This blog is an excerpt from the white paper Delivering Secure VMware Hosting with Encryption & Key Management.

VMware is the most trusted name in on-premise computing infrastructure. Its ease of use and administration, reliability and security provide exceptional services to small and large organizations alike. As organizations move to the cloud, there are now a large number of VMware hosting partners and managed service providers (MSPs) who provide off-premise deployments of VMware and an extensive array of VMware management and administrative services. This white paper discusses how Townsend Security is helping VMware hosting providers meet the challenge of encryption and encryption key management, while supporting the usage-based business model core to many of these hosting providers.

VMware Architecture and Benefits

The benefits of VMware in the data center are now well recognized. Reduction in hardware and utility costs, reduction in administrative costs, improvement in managing ever-changing workloads, resilience and business continuity, and exceptional security are just some of the primary benefits. This is why VMware is the leading infrastructure virtualization technology on a global basis.

In recent years VMware has embraced the movement to the cloud with key partnerships with leading cloud service providers. What is less well known is that VMware has spawned and supports a broad set of hosting providers that serve local and regional markets. These VMware hosting providers also provide the expertise and managed services that many large cloud providers do not. 

The growth of the VMware hosting provider eco-system provides important support for VMware customers. Customers now have many options for managing their VMware infrastructure on premise or at a VMware hosting provider data center. Many customers maintain both on-premise and hosted environments to meet their business needs. The VMware eco-system is growing and resilient, and an important part of the IT services landscape.

VMware and Security

While VMware has always been a leader in IT security, the company recognized the importance of encryption and proper encryption key management to meet security best practices and evolving compliance regulations. In 2016 VMware released version 6.5 of vSphere which enabled built-in support for encryption of virtual machines (VMs) and virtual storage (vSAN). In any encryption strategy, it is important to protect the encryption keys using a purpose-built key management security system that secures the keys away from the protected information. The VMware security architecture integrates with a key management server (KMS) to protect the encryption keys that are used by ESXi and vSAN. The interface between vSphere and the key management server is based on the Key Management Interoperability Protocol (KMIP), an open standard for KMS systems. 

In vSphere the administrator defines a primary key manager and one or more failover key managers using the KMS Cluster module. vSphere manages the failover to a backup key server in the event the primary key server is not available. This also enables failover to a disaster recovery VMware node in an automatic fashion. The result is a robust implementation of encryption with key management based on the open OASIS KMIP standard and deployed in a highly resilient fashion.

VMware Hosting and MSP Partners

VMware hosting partners and MSPs are called on to deploy proper security in the VMware infrastructure. Security is largely provided by native VMware applications such as NSX and others. However, the deployment of a key management system depends on support from third party KMS vendors. Townsend Security is one of those vendors with its Alliance Key Manager solution.

Unfortunately, most enterprise KMS systems are expensive, difficult to deploy, lack needed failover reliability, and have complex licensing and management requirements. Many VMware hosting providers provide their infrastructure and services on a usage-based model. Enterprise KMS systems generally do not fit this delivery, reporting and billing model.

Townsend Security is solving this problem by providing its Alliance Key Manager solution on a usage basis. VMware hosting providers will benefit from the Townsend model as it matches their business delivery model and makes KMS affordable to their end customers. When your encryption key management strategy lines up with your business model you are able to manage your growth in a predictable way.

Delivering Compelling Hosting and Services

VMware hosting providers and MSPs are rapidly changing the way that VMware customers are managing their IT infrastructure. These VMware partners are filling a services and support gap left by typical, large cloud service providers. Hosted VMware infrastructure, Disaster Recovery as a Service (DRaaS), automated backup and recovery, and expertise on demand provide compelling value to VMware end customers. 

Townsend Security’s Alliance Key Manager is filling the KMS gap for VMware hosting providers and MSPs by providing an Enterprise KMS system that matches the way they do business. Gone are the complexities of sourcing, deploying, licensing and administering a KMS for the VMware environment. Townsend Security empowers the VMware hosting provider with on-premise and customer premise solutions for every VMware KMS need.

Data security compliance requirements and corporate security initiatives continue to drive the adoption of encryption and key management to protect private information - ranging from customer information to electronic protected health information (ePHI) to a company’s intellectual property (IP). Deploying encryption naturally means properly protecting encryption keys, which historically has been the biggest challenge that organizations face with their encryption strategy. As such, it is far too common to see businesses not properly storing their encryption keys - for example, keeping them in a database in the clear or even burned into their application’s code.

Fortunately, encryption key management solutions are more affordable and easier than ever, however, not all solutions are created equal. Standards such as FIPS 140-2 remain, but what does that mean in a virtual environment? Additionally, we are seeing all the major cloud service providers (CSPs) offer encryption key management as a service, but there are several fundamental reasons enterprises are hesitant to adopt them.

I recently sat down with Patrick Townsend, Founder and CEO, to discuss the current state of encryption key management, databases/applications that natively provide encryption and key manager integrations, and questions to ask your key management vendor. 

Hi Patrick. Let’s just take a minute and acknowledge how far encryption key management has come.

It is incredible how far encryption key management has come over the last 15 years. As I think back to when we started this journey, it was a very different environment. One of the motivating factors for us to get in the key management game was that key management systems used to be terribly expensive and complex - and usually involved a team of expensive consultants to deploy. Early on, I even had a key management system (KMS) vendor tell me that they didn’t want to do a deal under $10 million - and that just isn’t going to work for smaller companies. This just really influenced how we got started. Companies of all sizes deserve to have good encryption and key management as part of their defense in depth security strategy. I am very proud of our team for creating a key management solution that has been FIPS 140-2 validated and affordable to the small and medium sized enterprises who need to protect their employees and customers without having to pay for every database, connection, or encryption key. We have now passed the 10 year mark with Alliance Key Manager. While it was first introduced as a physical hardware security module (HSM), we have added VMware and cloud platforms (AWS and Microsoft Azure) - and starting at $4,800 is affordable to every customer. I am proud that we have played a part in making encryption key management affordable to businesses of all sizes.

Speaking of cost, could you imagine if deployments were still $10 million?

It really is incredible. If that were still the cost, small and medium sized businesses would be priced out of the market - and their data a lot more vulnerable. With that said, it still amazes me how much KMS vendors are still charging for some of their solutions. Recently we had a prospective customer forward us a quote from another KMS vendor and it was astonishing. The customer was trying to protect 12 Microsoft SQL Server databases and the quote was for $194,000! And that was just the start. As the customer adds additional databases in their environment, there is going to be more and more cost as they go forward. For the same hardware-based HSM solution, we would charge $36,000 for two HSMs and save the customer $158,000! Alternatively, we even could offer VMware or cloud instances that would have been even less expensive.

As a company, we are passionate about keeping a low and predictable total cost of ownership (TCO). You shouldn’t have to go back to your key management vendor every time you want to add a database or encrypt something in a new environment. This model of pricing can add up very quickly. We offer a simple pricing structure - license the KMS, pay annual maintenance, and use the key manager to protect as much data as you’d like. From my point of view, there is no justification for a pricing strategy that penalizes businesses for doing more security.

Aside from cost and ease of deployment, there really has been a growing awareness on the importance of key management. 10 years ago when you first started, small and medium sized businesses didn’t even know what key management was.

Certainly. Key management is the cornerstone of an encryption strategy. If you are doing encryption, you must protect encryption keys. In fact, key management is starting to show up in regulatory compliance requirements. For example, if you look at the California Consumer Privacy Act (CCPA), you will find proper key management called out as being core to protecting data. If you are not using key management, you are NOT adequately protecting your encryption keys and you lose some of the protections under the CCPA.

As businesses deploy modern key management solutions, they need to make sure the key manager has been FIPS 140-2 validated and is key management interoperability protocol (KMIP) compliant. The industry as a whole is still catching up to these standards. For example, with AWS KMS or Azure Key Vault, businesses do not have industry standards based interfaces for key management. Rather than using the KMIP standard, they are requiring customers to use their proprietary interface. Standards, like KMIP, are incredibly important when it comes to reducing your cost of encryption in the long run. Fortunately, we are seeing most major database and application vendors adopting the KMIP standard and natively supporting encryption, leaving the key management to the user.

Also, it is still the wild west out there in regards to some KMS vendors. I think people should avoid solutions that require external, third party hardware modules to back up the key manager. That is completely unnecessary. There are open source solutions that provide vaults that are not FIPS 140-2 compliant unless they are backed up by an HSM.

Again, key management is core to a security strategy and really has come a long way since the early days. It now takes a few minutes to get a KMS up and running, you don’t need outside consultants or someone to come on site, and most of the time doesn’t take any paid services!

You mentioned KMIP. It has been great to see more databases and applications adopt the standard.

That’s right. Encryption usually doesn’t require application changes anymore - it has become a non-technical exercise. KMIP has fundamentally changed the way businesses deploy encryption and key management. For example, we have seen databases like MongoDB and MySQL and VMware’s vSphere and vSAN support KMIP. Let’s take a look at MongoDB. MongoDB Enterprise includes 256-bit AES encryption built into the database. Knowing the importance of key management, they built in support for KMS vendors with the KMIP standard. Now their users can seamlessly encrypt data and easily manage the encryption keys separate from the data that they protect.

KMIP really has been a game changer for the key management industry and really underscores the importance of basing solutions on industry standards. Unfortunately, it isn’t everywhere - yet. Typically, KMIP is reserved for Enterprise versions of databases. With that said, there are still options for shops running “Standard” or “Community” versions.

There are. Chances are that these shops are running a version of VMware that supports vSphere and vSAN encryption. By deploying “Standard” versions of databases directly in vSAN, they can utilize the encryption and key management options already included in their VMware products. Furthermore, VMware has developed excellent guidance that is available on their website on how to install databases into an encrypted vSAN. If you are an Oracle customer, for example, and feel like you can’t afford the expense of upgrading to Oracle Enterprise with Advanced Security in order to get encryption, VMware has your back. By doing this, businesses can affordably meet regulatory compliance and protect their sensitive data. Same is true for other databases.

Let’s keep talking about compliance. Compliance has been a major driving force for organizations adopting encryption key management.

Yes. Businesses of all sizes and industries fall under a variety of compliance regulations. If you take credit cards, you fall under PCI DSS. If you are a covered entity in the medical segment you fall under HIPAA. California recently passed the California Consumer Privacy Act (CCPA) which has reach far beyond the borders of California. It is important to note that CCPA also requires proper key management. Storing encryption keys next to the secured data provides you no protection from data breach notification and class action lawsuits. You have to get key management right. 

Regulations certainly are one major factor driving the uptake in encryption. Over time, we have seen regulations evolve and encryption keeps getting more embedded in these regulations and is recognized as a core part of a defense in depth strategy. With that said, compliance isn’t the only reason a company deploys encryption and key management. We regularly talk with customers concerned with reputation, protection of intellectual property (IP), or a host of other reasons.

For businesses who haven’t deployed encryption key management yet, what are some questions that they should ask vendors?

There are definitely some baseline qualifiers here. Look for a FIPS 140-2 validation. Has the solution ever been validated by the National Institute of Standard and Technology (NIST)? Some key management vendors out there will say they are compliant and unable to prove it because they have never received a formal validation. It is important to ask for their certificate number. Don’t accept a third-party letter saying that the solution is compliant. There is no substitute for a NIST validation. They aren’t cheap or easy, which is a major differentiator between the good and not-so-good key management vendors.

As discussed earlier, good key management systems will adopt the KMIP interface. You should easily be able to use your key management solution seamlessly with the growing number of databases and applications that support KMIP.

Who has administrative access to the keys? Do you have exclusive control or is access shared with a cloud service provider (CSP) or key management vendor? Most of the CSP key management offerings are in shared environments - both you and your CSP have access to your keys. Also a consideration, are you OK with CSP lock-in? Most businesses today are trying to achieve a cloud-neutral implementation and you don’t want your key management solution to defeat that effort.

I think that these are the topics that should be top of mind for businesses as they move through their cloud encryption strategy and think about key management.

Is there anything that you would like to share about Townsend Security’s Alliance Key Manager that you haven’t mentioned yet?

Alliance Key Manager comes along with a wide variety of client applications and SDKs - at no charge - to help you secure databases and applications like VMware, Microsoft SQL Server, MongoDB, MySQL and others. As I mentioned earlier, it is cost effective and affordable to organizations of all sizes. I think that our key manager is the most cost-effective, standards-based solution in the market. By offering the key manager on multiple platforms, which are all cross-compatible, businesses have a variety of options for their encryption strategy that are easy to deploy.

The last thing that I would like to point out is that our solution is very partner friendly. Alliance Key Manager is embedded in many ISV environments and products. We have flexible programs that allow our partners to get encryption right by embedding key management into their solution.

To hear this conversation in its entirety, download the podcast “State of Encryption Key Management - 2020” to hear Patrick Townsend, Founder and CEO, further discuss the latest trends and perspectives around encryption key management and how to better protect your data.

We are all working from home now. At least, in the technology world that seems to be true. What does this mean from a security standpoint? Here are a few thoughts:

Technology workers (programmers, project managers, customer support staff, pre-sales engineers, etc.) are generally pretty comfortable with remote work. This is the result of a multi-year trend driven by talent shortages, distributed organizations, and out-sourcing. However, traditional finance and administrative workers tend to be more office-centric. They are rapidly adjusting to working at home and figuring out how to balance work in a home environment. Kids in your space? Yup, it’s a big adjustment for everyone when you suddenly move from office to home.

With COVID-19, we are doing work-from-home to better protect our colleagues, our families, and our friends and community. It is critical that we do physical distancing and get it right. It is truly a matter of life and death. 

I believe that there are security implications to this change, too. Corporate systems are at more risk. 

When we move workers from the office to home, we expand the attack surface. Our home PCs and networks have probably not had the same security scrutiny that office systems have. But those home PCs now have access to the corporate network. There is a lot of use of VPN, Remote Desktop Protocol (RDP), and terminal emulators like GoToMyPC to get connectivity. I think in a lot of cases the security exposure has increased as we deal with the COVID-19 pandemic. 

We need to take this expanded threat to our corporate systems seriously. Cybercriminals will happily use any new weakness to access our sensitive data. It may be a lot easier to break into your home network and jump to the corporate network.  Here are some things you can do right away:

• Start reviewing home PCs and networks like you would internal systems. And start with your system and network administrators. They often hold highly authorized credentials. Create a special team to get this done as quickly as possible. 
• Make a prioritized list of your application databases that hold sensitive data. Or, if you have the list, do a quick review and update as needed. You probably have some databases that are easy to protect with encryption and good encryption key management.
• These databases are fast and easy to protect: Microsoft SQL Server (TDE), MySQL, MongoDB, and Oracle Database. You can get these common databases under encryption protection very quickly. 
• Do you use VMware for your IT infrastructure? You probably do. It is very fast and easy to implement encryption of VMs and vSAN. This is a fast and easy win.
• Get management buy-in. We all know that we have an emergency on our hands. Enlightened management will get on board quickly. They are going to have to approve new human resource assignments and some new budget. 

We are in uncharted territory with COVID-19. Here at Townsend Security we are committed to helping you survive this challenge. We will help you get the data security you need. Just talk to us.

Patrick

Which Encryption Option Should you Choose, vSphere VM or vSAN?

Data security is paramount for sensitive data-at-rest. Fortunately, protecting your data in VMware is relatively easy with the introduction of vSphere VM encryption in version 6.5 and vSAN encryption in version 6.6. Even better, for most folks, you won’t have to choose between each option, you will likely use both as needed. That said, there are some times when you might prefer one over the other. With that in mind, here are some of the features for each and how they are the same/different.

One of the most clear cut cases on preferring one encryption option or the other is in a multi-tenant situation. VMware gives these examples:

Engineering and Finance may have their own key managers and would require their VM's to be encrypted by their respective KMS. Or maybe your company has been merged with another company, each with their own KMS. Additionally, you may have a "Coke & Pepsi" scenario of two unrelated tenants. VM Encryption can handle this use case using the API or PowerCLI Modules for VM Encryption.

Since each VM is encrypted by a different key, vSphere VM encryption may be better suited for multi-tenant situations. In this way, not only will each tenant be assured that their sensitive data is not commingled with other tenants data (separate VMs), but their data is protected by separate keys.

Beyond that, VMware notes that “vSAN has unique capabilities for some workloads and may perform better in those situations.” So, if you are protecting larger datastores with a single tenant, vSAN would be your best option.

With these distinctions in mind, here is the best news: They are equally easy to set up! We have put together two videos to highlight the steps to get encryption enabled in each environment:

vSphere VM Encryption

For a more detailed look at vSphere VM encryption, please visit our post: vSphere Encryption—Creating a Unified Encryption Strategy. Here is a partial list of steps for enabling vSphere VM encryption:

• First, install and configure your KMIP compliant key management server, such as our Alliance Key Manager, and register it to the vSphere KMS Cluster.
• Next, you must set up the key management server (KMS) cluster.
• When you add a KMS cluster, vCenter will prompt you to make it the default. vCenter will provision the encryption keys from the cluster you designate as the default.
• Then, when encrypting, the ESXi host generates internal 256-bit (XTS-AES-256) DEKs to encrypt the VMs, files, and disks.
• The vCenter Server then requests a key from Alliance Key Manager. This key is used as the KEK.
• ESXi then uses the KEK to encrypt the DEK and only the encrypted DEK is stored locally on the disk along with the KEK ID.
• The KEK is safely stored in Alliance Key Manager. ESXi never stores the KEK on disk. Instead, vCenter Server stores the KEK ID for future reference. This way, your encrypted data stays safe even if you lose a backup or a hacker accesses your VMware environment.

vSAN Encryption

For a more detailed look at vSAN encryption, please visit our post: vSAN Encryption: Locking your vSAN Down. Here is a partial list of steps for enabling vSAN encryption:

• First, install and configure your key management server, or KMS, (such as our Alliance Key Manager) and add its network address and port information to the vCenter KMS Cluster.
• Then, you will need to set up a domain of trust between vCenter Server, your KMS, and your vSAN host.
• You will do this by exchanging administrative certificates between your KMS and vCenter Server to establish trust.
• Then, vCenter Server will pass the KMS connection data to the vSAN host.
• From there, the vSAN host will only request keys from that trusted KMS.
• The ESXi host generates internal keys to encrypt each disk, generating a new key for each disk. These are known as the data encryption keys, or DEKs.
• The vCenter Server then requests a key from the KMS. This key is used by the ESXi host as the key encryption key, or KEK.
• The ESXi host then uses the KEK to encrypt the DEK and only the encrypted DEK is stored locally on the disk.
• The KEK is safely stored separately from the data and DEK in the KMS.
• Additionally, the KMS also creates a host encryption key, or HEK, for encrypting core dumps. The HEK is managed within the KMS to ensure you can secure the core dump and manage who can access the data.

Final Thoughts

vSphere VM and vSAN encryption for data-at-rest is a powerful tool in protecting your sensitive data - for both companies and VMware Cloud Providers. It is standards-based, policy-based, and KMIP compliant. This makes it both powerful and easy to enable. While each has different strengths that make them a better choice in some situations; most of the time, it will just come down to needing to either secure data in a VM or vSAN datastore.

If you have sensitive data in VMware and are not encrypting, enable encryption today! We are happy to help.

Alliance Key Manager, Townsend Security’s FIPS 140-2 compliant encryption key manager, is now available free of charge to Microsoft MVPs and AWS Heroes.

Townsend Security today announced that it is extending free Not for Resale (NFR) licenses to Microsoft MVPs and AWS Heroes for Alliance Key Manager, their FIPS 140-2 compliant encryption key management server (KMS). The NFR licenses are available for non-production use only, including educational, lab testing, evaluation, training, and demonstration purposes. NFR Licenses are available here.

Joining VMware vExperts in Townsend Security’s successful NFR program, Microsoft MVPs and AWS Heroes can protect databases, applications, and VMware images with a secure and compliant key management server (KMS). Additionally, the solution allows businesses to properly encrypt private data without modifying their business applications. Alliance Key Manager supports the OASIS Key Management Interoperability Protocol (KMIP) and Microsoft’s Extensible Key Management (EKM) found in SQL Server Enterprise 2008+ and SQL Server Standard 2019+. The solution is available as a VMware Virtual Machine or in the cloud (AWS, Microsoft Azure).

Additionally, Townsend Security provides Alliance Key Manager users with a wide range of ready-to-use security applications, SDKs, and sample code. With over 3,000 users worldwide, the solution is helping businesses achieve their security and efficiency goals in cloud and VMware environments.

“Protecting sensitive data continues to be a critical concern in IT, and an important part of both security and compliance efforts,” said Patrick Townsend, CEO of Townsend Security. “After launching with VMware vExperts, we are excited to extend the program to Microsoft MVPs and AWS Heroes. I believe they will be pleased to see how fast and easy encryption key management has become.”

Microsoft MVPs and AWS Heroes can request an NFR license of Alliance Key Manager here.

I am often asked about public cloud provider encryption key services like AWS KMS and Azure Key Vault. There are substantial differences between an Enterprise Key Management System (we have one) and the key services provided by Amazon and Microsoft (and Google has one, too). Enterprise Key Management Systems provide dedicated, full lifecycle key management under your exclusive control. Cloud key services provide a small subset of encryption key management support, in a non-dedicated, multi-tenant, shared environment. 

Perhaps the best way to show the differences is in a side-by-side table comparing our Alliance Key Manager for AWS and Azure, and Cloud Service Provider (CSP) key services:

Microsoft handed everyone a big gift with SQL Server Standard Edition 2019. The Standard edition of SQL Server did not previously support encryption. Surprise! Now it does. Prior to this new version, SQL Server Standard customers had to upgrade to the Enterprise Edition, or install a third party encryption solution. Upgrading to the Enterprise Edition was expensive for many small to midsize Microsoft customers, so bringing encryption to Standard Edition with 2019 is a big deal.

Let’s take a dive into SQL Server Standard Edition 2019 and the encryption support:

How Encryption is Implemented

Microsoft implemented encryption in Standard Edition by bringing the EKM Provider architecture from the Enterprise Edition to the Standard Edition. This means that Standard Edition users have access to the same encryption and key management capabilities that are available in the Enterprise Edition. This is great news for Microsoft customers as most are running both Standard Edition and Enterprise Edition in their IT infrastructure. You can now deploy the same encryption and key management solution across your Standard Edition and Enterprise Edition databases. If you are using Transparent Data Encryption (TDE) in the Enterprise Edition, you can now do the same thing in Standard Edition.

Earlier Versions of Standard Edition and Upgrades

The new encryption capability for Standard Edition is only in the 2019 release (version 15.x). Earlier versions of SQL Server Standard Edition will not be upgraded to support encryption. To take advantage of encryption in Standard Edition you have to upgrade to the 2019 release. You do NOT have to upgrade to the Enterprise Edition!

Encryption Key Management

How you manage encryption keys is crucial to your encryption strategy. SQL Server provides you with two key management options:

• Locally stored on SQL Server
• Deployment of a key management server through the EKM Provider interface

The only secure way to manage your encryption keys is through the use of a key management system that is registered and accessed through the EKM Provider interface. Our Alliance Key Manager for SQL Server solution implements support for the EKM Provider interface and provides you with all of the software you need to protect SQL Server encryption keys.

Compliance Regulations

Many Microsoft customers are rushing to implement encryption in order to meet the new California Consumer Privacy Act (CCPA) requirements. Your only protection from class action lawsuits in the event of a breach is through encryption of sensitive data, and proper protection of encryption keys. Storing encryption keys on the same server as the protected data will NOT provide you with CCPA protections. See California law AB 1130 for more information about encryption key management and data breaches.

