or state laws. You may be surprised to find out that data not listed under these regulations is now considered “sensitive” in the public eye, such as email addresses, passwords and phone numbers and should also be encrypted.
2. Choose a cloud provider that will work with your compliance needs and help you mitigate risk. If applicable, choose a cloud provider that provably demonstrates commitment to security and privacy by having undergone PCI, FEDRamp, SOC or similar certifications. You may want to have the option of storing some data in a private cloud. Does your cloud provider offer this?
3. Work with your compliance auditor(s) to determine if your cloud solution aligns with industry compliance requirements and best practices. At the end of the day, your auditing and legal counsel should be able to determine if you are securing data to regulations, recommendations and best practices. It is important to remember that meeting compliance is often considered a low bar and that it is typically better to do more than the bare minimum requirements.
4. Document the type of data that you will be storing or processing in the cloud and which compliance regulations apply to encrypting that data. Depending on whether you are handling credit card information, financial information, patient healthcare information, or other types of sensitive data, you may fall under one or more industry data security regulations. Each set of regulations identifies what kinds data need to be encrypted
5. Choose a cloud provider that will allow you to bring your own encryption key management when encrypting data. When encrypting data in the cloud, it is critical to remember that your encryption keys are your keys to the kingdom. If you store your encryption keys with your encrypted data, then anyone who gains access to that data will be able to decrypt it using the encryption keys. Some cloud providers offer key management as a service, which may be an adequate method of protecting encryption keys, but may not be preferable for organizations who want complete control over their encryption keys.

For any business leader concerned with GRC, knowing how to assess risk in the cloud is critical. Download our podcast "Encryption, Key Management, and GRC" to learn about what technologies you can implement to help mitigate a data breach or prevent one from happening altogether.

Many companies, however, do not know how they are being attacked.

Today we want to expose and explore the ways bad actors gain access to, and exploit, your sensitive data.  Follow along as we look at the costs, the causes, and the preventative measures of data breaches. You can click on the info graphic to download additional resources!

Don't forget to click on the info graphic to request additional data security resources!

More Questions from the Tradeshow Floor (Part 2)

In our last blog we touched on a few of the questions asked at events we attended in November.  There were so many great conversations that I’ve decided to share a few more!

With the various platforms that I can deploy an encryption key manager in, how do I know which one is right for me?

There are several factors that will come in to play when deciding where you deploy your key management:

• Compliance regulations that you need to meet can be a factor in whether you deploy an Hardware Security Module (HSM) or a cloud HSM or a virtualized instance. If you are working with an auditor or going through a QSA audit, you'll want to have a conversation with them to understand their expectation from a compliance point of view around where you deploy your encryption key manager.
• Risk tolerance will also come into play. You may have a security group within your organization with strong feelings about how to deploy encryption key management and how to mitigate risk. If you have large amounts of sensitive data to protect you might decide to deploy an HSM in your secure data center. If you're dealing with a very small amount of data and you do not process credit cards or personally identifiable information, your risk assessment may indicate a cloud deployment.
• Budget is certainly always a factor to consider. It is important to consider the cost benefits of security however, we all understand that leaving our data in the clear is no longer an option. It is a matter of understanding your industry regulations and risk assessment, then deciding what encryption and key management to deploy.

While they are generally the most secure solution, Hardware Security Modules (HSMs) can be more expensive than a virtual environment, dedicated cloud instance, or virtual private cloud. Once you look at all the factors that affect your company, we will be there with the right solution that will work for your needs.

Tell me more about all these different options you have for the Alliance Key Management Solution… are they all going to help me meet compliance requirements?

There are still our original hardware security modules (HSMs) and now there are new options for deployment of cloud-based HSMs, virtual appliances (VMware), and true cloud instances of encryption and key management in AWS and Microsoft Azure.

• Hardware Security Module (HSM) is a physical appliance or security device that is protected and tamper evident. Built for high resiliency and redundancy it has hot swappable rated disc drives, dual power supplies, dual network interfaces, and is deployed in your IT data center.
• Cloud HSM is a physical appliance hosted in a secure cloud with real-time encryption key and access policy mirroring.  Dedicated HSMs are hosted in geographically dispersed data centers under an ITIL-based control environment and are independently validated for compliance against PCI DSS and SOC frameworks. No access is available to the cloud vendor or any unauthorized user.
• Virtual Appliances are the exact same key management solution - the same binary software that runs inside the hardware HSM - available as a VMware instance.
• In the Cloud - If you're running on Microsoft Windows Azure, vCloud, or in Amazon Web Services (AWS),the encryption key manager can run as a true cloud instance in a standard cloud or deploy in a virtual private cloud for added data protection for sensitive applications.

Because encryption and key management is so important, we offer all of the options listed above as NIST and FIPS 140-2 compliant solutions.

How is Alliance Key Manager Priced?

We have a wide set of options for our customers, and are dedicated to helping find affordable solutions. We have perpetual license or subscription options for classic HSMs, Cloud HSM, and virtualized environments. Our cloud offerings are true usage-based subscriptions, so if you're used to deploying in Amazon Web Services or Windows Azure, our encryption & key management solutions will fit that same strategy for pricing.  

We really believe that the encryption should go everywhere you need it to go! Your key management should work across a wide set of application environments, and it must be affordable, so that we can all get where we need to be in terms of protecting sensitive data. Regardless of where your data is or what platform you are using, there's a key management solution that can work for you!

How can Encryption and Key Management improve my bottom line?

Whether you choose a designated hardware security module (HSM), something designed specifically for virtualized environments (VMware), or data storage in the cloud, encryption and key management solutions can help you:

• Gain competitive advantage and build loyalty by protecting your customers data against access by unauthorized users
• Reduce hardware costs by leveraging virtual environments in the cloud
• Significantly improve your data security strategy while satisfying data compliance and privacy requirements

Overall, data encryption offers many benefits and provides solid protection against potential threats or theft. In addition to the many benefits, encryption is also efficient, easy to use, and affordable!

What sets Townsend Security apart from other key management vendors?

We want to protect data and make sure encryption is available everywhere you need it, so at Townsend Security we have a very different philosophy and approach:

• We think that when you buy an encryption key manager, you should be able to easily deploy the solution, get all your encryption projects done properly, and have very affordable and predictable costs.
• We understand that we live in a world where budget matters to our customers, so we do not charge client-side fees.  
• We know that IT resources are limited and have done a huge amount of work to make our solutions easy with out-of-the-box integrations, simplified deployments, and also provide along with our solution ready-made client-side applications, encryption libraries, source code samples, as well as SDKs for developers who need them to get their projects done very quickly.

Want to learn more about how to properly secure your data and protect your business against a data breach? Download our eBook “The Encryption Guide”: