+1.800.357.1019

+1.800.357.1019

Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

VMWare and Encryption Key Management Failover

Posted by Patrick Townsend on Jun 26, 2019 12:38:09 PM

Encryption and Key Management for VMware - Definitive GuideOne of the easiest ways to implement encryption controls in your VMware infrastructure is to activate vSphere and vSAN encryption. With vSphere encryption you can insure that all VM images are encrypted at rest, and with vSAN encryption you can set up virtual disks that are fully encrypted protecting any files that you place there. vSphere encryption was implemented in version 6.5, and vSAN encryption was implemented in version 6.6. All subsequent versions of vSphere and vSAN include these capabilities. (Note that you must be on the Enterprise or Platinum edition).

In both vSphere and vSAN the key manager is integrated using the open standard Key Management Interoperability Protocol, or KMIP. This means that any key management solution that supports the necessary KMIP interface can work as a vSphere or vSAN key manager. Our Alliance Key Manager solution implements this support, and is already in use by our VMware customers. 

The most common question we get about these new encryption features is: How do I manage failover for the key managers?

This is a great question as VMware is a part of your critical infrastructure, and key management has to work with your high availability strategy. There are two parts to this question and lets dig into both of them:

Defining Key Managers to vSphere KMS Cluster

Key managers are defined to vSphere using the option to configure the KMS Cluster. A KMS Cluster configuration allows you to define more than one key manager. So you have a readily available path for failover. The first key manager configuration is the primary key manager, and all subsequent key managers in the KMS Cluster are failover key managers. vSphere will always use the first key manager you define and treat it as the primary. 

In the event vSphere cannot connect to the primary key manager, it will try to connect to the second key manager in the KMS Cluster configuration. If that one fails it will try the third one, and so forth. The failover order is the order in which you define key managers in the KMS Cluster, so you should keep that in mind as you define the key managers.

While vSphere allows you to create multiple KMS Cluster definitions, very few VMware customers need multiple definitions. Just put your key manager definitions in a single KMS Cluster and you are set to go. 

If you have failover clusters for VMware, be sure to define the KMS Cluster for the failover environment, too!

Implementing Key Mirroring in Alliance Key Manager

Now that you have failover key managers defined to the KMS Cluster, you need to activate key mirroring between the primary key manager and each failover key manager. This is really easy to do, and you don’t need any third party products to implement key mirroring with Alliance Key Manager. Real time, active-active key mirroring is built right into the solution. You can SSH into the key manager, provide credentials, and then take the menu option to set up the primary or secondary key server. Answer a few questions and you will have key mirroring enabled between two or more Alliance Key Manager servers.

Our Alliance Key Manager solution implements full support for vSphere and vSAN encryption key management and has everything you need to get started. Adding encryption to your VMware environment is easy. VMware did a great job with this implementation of key management support and you can easily realize the benefits of protecting VMware infrastructure.

Alliance Key Manager documentation for vSphere can be found here.

You can download Alliance Key Manager and get started right away. Here is where to go to start the process.

Townsend Security will help you get started with vSphere and vSAN encryption. There is no charge for the evaluation or evaluation licenses and you will get access to the Townsend Security support team to ensure you have a successful project.

Patrick

New call-to-action

Topics: Alliance Key Manager, VMware

Encryption Service Performance with Alliance Key Manager

Posted by Luke Probasco on Mar 18, 2019 10:31:02 AM

For applications that require the highest level of security, developers can use the on-board, NIST-compliant encryption and decryption services on Alliance Key Manager, rather than encrypting at the application or database level. Under this strategy, encryption keys never leave the key manager. With on-board encryption services, small chunks of data, such as credit card numbers, Social Security numbers, e-mail addresses, etc are encrypted on the server (physical HSM, VMware, or virtual appliance in the cloud). Because data is securely transferred to the key manager for encryption, it is recommended for smaller amounts of data. For larger amounts of data, it is still recommended to encrypt at the database or application level.

Using an Encryption Service
Businesses can use onboard encryption effectively to improve their security posture and reduce their attack surface. This strategy is helpful in situations where they don’t want to expose the encryption key in their application or server environment. For businesses who have their data in the cloud, this also alleviates the risk of exposure of the encryption key in cloud memory.

Encryption Service Performance
The performance of an encryption service is one of the biggest concerns that businesses have when taking this approach to protecting data. To shed some light on these concerns, we did some testing using our Java SDK on small blobs (<16KB) and with our .NET Key Client for large blobs.

Small Blob Performance
Quant. | avg enc/dec | avg rate
< 1KB | 48ms | 21 ops/sec
3KB | 50ms | 20 ops/sec
5KB | 51ms | 20 ops/sec
7KB | 52ms | 19 ops/sec
10KB | 53ms | 19 ops/sec
16KB | 55ms | 18 ops/sec

As a general metric, it is fair to say that for small pieces of data, the average latency for AES encryption (using CBC mode) is 50ms, yielding a rate of 20 operations per second.

Large Blob Performance

The results of testing with the .NET Key Client for large blob:

Quant | Avg. enc. time
1MB | 462 ms
2MB | 535 ms
5MB | 949 ms
7MB | 1.16 s
10MB | 1.74 s
15MB | 2.34 s
25MB | 3.61 s
50MB | 7.60 s
70MB | 10.65 s

This can be represented as a graph:

Seconds vs Size

Taking this data and calculating the rate at which Alliance Key Manager is encrypting data, we were able to generate this graph:

AKM size of data being decrypted
The horizontal axis is the size of the data being encrypted--the larger the file, the more likely it will approach maximum speed. For encrypting small pieces of data, the process of establishing a connection to Alliance Key Manager and sending the data vastly outweighs the actual encryption, so the rate shows as very low. It spikes up to about 6.5 MB/s when the size of the data is around 5MB--larger than that, and the time to encrypt can be predicted using that rate.

The major take-away: encrypting large blobs on AKM using the .NET Key Client occurs at a rate of 6.5MB/s. It is likely that the Java SDK, and other SDKs, would have about the same level of performance. This data was compiled on an AKM with 1CPU and 2GB of memory. Doubling those resources yields a small increase in performance--up to 6.9 MB/s .

Conclusion

While there are performance impacts when encrypting large amounts of data with an encryption service (as opposed to encrypting an entire database or column within), it does provide improved security on smaller amounts of data for business wanting to minimize their encryption key exposure. Further, by utilizing Townsend Security’s encryption service, businesses can have confidence that they are protecting their data with NIST-compliant AES encryption. NIST compliance means that the encryption implementation has been reviewed by an independent testing lab who reports the results to NIST for validation.

eBook: Definitive Guide to Encryption Key Management

Topics: Alliance Key Manager, On-Board Encryption

Notice to Alliance Key Management users in AWS

Posted by Luke Probasco on Oct 11, 2018 11:36:59 AM

This week Amazon Web Services sent an email to our AWS customers informing them that Alliance Key Manager was no longer available in the AWS Marketplace. This email message was inaccurate and misleading. Townsend Security is committed to providing dedicated, compliant key management solutions to AWS customers, as well as to other cloud platform customers, and continues to make our solution available on the AWS Marketplace.

This is from the email message sent by Amazon:

We are writing to inform you that, as of 10 October 2018, Townsend Security will no longer offer "Alliance Key Manager for AWS" to new subscribers on AWS Marketplace.”

In fact, Townsend Security posted a new version of Alliance Key Manager on AWS this week, and withdrew the older version. The withdrawn version is Alliance Key Manager version 4.5. The new version is Alliance Key Manager version 4.6, which adds new support for VMware vSphere and vSAN encryption key management. You can find the current version of Alliance Key Manager in the AWS Marketplace here:

Both versions of Alliance Key Manager remain under full software support and maintenance. You can upgrade to the new version if and when you wish to.

Please be aware that Amazon prevents us from knowing your customer details when you use the fee-based offering on AWS. Unless you register with us we won’'t be able to inform you if we have important updates and security patches. If you are an Alliance Key Manager customer on AWS, please register with us here.

Our goal is to provide you with the best key management and encryption solutions on the AWS platform. You always have exclusive control of your encryption keys and – neither Amazon nor Townsend Security can manage or access your keys.

If you have any questions please contact us here.

Townsend Security

Encryption Key Management AWS

Topics: Alliance Key Manager, Amazon Web Services (AWS)

Townsend Security Extends Alliance Key Manager to Support vSphere Encryption of VM Images and vSAN

Posted by Luke Probasco on Sep 14, 2018 8:06:28 AM

VMware users can now protect VM Images and vSAN with with Alliance Key Manager, Townsend Security’s FIPS 140-2 compliant encryption key manager.

New Call-to-actionTownsend Security is excited to announce that its new version of Alliance Key Manager fully supports VMware vSphere encryption for both VMware virtual machines (VMs) and for VMware Virtual Disk (vDisk). VMware users have been using Alliance Key Manager to protect data in application databases and applications to meet PCI DSS, GDPR, HIPAA compliance as well as other data privacy regulations. Now VMware users can use the same Alliance Key Manager solution with vSphere to protect virtual machines and virtual disks. Townsend Security is a VMware Technology Alliance Partner (TAP) and Alliance Key Manager for VMware has achieved VMware Ready status.  

“Our customers have been using Alliance Key Manager to protect data in Microsoft SQL Server, MongoDB and other environments for many years. Now VMware users can have confidence that Alliance Key Manager can also protect VMware virtual machines and virtual disk to achieve the highest level of data-at-rest protection,” said Patrick Townsend, CEO of Townsend Security. “VMware users are looking for certified solutions that support their complex Windows and Linux environments without the need to deploy additional hardware-based HSMs. We are happy to announce this extension of our key management solution to help VMware vSphere users achieve a high level of data protection.”

VMware users are looking for affordable solutions that provably meet compliance regulations and which fit their budget and deployment goals. Alliance Key Manager meets this goal by providing NIST FIPS 140-2 compliance, PCI-DSS certification, and Key Management Interoperability Protocol (KMIP) compliance out of the box. Existing Alliance Key Manager customers can upgrade at no cost to extend their data protection compliance requirements to vSphere. New customers can deploy Alliance Key Manager without the fear of increased, unplanned licensing costs in the future.

In addition to PCI DSS, compliance regulations such as the European Union General Data Protection Regulation (GDPR), the HIPAA data security regulation, and many other data protection regulations, require the encryption of data at rest. Alliance Key Manager combined with vSphere encryption are the protection methods  to help you meet these regulatory requirements. “Don’t be fooled by vague language in the GDPR regulation. You must act to protect sensitive information of individuals in order to meet this regulatory requirement. You should act now to protect your organization,” said Townsend.

Alliance Key Manager for VMware is available for a free 30-day evaluation.

VMware Encryption eBook

Topics: Alliance Key Manager, VMware, Press Release

Key Management System (KMS) Licensing - There Has to Be a Better Way

Posted by Patrick Townsend on Aug 20, 2018 10:27:50 AM

Take a little imaginary trip with me.

You want to buy a new car and you are dreaming of all of the great places you can go and hikes you can take. You’ve done your research, you’ve identified a favorite model, you know the mileage and quality ratings, and you’ve made up you mind! That dream car is going to be yours.

eBook: Definitive Guide to Encryption Key ManagementYou spend the obligatory two hours at the dealer and drive away with your dream vehicle. You drive it home and park it in the driveway.

Time to head out to your first destination! You pile your hiking gear into the car and head for the Appalachians for your first hike.

Suddenly, your car stops dead in the road and says “Sorry, you need to pay for this destination. It is not a part of your original car purchase plan. That will be an extra $5,000 please. Credit cards accepted!”

WTF?

You didn’t read the fine print. This car purchase plan only includes 5 destinations and the Appalachians aren’t in the plan. Each new destination is going to cost you a bundle.

Welcome to Key Management System licensing.

Most Enterprise Key Management Systems (KMS) work with this licensing model. You will usually find that you need to license each end-point that connects to the key manager. One end-point may be included in the KMS pricing, but you need to purchase additional “license packs” to attach additional systems. Or, you find that your KMS only supports a limited number of encryption keys. As soon as you roll your keys to meet compliance requirements, it is suddenly time to purchase capacity for more keys! Or, for that new encryption project, you may find that you need to purchase new software to enable encryption for that environment.

And it can get really bad when you discover that the KMS system comes in different hardware models and you suddenly need to purchase an entirely different hardware model and do full replacements. That’s painful.

This typical KMS licensing model works really well for the companies that sell them. For companies who need to deploy encryption?

Not so much …

It means going to management for new budget approval every time you want to extend your security through better encryption. Over time this can add up to hundreds of thousands or even millions of dollars in new license and maintenance fees.

There has to be a better way, right?

There is. Here at Townsend Security we do things differently with our Alliance Key Manager licensing. You purchase the KMS platform of your choice and use it the way you want. It is that simple. From that point on:

  • We never charge you fees for connecting a new end-point that needs a KMS.
  • We never limit the number of end-points based on the model of the KMS.
  • We never limit the number of encryption keys generated or stored on the KMS.
  • We never force you to pay extra fees for software patches.
  • We never force you to pay extra fees for routine software upgrades.
  • If you have a hardware HSM, we do not force you to re-purchase the KMS at end of life. Just replace the hardware and keep on keepin’ on!