Cloud Considerations

It is very common to deploy SQL Server Standard Edition in a virtual machine on a cloud platform. You can easily do this on Microsoft Azure and Amazon Web Services (AWS). When you deploy SQL Server Standard Edition 2019 in the cloud you have full access to the encryption key management using the EKM Provider interface. Be aware that many cloud service provider database services (AWS RDS, Azure SQL, etc.) do not support the EKM Provider interface and limit your ability to deploy key management. If you are concerned about cloud independence be sure to avoid these types of Database-as-a-Service offerings. 

You can run Alliance Key Manager as a dedicated key management server for your SQL Server Standard Edition database applications in Azure and AWS. You will find Alliance Key Manager in the Azure and AWS Marketplaces. You can even run Alliance Key Manager in your own data center and protect SQL Server in the cloud. You are never locked into a cloud platform.

ISV Solutions with SQL Server Standard Edition

Many software solutions are built on SQL Server Standard Edition. SQL Server is an affordable relational database and you will find it in both cloud-based SaaS solutions as well as on-premise solutions for the Enterprise. For our ISV partners we make it easy to embed our Alliance Key Manager solution into your software offering to achieve better security and compliance. If you are an end customer running an ISV application and you need encryption, talk to us about an introduction to your vendor. We will make it easy for your software vendor to upgrade and support encryption.

Alliance Key Manager for SQL Server

For more than a decade we have been helping Microsoft SQL Server customers achieve the best security for their database and applications. We now fully embrace encryption and key management for SQL Server Standard Edition. As an end user or an ISV partner, there is an affordable and easy-to-use solution waiting for you. You can learn more here.

In any industry you will probably find a number of really responsible vendors, and of course, you will find the outliers and the outlaws. It is true in the security vendor community, too. There are a core group of responsible vendors, there are those that exaggerate the capabilities of their products, and there are those who just charge as much as they can get away with. I guess that is just human nature.

When I set out 15 years ago to bring encryption and key management solutions to market, I knew that the existing Key Management Server (KMS) products were highly priced and out of reach for most companies and organizations. A KMS vendor once told me that they did not want to work with any customer who did not want to spend at least $10 Million or more on their solution! I wanted to create a KMS solution that would be in reach for the average business, non-profit, and local government agency. Everyone deserves to deploy a really good security solution to protect their employees and their customers. We’ve now passed the 10-year anniversary of the first release of our Alliance Key Manager solution, and I am proud of the price disruption we created in every part of the KMS market – on-premise HSMs, VMware software appliances, and in the cloud (AWS, Azure).

I had a real shock this last week. Maybe things have not changed as much as I thought.

A prospective customer sent me a price quote from one of the mainstream KMS vendors. Their company wanted to purchase two key manager HSMs to protect 12 SQL Server databases. Look at how this was priced (numbers rounded):

Two key management HSMs:                                 $ 90,000

Annual software support for the HSMs:                  $ 16,000

12 Endpoint licenses for SQL Server                       $ 73,000

Annual software support for the endpoints:           $ 15,000

                                                                                 ========

Total:                                                                       $ 194,000

Unbelievable !!!

This company was going to pay $106,000 for two key managers, and THEN pay for each database that had to be encrypted. There is no reason on Planet Earth why this customer should have to pay so much to protect a small number of databases. I feel sorry for them if they have other databases they need to protect as they will have to pay for each of those, too. It is not hard to see how this cost would rapidly escalate as the company worked to protect more data - and it is clear that the average small business or organization could never afford this solution.

Let me show you how we would price our solution for the same requirement:

Two key management HSMs:                                 $ 30,000

Annual software support and maintenance:         $ 6,000

12 Endpoint licenses for SQL Server                     $ 0

Annual software support and maintenance:         $ 0

                                                                                 ========

Total:                                                                        $ 36,000

That’s right. For the same solution we would save this customer $158,000 out of the starting gate. Further, we would save them even more as they deployed encryption over additional databases - and the software maintenance costs would escalate, too.  How can we save you this much? Easy, we ask a fair price for our key management solution, and we don’t charge you at all for each database or application. If you purchase a key manager, we want you to use it for every security project you have. You don’t need to keep dredging up money each time you want to use the key management solution. With our pricing policy, it would be easy to envision saving this customer several MILLION dollars in KMS costs over a period of a few years!!!

Can you think of something you could spend that money on? Raises, new hires, new technology, business investment, and so much more. I am sure you can think of something useful to do with those funds. This kind of cost can drag a company down and reduce its competitiveness. This is outrageous.

You are not trapped and you have choices. Just talk to us.

In addition to being affordable, we make it easy to evaluate our Alliance Key Manager solution. You can now download it from our website, get access to documentation and quick start guides, and get access to full technical support.

You have options, just talk to us.

Patrick

Microsoft introduced Always Encrypted in SQL Server 2016 as a way to protect data in SQL Server databases. Always Encrypted runs on a client side system and encrypts data before it is stored in the SQL Server database. This provided some new protection for sensitive data stored in SQL Server - at least the server administrator and the DBA would not have access to the sensitive data. Or, that was the idea.

