Townsend Security Data Privacy Blog

How Can an MSP Use Encryption Security to Improve Revenues and Profitability? [Part 7 of 8]

Posted by Patrick Townsend on Nov 9, 2020 11:19:00 AM

Almost everyone considers encryption a sunk cost. You almost never see any type of Return On Investment (ROI) calculation when it comes to Key Management Server (KMS) systems. Acquiring a KMS system usually falls into the Capital Expense financial category when it comes to budgeting.

Let me change your thinking about KMS systems!

Here is a simple financial calculation based on a fictional MSP business. Let’s assume that as an MSP you charge your end customer $50 per month per managed VM. If you are managing 50 VMs for your customer, your gross revenue for that customer is $2,500 per month.

However, you have costs, too. Hardware, VMware licenses, IT experts, administrative costs, etc. Let’s just guess that this might add up to $1,250 per month, or half of the gross revenue. Your margin after direct costs might be $1,250. 

This example is probably extremely generous in terms of your gross margin. I suspect that your costs are probably higher and margins much lower. But let’s run with this example where gross margins are 50% of revenue.

Imagine that you become a Townsend Security MSP Partner and pay $5 per month per encrypted VM on a usage basis. You charge your customer $8 per month per encrypted VM netting $3 per month gross revenue per encrypted VM. The direct costs are very minimal. Your hardware and infrastructure costs are minimal. There are no minimum KMS license fees. There are no extra charges as you expand your use of the KMS. And very minimal IT Expert costs due to the encryption and KMS automation provided by VMware.

You probably just gained an additional $150 in gross margin from this customer. 

That represents a whopping 12% increase in overall gross margin! It is not often that adding one simple service to your business offering can net that much gross margin gain.

This is, of course, a very simplified example. However, I believe that many of our MSP partners are recognizing larger gains as they add VMware encryption to their set of offerings. One MSP partner told me that it is a “no-brainer” for the customer to sign up for the small additional cost per VM for encryption due to its low cost. You can have that experience, too.

 

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help an MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

 


Topics: VMware, MSP

As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs? [Part 6 of 8]

Posted by Patrick Townsend on Nov 4, 2020 11:12:00 AM

Business continuity and resilience are at the heart of the value proposition MSPs provide to their customers. That means that the key management server (KMS) system at the center of VMware encryption must be able to provide real time recovery along with your service strategy. There are several components to a good high availability (HA) strategy, and these vary from one KMS solution to another. Here is how our Alliance Key Manager integrates with VMware to achieve high availability:

KMS Real Time Mirroring

Alliance Key Manager implements real-time, active-active key mirroring between a production and one or more high availability key servers. When VMware creates a new key on the KMS for an encrypted VM, that key is immediately mirrored by Alliance Key Manager to a high availability key server. Mirroring is done in real time so that you always have a KMS ready to take over. All transmission of encryption keys is performed over a TLS encrypted connection with mutual authentication, and you have the option to deploy a failover key server in a different vCenter environment.

vSphere KMS Cluster Configuration and Automatic KMS Failover

The purpose of the vSphere module called KMS Cluster is to define your key managers to VMware and to establish trust between vSphere and the key server. A KMS cluster is a list of key servers along with connection and credential information. Normally you would define two key servers in a KMS Cluster – one key server for production use and one key server for failover use. By default, the first entry in the KMS Cluster is the production key server, and failover key servers follow in the order that vSphere will use them. vSphere automatically connects to a failover key server in the event it cannot communicate with the production key server.

You are not limited to one KMS Cluster configuration. If you want to deploy a dedicated key manager for a particular customer you can create a new KMS Cluster configuration and define the dedicated key servers in this new configuration.
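The ordered failover described above is something an MSP can check from a monitoring host. The following is an added example, not Townsend Security or VMware code: it walks a KMS Cluster list in order, probes each key server with a mutually authenticated TLS handshake on the KMIP port, and reports which server would be used. The host names, certificate paths, and status labels are assumptions made for illustration.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, List

KMIP_PORT = 5696  # IANA-registered port for KMIP over TLS


@dataclass(frozen=True)
class KeyServer:
    name: str
    host: str
    port: int = KMIP_PORT


def tls_probe(server: KeyServer, ca_file: str, cert_file: str, key_file: str,
              timeout: float = 5.0) -> bool:
    """Return True if a TLS handshake that presents our client certificate completes.

    The server certificate must chain to ca_file and match the host name.
    With TLS 1.3 a rejected client certificate may only surface on the first
    read, so treat this as a reachability and server-trust check.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    try:
        with socket.create_connection((server.host, server.port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server.host):
                return True
    except OSError:  # refused, timed out, or ssl.SSLError (certificate/protocol failure)
        return False


def evaluate_cluster(servers: List[KeyServer],
                     probe: Callable[[KeyServer], bool]) -> Dict[str, object]:
    """Model the ordered selection: the first reachable entry is the one in use.

    Status labels (assumed for this example):
      ok       - production server is up and at least one failover is up
      degraded - production server is up but no failover server is reachable
      failover - production server is down, a later entry is serving keys
      outage   - no key server in the cluster is reachable
    """
    if not servers:
        raise ValueError("KMS cluster has no key servers defined")
    reachable = [s for s in servers if probe(s)]
    active = reachable[0] if reachable else None
    if active is None:
        status = "outage"
    elif active is not servers[0]:
        status = "failover"
    elif len(reachable) == 1:
        status = "degraded"
    else:
        status = "ok"
    return {
        "status": status,
        "active": active.name if active else None,
        "down": [s.name for s in servers if s not in reachable],
    }


# Constructed sample cluster: first entry is production, the rest are failover.
CONSTRUCTED_CLUSTER = [
    KeyServer("akm-prod", "akm-prod.msp.example"),
    KeyServer("akm-ha", "akm-ha.msp.example"),
]


def constructed_probe(up_names):
    """Offline stand-in for tls_probe: only the named servers answer."""
    return lambda server: server.name in up_names


if __name__ == "__main__":
    for up in ({"akm-prod", "akm-ha"}, {"akm-prod"}, {"akm-ha"}, set()):
        print(sorted(up), "->", evaluate_cluster(CONSTRUCTED_CLUSTER, constructed_probe(up)))
    # Against real key servers, pass a probe bound to your own certificate files
    # (paths below are placeholders):
    # probe = lambda s: tls_probe(s, "ca.pem", "client.pem", "client.key")
```

The "degraded" state is the one worth alerting on early: encryption still works, but the next production outage would leave encrypted VMs without a reachable key server.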

KMS Backup, Scheduled and On Demand

It is always a good idea to have a backup of your critical applications. Alliance Key Manager lets you define a schedule for automatic, secure backups. The backup server, usually a Linux instance running sFTP, can be located offsite.

Of course, you can always perform a manual backup on demand. This manual backup can go to a local directory on the key server and be downloaded by the administrator for secure offsite storage.

MSP Backup

Most MSPs offer a backup service to their end customers. Since Alliance Key Manager is a normal VMware virtual machine you can use your current backup strategy to back up the key server, too.

Disaster Recovery as a Service (DRaaS)

If you offer your customers a DRaaS service you can also offer them key management through the Townsend Security MSP partner program. You can deploy a key manager on the customer’s premises and mirror keys to your DRaaS service at your hosting site. 

VMware Monitoring

Lastly, we can’t forget that VMware offers a rich set of tools to monitor the health of VMs. You can use those tools to monitor the health of Alliance Key Manager, too. Your MSP license agreement allows you to install VMware Tools on the key manager server. 

In summary there are a number of layers of high availability built into the deployment of Alliance Key Manager. This will give you and your end customer a high level of confidence in the resilience of your encryption offering.

 


Topics: VMware, MSP

Key Management Server (KMS) for Multiple vCenter Clusters and Nodes [Part 5 of 8]

Posted by Patrick Townsend on Nov 2, 2020 11:04:00 AM

We often get questions from MSPs about deploying our Alliance Key Manager solution across multiple vCenter nodes. Here is some good news for our MSP partners:

Multiple MSP Hosting or Cloud Locations

Many MSPs operate multiple regional hosting centers. Even small MSPs will typically have two locations in order to support high availability and backup. Each physical location will have one or more vCenter servers. Multiple vCenter clusters are not uncommon at a single data center location. Global MSPs often have to work within a country’s data sovereignty laws. This means a data center in each designated country. This increases the number of key management servers (KMSs) that must be deployed.

Production and High Availability Key Servers

Under the Townsend Security MSP partner program, there are no licensing restrictions and you can run as many KMS servers as you wish. This typically means running two key servers in each vCenter environment – one for production and one for high availability (HA) failover. Since the MSP partner program involves a usage based cost model, you can deploy as many KMS servers as you need. You only pay for the encrypted VMs and vSAN directories regardless of physical location and number of key servers.

Customer Dedicated Key Servers

You may find the occasional customer who doesn’t want to share a key server with other customers. VMware makes this easy to accomplish. You can just create a new KMS Cluster definition and add the new production and failover key servers to this configuration. Then start encryption of VMs and vSAN for that end customer using this new KMS Cluster configuration. Voila! Since there is no licensing cost for deploying key servers, this is a cost-effective way of meeting this customer requirement. You just report this customer’s encrypted VMs and vSAN directories during normal monthly reporting.

On-premise to Hosted or Cloud vCenter Nodes

If you are managing an end customer’s on-premise IT infrastructure, you can also deploy Alliance Key Manager on-premise and mirror to a hosted or cloud vCenter node. This is especially helpful to MSPs who are providing Disaster Recovery as a Service (DRaaS). The production environment can be in the end customer’s data center and you can mirror encryption keys to an Alliance Key Manager failover key server in your own environment. This helps achieve seamless failover for your customer.

Customer Dedicated vCenter Nodes

It is also not uncommon for an MSP to dedicate a vCenter server to a specific customer. That customer may have heightened security concerns, or may not want to share infrastructure with other customers. There may be corporate governance and security restrictions that require this. Again, MSPs only pay for the number of encrypted VMs and vSAN directories, regardless of the number of vCenter clusters and how they are used, and regardless of physical location.

In summary, we provide our MSP partners with all of the flexibility they need to support current customers and attract new customers. VMware encryption is a core security control that your customers demand, and you now have the tools to meet the need.

 


Topics: VMware, MSP

How Does Townsend Security Help an MSP Overcome the KMS Challenge? [Part 4 of 8]

Posted by Patrick Townsend on Oct 28, 2020 9:12:00 AM

In this blog series we’ve put the focus on the MSP’s challenges. Now let’s talk about how we at Townsend Security are helping meet those challenges.

Two years ago Townsend Security treated its MSP customers the way most legacy KMS vendors do. That is, we were a part of the problem. Thanks to the coaching and mentoring of some MSP leaders, we came to understand the need for a new approach, and we launched our MSP partner program. 

Key elements of our MSP partner program:

MSPs need confidence in the key management solutions they deploy. Townsend Security has been providing their Alliance Key Manager solution for VMware for more than 10 years. Alliance Key Manager is certified by VMware for every release of vSphere and vSAN that supports encryption, it is FIPS 140-2 compliant, and it is validated to PCI-DSS compliance.

The Townsend Security MSP partner program provides their key management server (KMS) to the MSP with no upfront license fees and no annual minimums. In fact, there is no perpetual or subscription license agreement at all, just a simple end user license agreement tailored for the MSP. The MSP gets training from Townsend Security and deploys the KMS into production. The cost of the solution is based on a low monthly charge per encrypted VM and vSAN directory. Just pay for what you use and nothing else. You can scale up and down your use of the KMS as needed. 

How many KMS servers can you deploy? As many as you want. You can share a KMS server across multiple customers, or deploy a dedicated KMS for a customer. You can deploy the KMS in your hosted environment, in the cloud (AWS, Azure, Google, IBM, etc.), and on the customer’s premises. No license or cost per KMS server, no restriction on the number of keys, no restriction on the number of encrypted VMs.

Each month you will report the number of encrypted VMs and encrypted vSAN directories you are managing. Payment is also simple and is made electronically through ACH bank transfer, wire transfer, or credit card. 

Townsend Security provides full 24/7 technical support for business interruption issues. There is no extra charge for software maintenance and support. 

It is not just all about technology. We also help you with marketing content, joint webinars, joint podcasts and security reviews. We understand that the typical MSP has a lot on their plate and does not need to spend time on deep security questions. We’ll help answer those tough customer questions about encryption and key management. 

We are committed to helping you be successful. We align with your business, service and revenue models. We will train your team. We will support your technical team. And we will help you with marketing support. Our goal is to lean in and help, and take risks with you. We want to be the KMS partner you’ve always wanted.

MSPs have told me that the current COVID crisis is impacting their business and revenue streams. They are losing some customers and revenue but are seeing increased demand from existing customers. Everyone seems to need more help from the experts. It’s a tough time for MSPs. Now is the time to migrate your existing KMS deployment to Alliance Key Manager and gain predictability and scalability in your KMS costs. It’s easy to do.

 


Topics: VMware, MSP

What are the Biggest Obstacles to Offering VMware Encryption to Customers? [Part 3 of 8]

Posted by Patrick Townsend on Oct 26, 2020 12:55:00 PM

MSPs fine tune their services to satisfy customers. You are the experts in configuring, deploying, monitoring and protecting the customer’s sensitive applications and digital assets. The services you offer are crucial to organizations large and small.

So why don’t MSPs lead by offering VMware encryption?

It often boils down to the Key Management Server (KMS).

KMS vendors by and large are stuck on old and costly licensing models. It is not uncommon to find legacy KMS vendors charging in excess of $200,000 for an initial deployment in an MSP’s infrastructure. On top of that there are often additional charges as you do more encryption, and annual maintenance and support fees. This represents a major upfront investment by the MSP with no guarantee of realizing a positive return on that investment. This KMS pricing and licensing model almost assuredly locks out a small to midsize MSP.

Then there is the complexity of most KMS systems. The MSP may have to invest a lot of time and resources in learning how to configure, deploy, and maintain the KMS. An MSP needs technology to be simple. Why? The complexity of end customer systems means that the average MSP has to know dozens or even hundreds of hardware and software application systems well. When you factor in PC, Server, Web, and Remote support, the MSP is responsible for a massive knowledge base and trained internal staff. A complex KMS system is just sand in the gears and another headache. It should be better, and it can be better. 

KMS deployments can also be complex and not match the MSP business model. It is not uncommon for MSPs to charge their end customers a monthly fee based on the number of VMs and vSAN directories under management. When a KMS system requires handholding for each end customer, and uses a legacy pricing model with annual minimum payments and commitments, it becomes a nightmare for the MSP to realize a gain on encryption.

For all of these reasons many MSPs avoid encryption. It is understandable. Here is what one MSP told me before they learned how we approach the KMS need:

“You said the magic words of MSP and Low cost, consumption based! We’ve struggled to find a KMS solution we can properly price and sell to our customers to do VM encryption. Solutions like XXXXXX are prohibitively expensive. Your low cost per encrypted VM per month is very reasonable. I’m glad those MSP’s helped you understand our market and that you were able to see the opportunity. You NEED to be marketing this. You’re solving a problem that MSP’s a) don’t think they can afford to fix, and b) are just ignoring the compliance of because it’s “too hard and too expensive.” I highly encourage you to get the word out through marketing to MSP’s. Thank you, Patrick. You made my day.”

Sound familiar?

In the next blog I will describe how we are solving the KMS headache for MSPs. Not only can we make life easier, encryption can be a profit center for you without tipping over your business or putting you at a competitive disadvantage.

 


Topics: VMware, MSP

What Has VMware Done to Help with Encryption Security? [Part 2 of 8]

Posted by Patrick Townsend on Oct 21, 2020 12:15:00 PM

VMware has been very sensitive to the security needs of its Enterprise customers. They know that VMware infrastructure and applications are critical to an organization’s overall security. Network segmentation, access controls, monitoring and many other VMware applications help the MSP protect their customer’s applications and data. When it comes to encryption of sensitive data, VMware has your back, too!

Encryption of VMs was introduced with vSphere 6.5. With this version you could easily select VMs that you want to be encrypted, and quickly and easily start encryption. The MSP VMware administrator can easily see which VMs are encrypted and which are not. Of course, the architecture fits right into the normal VMware architecture. vCenter, vSphere, ESXi all come into play during the implementation and maintenance of the encrypted state of the VMs. A real bonus is that the performance of encrypted VMs is stellar. MSPs rarely need to add additional resources to implement encryption of VMs.

Encryption of vSAN was introduced in vSAN 6.6. The implementation of encryption support is quite different than encryption of VMs, but the encryption key management interface is exactly the same (more on that below). vSAN encryption has been a boon to MSPs. Typically the MSP has relied on storage hardware encryption which often is less expensive, but harder to manage. And encryption key management is generally weak in hardware solutions. Using vSAN lets the MSP integrate the rich set of VMware applications and security. With vSAN encryption you get a flexible place to store commercial and open source databases, big data repositories, and much more. All encrypted efficiently by VMware.

Some MSP customers want to implement TPM to protect their application OS images. Hardware based TPM has many disadvantages in a VMware environment. However, VMware now supports virtual TPM (vTPM) which is much more flexible and resilient in VMware infrastructure. And the good news is that vTPM handles key management in the same way as vSphere encryption of VMs and vSAN encryption of directories. A big plus!

With all of this great support for encryption, how do we properly manage encryption keys? This is a core requirement of compliance regulations and security best practices. VMware handles this well. The key management configuration is provided by the vSphere KMS Cluster configuration. With KMS Cluster configuration you can configure your key management interfaces one time and all of the VMware encryption applications use this definition. And more good news – the interface to key management systems is based on the open OASIS Key Management Interoperability Protocol (KMIP). This means that you have a lot of flexibility and choice in your acquisition and deployment of a KMS for your encryption deployment. (We will talk more about our Alliance Key Manager solution in a following blog).

Key management systems are inherently complex, and the KMIP protocol is also complex. As an MSP you don’t have to deal with this complexity; VMware handles all of the technical implementation. To help VMware customers and partners understand which KMS systems work well with VMware, they make available a certification program for KMS vendors. A KMS vendor who implements the KMIP standard (we are one) can certify their solution for use with VMware. This really sets VMware apart from many infrastructure platform providers. They have made the certification process easy for KMS vendors and publish the results. This means the MSP has an easy way to determine if a key management system is compatible and reliable.

All VMware releases that support encryption also support encryption key management in the same way. This consistency from one release to the next means no disruption to the MSP operating environment after an upgrade, and assurance of the MSP investment in internal training and KMS investments.

Version 7 of VMware now supports a new encryption security interface called Trusted Authority, or vTA. The previous encryption interfaces are still fully supported, but now you have a new option for encryption and key management. vTA offers slightly different architecture and a higher level of security that some organizations need.

All of these features that VMware has implemented make it easy for the MSP to provide encryption support to end customers. In the next blog we will talk about the challenges MSPs face and how to overcome them.

 


Topics: VMware, MSP

Why Do MSP Customers Want Encryption of Their VMs and vSAN? [Part 1 of 8]

Posted by Patrick Townsend on Oct 19, 2020 1:15:00 PM

This is the first in a series of blogs on the topic of Managed Service Providers (MSPs) and VMware encryption. They are meant to be read in order as each blog topic builds on the previous topics, and leads to the next. 

As an MSP, I hope you will take this journey with me about VMware encryption, the technical and business challenges you are facing, how Townsend Security solves these challenges, and the surprising business benefit waiting for you when you offer your customers encryption under your MSP service umbrella. 

Here is the complete topic list:

  1. Why do MSP customers want encryption of their VMs and vSAN (this blog)
  2. What has VMware done to help with encryption security?
  3. What are the biggest obstacles to offering VMware encryption to customers?
  4. How does Townsend Security help an MSP overcome the KMS challenge?
  5. KMS for multiple vCenter clusters and nodes
  6. As an MSP how do I ensure high availability for encrypted VMs?
  7. How can an MSP use encryption security to improve revenues and profitability?
  8. Some common questions and how to get started with the Townsend Security MSP partner program

Customers of MSPs read almost daily about data breaches and ransomware attacks, and are rightly concerned about the security of their data under the control of the MSP. MSPs are usually the lead security provider for these customers and bring a great deal of expertise to the deployment of security solutions. Let’s explore some of the concerns and motivations of the MSP end customer:

Regulations, regulations, and more regulations:

In addition to the fear of a data breach, customers are also concerned about regulations like the California Consumer Privacy Act (CCPA), the New York SHIELD Law, HIPAA, PCI-DSS, GDPR, and many others. No one wants to be subject to compliance actions and litigation due to a data breach. It is natural for a business or organization to turn to their MSP for assurance that their sensitive information is safe and security meets compliance regulations.

Business secrets and intellectual property:

In addition to the regulatory concerns, many small businesses and organizations are concerned about the compromise of business secrets and intellectual property. We now know that a number of state actors are aggressively attempting to steal this type of information. While business secrets and IP are a different category of sensitive information, the loss of this information can be devastating to a business or organization. It can take years to develop new ideas and move through the IP protection process. The compromise of this information can destroy the value of a company, and years of work by its employees and investors.

Reputational risk:

Lastly, the loss of any sensitive information can harm the reputation of an organization. If your value to an end customer involves managing aspects of their sensitive information, losing that information can cause irreparable damage to customer trust. We can all think of retailers, credit reporting agencies, government agencies, and many others who have had large data breaches. It affects consumer behavior and can exact a financial penalty for many years. No one wants to suffer reputational damage from a preventable data breach.

A data breach can be an existential event. According to Cybercrime Magazine about 60% of small companies close within 6 months of a data breach. This is an astoundingly high number. If you think about it, the surviving 40% of companies probably experienced a lot of distress recovering from the data breach. How much lost opportunity was there? 

For MSPs, the takeaway is that your customers are concerned about encryption to protect their sensitive data and business secrets, and look to you to provide solutions. How can MSPs turn that into actions that are based on security standards and which provide a justifiable business opportunity?

Stay tuned.

 


 


Topics: VMware, MSP

On a Journey with Managed Service Providers (MSPs) for a Better Encryption KMS Solution

Posted by Patrick Townsend on Aug 10, 2020 3:30:31 PM

Every now and then something completely unexpected happens that changes your life. No, I’m not talking about the COVID pandemic - that’s a completely different story. What happened for me is that in the course of my work in business development of our key management server (KMS), I met the CEOs of two different Managed Service Providers (MSPs) and they welcomed me into their world. With grace and patience, they helped me leave behind my preconceived notions about software sales and introduced me to how their world works. Neither of these two CEOs were obligated to mentor me and to give me their time, but I am so grateful that they did. It opened a new vision for me and our team here at Townsend Security.

If you work at an MSP firm, I hope you will read on. I will tell you how I turned my lessons into real benefits for the MSP.

Managed Service Providers are varied in what they do, but at the core of their business is the desire to provide IT expertise, hosting facilities, business continuity and disaster recovery, and lots of other IT services to small and large organizations. They do everything from fixing user PCs to deploying top-end servers, security, and cloud services. Expertise is at the core of the value they provide to organizations. During the COVID crisis, they are on the front lines of trying to help everyone migrate to work-from-home and they are trying to secure that environment.

They are just some of the quiet, hidden heroes who don masks and rush into data centers and offices to keep us all operational. They provide great value to organizations especially in the current crisis. These MSPs taught me about their business and about the difficulties they have with key management vendors. In a time when security is top of mind for their customers, they struggle with a KMS industry that is stuck in the past. We were definitely one of those. As we talked, the light came on for me. All of the problems they were having with KMS vendors were problems that we could solve! All it took was a commitment from us, and a change in our business practices.

Here are some things I learned from my MSP CEO mentors:

  • Their businesses run on a usage-based model. For example, they might host a VMware environment for an end customer and charge them on the basis of the number of Virtual Machines (VMs) or vSAN storage they manage on a monthly basis. They provide immediate, on-going value to their customers and they prove their worth on a day-to-day basis.
  • They deploy third-party software solutions to help them accomplish their mission. They prefer to use software solutions that match their business model. For example, some of the common backup solutions like Veeam can be deployed by MSPs on a per-month, per-VM basis. It’s great when an MSP can deploy these types of solutions on a usage basis. It is how they run their business and greatly reduces their risk. KMS vendors are not helping.
  • MSPs live in a complex technical world, and they have special needs from their software vendors. They probably deal with more technical complexity than any other IT segment. Hardware, software, Windows, Linux, security, networking, cloud, smart phones – where does it end? This means they need software solutions that are easy to install, deploy, manage and report on.
  • An MSP deals with a lot of software “vendors”. What they really need are software “partners”. A software vendor sees the MSP as a resource (money) extraction opportunity. A partner is someone who saddles up and goes into battle with you. With a partner, you will either win together or lose together. This is an incredibly important distinction to the MSP, and a really big challenge to the software vendor.
  • The MSP needs more than a software solution from a partner. With all of the complexity of the services an MSP delivers, the MSP needs help from the software partner to sell the solution, to support the solution, and to be a trusted advisor. Can the software partner help with sales collateral? How about with joint sales calls? Can we do joint webinars and podcasts that help build confidence in customers and potential customers?

Here at Townsend Security we live in the world of data security. We have encryption and key management solutions to protect data at rest. We have a number of MSP customers. Before I had the conversation with our MSP mentors, we approached each of our MSP customers the way any legacy software company would. We offered the basic perpetual and subscription licenses. We have always been very price competitive, but it was basically a take-it-or-leave-it approach. We charged for each key manager that we sold.

We were a perfect example of the “vendor” problem the MSP experiences. So, we set out on a journey to see if we could align our business with MSPs and become the “partner” they want and need. It meant changing a lot of our assumptions and business practices. You will know when you have a true partner when they lean in with their marketing and technical teams to make you successful. Our goal is to be that partner!

Here are some of the things we’ve done:

  • Adopted a Pay-As-You-Go model for MSP partners. We now charge a very small monthly fee for each encrypted VM or database. Gone are the perpetual and annual subscription licenses. Scale up or scale down as you like. We get paid when you get paid. Full stop.
  • Dropped all upfront fees or annual minimums. We are aiming for perfect cost and revenue predictability for your MSP business.
  • Stopped counting the number of key management servers the MSP runs. The MSP deploys key servers in the way that makes sense. Multiple physical hosting sites, on-premise deployments, Disaster Recovery as a Service (DRaaS), encrypted storage? We don’t care, we are all in.
  • We trust the MSP to deliver their services and expertise on their hosting or cloud platform, and on their customer’s premises. MSPs conduct their businesses in a variety of ways. If we achieve true partner status you will feel that we are fully behind you and support you and take the risks with you.
  • We train the MSP on how to deploy our solution. We have video, on-line documentation, and one-on-one training to help you get up and running quickly. We don’t charge for training; we just lean in to help you get the job done.
  • We support the MSP with a 24/7/365 business interruption support program at no extra charge. Support is built right into the low monthly fee.
  • Provide sales support by doing joint customer calls, answering security questions, and providing guidance on meeting compliance regulations. We don’t charge for helping you close a sale; we will win the deal together.
  • Provide sales collateral that includes sell sheets, educational material, joint webinars and podcasts, and much more. We don’t charge for sales and marketing collateral.

I feel like I’ve been on a fast learning track and have gained some great new friends. They are sharing with us what they need, and we are leaning in to help them be successful. It is an immensely rewarding experience.

Here is what one of our MSP customers said:

“You said the magic words of MSP and Low cost, consumption based! We’ve struggled to find a KMS solution we can properly price and sell to our customers to do VM encryption. Solutions like XXXXXX are prohibitively expensive. Your low cost per encrypted VM per month is very reasonable. I’m glad those MSPs helped you understand our market and that you were able to see the opportunity. You NEED to be marketing this. You’re solving a problem that MSPs a) don’t think they can afford to fix, and b) are just ignoring the compliance of because it’s ‘too hard and too expensive.’ I highly encourage you to get the word out through marketing to MSPs. Thank you, Patrick. You made my day.”

If you are an MSP we would like to “make your day.” You can start your journey here

Evaluations of our Alliance Key Manager are available at no charge. We provide technical support through the evaluation at no charge. Let’s do this together!

Patrick


Topics: Partner, Hosting Providers, MSP

Press Release: Townsend Security Announces True Usage-Based Licensing for VMware Cloud Providers & MSPs

Posted by Luke Probasco on Jun 17, 2020 10:00:00 AM

With simplified usage-based licensing with no upfront fees, no annual minimums, and built-in support, VMware Cloud Providers and MSPs can offer customers better security with encryption and key management at a lower cost.


Townsend Security today announced new flexible licensing of Alliance Key Manager, their FIPS 140-2 compliant encryption key management server (KMS) to VMware Cloud Providers and MSPs. The new program allows these businesses to offer better security with encryption and VMware-certified key management at a lower cost, while maintaining their current pay-per-use and pay-as-you-go business model.

VMware Cloud Providers and MSPs need to help their customers achieve encryption of VMs and vSAN storage to meet compliance requirements and new regulations like GDPR and CCPA. However, typical commercial KMS solutions are expensive, hard to maintain, and have complex licensing requirements. Legacy KMS systems don’t match the VMware partner’s business model, and they create a business problem for VMware partners who are trying to grow their business and compete with large Cloud Service Providers (CSPs). Townsend Security has addressed all of these obstacles with their new program for VMware Cloud Providers and MSPs.

The new program offered by Townsend Security allows VMware Cloud Providers and MSPs to encrypt VMs and vSAN with the FIPS 140-2 and KMIP compliant Alliance Key Manager. The solution is easy to install, configure, and deploy. Once deployed, it requires no routine maintenance, and partners have total flexibility in how and where they deploy the KMS system to help their customers. Crucially, the new Townsend Security program will match the VMware Cloud Provider’s business model, eliminating KMS licensing headaches, unmanageable reporting requirements, and unreliable KMS high availability implementations.

“Many VMware Cloud Providers and MSPs provide usage-based deployments for their end customers. Alliance Key Manager fits seamlessly into their business strategy to match the way they do business,” said Patrick Townsend, Founder & CEO of Townsend Security. “With Alliance Key Manager, you will never have up-front fees, annual minimums, complex software maintenance contracts, or restrictions on how you do business. Our partners are empowered to grow their business without concerns about how to allocate KMS costs. Predictable SaaS usage-based pricing makes it easy to sell, implement, and support end customers and their security needs - and an additional benefit is the incremental revenue and positive impact on margins.”

Once a partner is enrolled in Townsend Security’s new VMware Cloud Provider and MSP program, the company will assign training and support resources to help the partner get started. There is no charge for training, and Townsend Security’s technical support team is available for 24/7 business interruption support.

Visit www.townsendsecurity.com/msp to learn more about Townsend Security’s new VMware Cloud Provider and MSP partner program.


Topics: VMware, Press Release

Encryption and Key Management for VMware Hosting Providers and MSPs

Posted by Luke Probasco on Jun 12, 2020 9:40:30 AM

VMware has become the most trusted name in on-premise computing infrastructure. Because of its ease of use and administration, reliability and security, VMware is able to provide exceptional services to small and large organizations alike. As these organizations move to the cloud, VMware hosting partners and managed service providers (MSPs) are able to service this market by providing off-premise deployments of VMware and an extensive array of VMware management and administrative services. For more information on how VMware hosting providers can better secure customer data, check out our "Definitive Guide - Encryption Key Management for VMware Cloud Providers" page.

I recently sat down with Patrick Townsend, Founder and CEO of Townsend Security, to talk about how Townsend Security is helping VMware hosting providers meet the challenge of encryption and encryption key management, while supporting the usage-based business model core to many of these hosting providers. Additionally, Patrick discussed VMware architecture, VMware security, delivering compelling hosting & services, and compliance, standards, and encryption.

Hi Patrick. In recent years VMware has embraced the movement to the cloud with key partnerships with leading cloud service providers. What is less well known is that VMware has spawned and supports a broad set of hosting providers that serve local and regional markets. These VMware hosting providers also provide the expertise and managed services that many large cloud providers do not.

There are a fair number of VMware hosting providers and MSPs now with their own hosted, or cloud, platforms who are running VMware full stack implementations for their customers. Customers now have many options for managing their VMware infrastructure on premise or at a VMware hosting provider data center.  Many of these customers maintain both on-premise and hosted environments to meet their customers’ business needs. The VMware ecosystem is growing and resilient, and an important part of the IT services landscape.

Security has got to be essential for these hosting providers and MSPs. What do you think they are doing well and where could they use a little help?

Well, security is a core focus of VMware applications, and the security features have had a lot of time to mature. For example, VMware now offers encryption in several of their products. However, the deployment of proper encryption relies on support from third party KMS vendors. Realizing the importance of key management, VMware adopted the Key Management Interoperability Protocol (KMIP) standard, which allows vendors like Townsend Security to provide key management solutions that allow businesses to store and manage their encryption keys through their entire lifecycle.

Townsend Security is proud to help VMware hosting providers and MSPs implement encryption and do it the right way that matches their business model.

So, let’s spend a minute and discuss delivering compelling hosting and services.

VMware hosting providers and MSPs are rapidly changing the way that VMware customers are managing their IT infrastructure. These VMware partners are filling a services and support gap left by typical, large cloud service providers. Hosted VMware infrastructure, Disaster Recovery as a Service (DRaaS), automated backup and recovery, and expertise on demand provide compelling value to VMware end customers. Amazingly, many of these VMware hosting partners are providing a far more affordable solution than large Cloud Service Providers. Townsend Security’s Alliance Key Manager is filling the KMS gap for VMware hosting providers and MSPs by providing an Enterprise KMS system that matches the way they do business. Gone are the complexities of sourcing, deploying, licensing and administering a KMS for the VMware environment. Townsend Security empowers the VMware hosting provider with on-premise and customer premise solutions for every VMware KMS need.

There are a few strategies that these hosting providers and MSPs can use to secure customer data in VMware environments.  For example, data can still reside on-premises or in the cloud and be encrypted in VMs or in vSAN, or even through Virtual Trusted Platform Module (vTPM).  First, let’s cover On-Prem and the Cloud. 

Sure. Many VMware hosting providers and MSPs often are the experts who manage a customer’s on-premise VMware infrastructure. If you don’t have in-house expertise these partners can step up to help you. This means that the same security tools that are used at the hosting site need to be available at the customer site. This is a core part of the value that a VMware hosting provider and MSP provides to their customers - run VMware on-premise, on their cloud, or combine the two. Some VMware MSPs provide expertise and services to help their customers move to one of the larger cloud platforms. 

If you are a VMware hosting provider and you provide this type of service to help customers move to Microsoft Azure VMware Solution, Google VMware Cloud Engine, or IBM Cloud for VMware, or other full-stack VMware cloud service, we can help you with your KMS needs in the same way. 

Let’s circle back to how data is being encrypted in VMware.

As a VMware hosting provider or MSP, you are able to quickly and easily deploy encryption of VMs for your customers with vSphere encryption. It is important to not forget about also deploying a KMS. The second most popular encryption option in a VMware environment is the encryption of vSAN virtual directories. The VMware architecture for key management for vSAN is the same vSphere KMS cluster configuration used for encrypting VMs. Encryption of vSAN storage is one of the great ways to protect databases in the VMware infrastructure. It can be expensive to upgrade Oracle, SQL Server or MongoDB to get encryption support, but you can easily provide encryption at rest by deploying these databases on encrypted vSAN storage at a fraction of the cost of an upgrade. And you can do encryption at rest for open source databases that do not directly implement encryption or proper key management. This includes MariaDB, PostgreSQL, SQLite and others.

Another option is to use OS encryption through the virtual trusted platform module (vTPM), right?

The Trusted Platform Module (TPM) chip is implemented on many Intel architecture servers and provides an additional level of encryption key protection in traditional server environments. Unfortunately, the TPM architecture works poorly in a VMware environment where workloads can move and migrate between servers. Thankfully, VMware came to the rescue with Virtual TPM (vTPM)!  By installing the appropriate vTPM drivers from VMware you can achieve TPM security that works natively with your VMware platform. vTPM also leverages the same vSphere KMS interface, so encryption and proper key management are easy to deploy.

How is Townsend Security helping VMware hosting providers and MSPs with encryption and key management? 

Townsend Security has been a VMware partner for many years. Our KMS, Alliance Key Manager, is certified by VMware on all releases of vSphere and vSAN that support encryption. At Townsend Security we have worked hard to create a hosting provider/MSP program that takes the pain out of a KMS partnership. Most notably, if you provide VMware hosting services on a usage-based model, we will help you deliver a KMS for encrypted VMs and vSAN with the same model. For example, if you are charging your customers per virtual machine or per main memory, depending on how much you use, we will snap right in to your environment and help you deliver encryption of VMs and vSAN in the same way. We do this with no upfront fees, no annual license charges or separate maintenance fees, we just make it really simple to deploy and use for the VMware hosting provider.

Is there anything else that you would like to share about your partner program?

First, it is very easy and simple to get started with our partner program. Just visit www.townsendsecurity.com/msp. If you are interested in more information, there is a short form to fill out. We make it extremely cost effective for hosting providers to deploy encryption and key management for their customers. I’d also like to mention that our KMS is certified for every version of vSphere and vSAN that supports encryption, is validated for PCI-DSS compliance, and has been through a FIPS 140-2 validation.

You can actually download Alliance Key Manager for VMware directly from our website and immediately load it into VMware.  We also have our support team ready to help you get deployed - without a charge. It just takes minutes. We are proud to have lowered the barrier to entry and administrative overhead typically associated with encryption key management - which makes it easier than ever for VMware hosting providers and MSPs to offer better security to their customers.

To hear this conversation in its entirety, download the podcast “Delivering Secure VMware Hosting with Encryption & Key Management”, in which Patrick Townsend, Founder and CEO, further discusses VMware architecture, VMware security, delivering compelling hosting & services, and compliance, standards, and encryption.


Topics: Encryption Key Management, VMware, Hosting Providers