Always Encrypted suffered from severe limitations and did not achieve wide acceptance and deployment. The types of SQL queries and operations you could perform were minimal. You could not do basic SQL query operations that most businesses rely on. So Always Encrypted has not been deployed much.

Microsoft is attempting to address these limitations in a facility called Secure Enclaves. Secure Enclaves is a special operating environment that runs on SQL Server itself. You can think of it as a special virtual environment that can’t be accessed by a server administrator or DBA, but which can decrypt sensitive data from the database and perform those more complex SQL operations. SQL Server runs in one environment, and Secure Enclaves is a separate, more secure environment on the same server that runs those SQL requests against decrypted data. 

Processing data in a Secure Enclave means that the encrypted data has to be decrypted. How does that happen if the encryption key is on the client-side system and not on the SQL Server system? There are now special drivers on the client-side system that will send the encryption key to the Secure Enclave when needed. 

So, is this more secure? That is a hard question to answer. Here are some things to think about:

• Protected execution environments, like Secure Enclaves, have their own security concerns. The operating system hypervisors that manage these secure environments bring their own attack surface. Adding new attack surfaces brings more risk.
• The client-side implementation of Always Encrypted also adds an attack surface. Again, the more places that are potentially open to an attacker the more risk you bear.
• In many cases, client-side systems are not as well protected as core SQL Server systems. Think of a user PC in your organization, or think of a remote office server. User and remote systems are notoriously hard to protect well. 
• Encryption key management is the linchpin of your encryption strategy. Unfortunately, Always Encrypted has limited options for deploying industry standard key management. Always Encrypted supports storing encryption keys in the Windows Certificate Store and in Azure Key Vault. It does not support the industry standard Key Management Interoperability Protocol (KMIP). This means you are very limited in terms of your key management options. 
• Using the Windows Certificate Store to protect your Always Encrypted encryption keys may not be compatible with the California Consumer Privacy Act (CCPA) -and using Azure Key Vault may violate PCI Data Security Standards (PCI DSS) cloud guidance. 
• A core aspect of your encryption key management strategy is monitoring who has access to encryption key credentials, and reporting on access failures. When the encryption is performed on the client system by Always Encrypted, you may have limited ability to monitor activity and detect unauthorized access attempts. That further complicates your security posture.

My thoughts:

One of the primary goals of Always Encrypted and Secure Enclaves is to protect sensitive data by implementing Separation of Duties. That is, ensuring that system administrators and DBAs do not have access to both protected data and the encryption keys. This is a core security principle when protecting data-at-rest. 

You can achieve Separation of Duties by using a proper key management solution like our Alliance Key Manager. By assigning key management duties to a security professional, and isolating key management responsibilities from DBAs, you achieve the heart of the Separation of Duties goal. I believe that when properly implemented, a SQL Server Transparent Data Encryption (TDE) implementation with good key management gives you a very strong security posture without the risks involved with Always Secure and Secure Enclaves. Of course, you have to do a lot of other things to secure your Windows server and SQL Server. Proper encryption and key management is only one part of your overall security strategy.

Microsoft is doing a lot of things right in the area of data protection. The recent implementation of encryption for SQL Server Standard Edition 2019 is exactly the right thing to do. It puts encryption and key management in the hands of a lot of SQL Server users who have not had access to this technology. I hope that Microsoft will eventually embrace open standards for encryption key management in Azure and in other Microsoft products. This will be a great step forward for Microsoft customers.

Patrick

Interest in Microsoft SQL Server database encryption is booming! What is driving the sudden rush to encrypt sensitive data? Certainly the new California Consumer Privacy Act (CCPA) is a part of this. Just a few days after the CCPA became law the first class action lawsuit was filed. No business wants to deal with a class action lawsuit, and encryption is the only safe harbor from class action lawsuits.

We have to give some credit to Microsoft, too. In the past, database encryption was only available in the Enterprise editions of SQL Server. Upgrading from SQL Server Standard, Express and Web editions was an expensive proposition. Then (... SURPRISE! ...) in November 2019 Microsoft announced that SQL Server Standard Edition 2019 would also support encryption in the same way that the Enterprise edition does. It was a great Holiday gift to the many thousands of SQL Server users and ISVs who need to meet compliance regulations.

And the continued publicity about data breaches, ransomware, state actors, and new zero-day exploits continued to elevate everyone’s awareness of the threats to their sensitive data. So encryption is suddenly hot.

Let’s take a look at using SQL Server encryption in Amazon Web Services (AWS). 

Encryption Key Management

If you’ve been following this blog series you know how important key management is to an encryption strategy. That is even more true in the AWS environment. While Amazon makes available a proprietary key service, it can’t be used with databases like SQL Server that implement vendor or open standards. And AWS KMS is a shared encryption key service - both you and Amazon have access to your keys. So, before you start your SQL Server encryption project, be sure to get your key management strategy right.

Local Master Key Storage

When you implement encryption with SQL Server you have a choice about where you store the master keys. You can store them next to the SQL Server database (bad), or you can store the keys in an external key management system using the SQL Server Extensible Key Management (EKM) interface (better). Using an external key management system through the EKM interface is the only way to protect your data under CCPA, and it’s a best security practice. That is what we will focus on for the rest of this blog. 

SQL Server and Extensible Key Management (EKM) Provider

Starting in SQL Server 2008 Enterprise, Microsoft implemented database encryption and added the EKM Provider interface for encryption key management. This interface pre-dated the modern KMIP interface, but provides a similar architecture for integrating encryption key management for SQL Server. The EKM Provider architecture has been a part of SQL Server Enterprise since that release more than a decade ago. Our customers have performed many upgrades to SQL Server and the EKM interface has been stable and reliable. 

The EKM Provider architecture is essentially a set of rules for implementing a plug-in module for SQL Server to integrate with a key manager such as our Alliance Key Manager for SQL Server. You code a Windows DLL to the specification, register it to SQL Server, run an activation command in the SQL Server console, and you have encrypted your SQL Server database! It is fast, easy and straightforward.

Key Management in the Cloud

Now you need a key manager that implements the EKM Provider interface, and you need a place to deploy that key manager. Our customers usually deploy Alliance Key Manager directly from the EC2 console and the AWS Marketplace when they want a dedicated key manager that runs within AWS. Alliance Key Manager runs in an EC2 instance, is dedicated to you (not shared with Amazon or us), and provides the EKM Provider software at no additional charge. You just: 

• Launch Alliance Key Manager
• Answer a few configuration questions
• Download the certificates that SQL Server needs
• Configure the EKM Provider
• And activate it

In a short period of time you can fully protect SQL Server with strong encryption and proper key management.

Key Management Outside of the Cloud

Some Microsoft SQL Server users want full control of their encryption keys outside of the AWS cloud. This is incredibly easy! You can deploy Alliance Key Manager as a VMware instance in your on-premise data center, then configure the SQL Server EKM Provider to connect to the on-premise key server. The EKM Provider interface is exactly the same in all Alliance Key Manager platforms. You will need to set network permissions in AWS, and allow a connection to the on-premise key server, but that’s it. You can get key management outside the AWS cloud very easily. Additionally, if you initially deploy in the cloud and want to migrate to your own data center, that is also fast and easy.

Key Management Across AWS Regions

Many AWS customers deploy their applications in different AWS regions in order to achieve a higher level of resilience and reliability for failover. Alliance Key Manager can fully support this approach. You can deploy the production key manager in the same region as your AWS application, and deploy the failover key manager in the remote AWS region where your failover runs. Once configured, they will automatically synchronize the keys and access policy, and will give you an optimal, real time failover across the AWS region boundary. 

Business Continuity and High Availability

The key manager you deploy with SQL Server has to match the high availability strategy you use with SQL Server and your applications. This means the key manager has to fail over in real time. Alliance Key Manager mirrors keys in real time in an active-active configuration. If your database and applications are designed for continuous operation, Alliance Key Manager will give you the immediate failover support you need - and that can be cross-region, outside the cloud, and even across cloud service providers.

Unlimited Databases

Most of our Microsoft SQL Server customers run multiple applications and databases. Alliance Key Manager does not restrict the number of SQL Server databases that you connect to it, and there are no client-side licenses per database. You can encrypt your first database with Alliance Key Manager, and then add any number of additional databases at no charge. Alliance Key Manager does not count or limit the number of databases you protect. You can even protect other databases like MongoDB and MySQL using the same key manager. This is the way enterprise key management should work!

Cloud Independence - It’s real

Amazon Web Services provides a great number of cloud services for applications and storage. Unfortunately, most of the AWS services implement a proprietary interface. The result is cloud lock-in restricting your ability to easily move to other cloud platforms. A business opportunity, merger, acquisition and other events can be painful when you have cloud lock-in. Alliance Key Manager runs in a number of cloud and virtualized environments and will help you avoid cloud lock-in. Cloud independence is real.

Evaluations and Proof-of-Concept

At Townsend Security we know that key management is a part of your critical infrastructure. We make evaluations and Proof-of-Concept projects extremely easy. You can launch Alliance Key Manager for AWS directly from the AWS Marketplace, get access to Quick Start guides for SQL Server, and be up and running quickly. Alliance Key Manager will automatically license for a free 30-day evaluation period, and you will have access to our technical support group for assistance.

HINT: When you launch Alliance Key Manager from the AWS Marketplace, be sure to register with us. Amazon does not share your company information with us, so we won’t be able to help unless you register. Here is the link to register.

True Enterprise Key Management for SQL Server, dedicated to you, is a couple of clicks away right from the AWS Marketplace. 

Patrick