Fortunately, the story about purchasing a car was completely made up. But the nightmare of KMS licensing is real. Just know that it doesn’t have to be that way. Take a look at our KMS offerings and see a new path forward.

Pinch yourself. And get ready for that dream trip.

We provide Alliance Key Manager as a hardware security module (HSM), as a VMware software appliance, and as a cloud instance (Azure, AWS) - All running the same key management software with the same interfaces and applications.

Patrick

eBook: Definitive Guide to Encryption Key Management

Topics: Alliance Key Manager

Case Study: Lockr

Posted by Luke Probasco on Aug 13, 2018 9:49:38 AM

LockrSecrets Management SaaS for CMS Systems Including Drupal and WordPress

 


With easy and flexible deployment options, Alliance Key Manager has allowed Lockr to offer affordable secrets management to Drupal and WordPress users.

- Chris Teitzel, Lockr CEO

 
Lockr

Lockr is dedicated to removing barriers to implementing sound security practices. By building, and making available, security solutions that are easy to deploy and affordable, Lockr fulfills its commitment to helping companies and organizations, of all sizes, protect the data of their customers, their partners, their employees and their daily operations. Lockr has made secrets management available to the Drupal content-management framework since 2015 and to the WordPress platform since 2016.

 

The Challenge: OEM, Compliant, Encryption Key Management

Case Study: LockrAs a company who protects private information for leading companies across all verticals, Lockr knew that the only way they could be confident in their Software as a Service (SaaS) offering was to back it with a FIPS 140-2 compliant encryption key management solution. FIPS compliance meant that the solution was based on industry standards and has undergone a stringent review of the encryption source code and development practices. Further, as a growing organization whose goal was to offer an affordable service, Lockr needed a relationship with a company that offered them a flexible OEM partnership.

“Often times, because of the cost and complexity of secrets management solutions, organizations struggle and cross their fingers they don’t experience a data breach. From the inception, Lockr’s mission has been to offer affordable and easy to use security so that even the smallest websites can have the same protection as large enterprises.”

The Solution

Alliance Key Manager in AWS

As a company that protects secrets (APIs, tokens, applications secrets, and encryption keys), Lockr offers their customers a service to better secure data without the costs associated with purchasing and managing dedicated servers. By partnering with Townsend Security, Lockr was able back their service with a proven solution that is in use by enterprises worldwide.

After choosing Amazon Web Services (AWS) as their cloud service provider (CSP), Lockr rapidly deployed Alliance Key Manager in AWS in regions all over the globe. “The combination of Alliance Key Manager and AWS allows Lockr to offer SLAs and support plans that the most demanding organizations require. Working with Alliance Key Manager in AWS is painless - we just launch an AMI and can instantly begin developing and testing. Even though our infrastructure is in AWS, our service is multi-cloud and multi-platform.”

Integration with CSP and Hosting Providers

Lockr provides secrets management to Drupal and WordPress environments hosted anywhere - Pantheon, Acquia, or even self-hosted. Businesses often turn to CSPs and hosting providers because they don’t want to manage another piece of infrastructure or have the expertise. Now they can improve security by turning to Lockr for secrets management as a service.

“While a hosting provider can ensure that their infrastructure is safe, it doesn’t extend to the applications that you run on top of it.” Because of this, providers are starting to refer Lockr to their customers, especially those in finance, healthcare and higher education industries. “When you look at reasons people chose to work with a hosting company, they are looking for people to do all the DevOps work - including security - that they don’t know how to do. Site developers know they need to be safe and Lockr, backed by Alliance Key Manager from Townsend Security, makes that happen.”

Better Securing eCommerce

When businesses deploy eCommerce solutions like Commerce Guys in Drupal or WooCommerce in WordPress to take themselves “out of the sensitive data realm” they are often surprised to learn they are collecting personally identifiable information (PII) such as email address, name, and zip code that they ARE responsible for protecting. Further, services like these use an API to connect to the CMS that needs to be protected. With Lockr’s architecture, it is easy for eCommerce providers to give their users comprehensive security, beyond a credit card transaction.

“The type of SMBs that deploy eCommerce services have a high need for security, but often a small budget. These companies make up a large portion of the web, but often enterprise security solutions are out of reach due to their technical capabilities and cost. They need to have a solution that scales with them.” By calling the APIs offered in Alliance Key Manager, Lockr is able to provide their users with the added security they require to prevent a data breach.

Case Study: Lockr

 

Topics: Alliance Key Manager, Case Study, Drupal, WordPress

Alliance Key Manager and Meltdown/Spectre

Posted by Robbn Miller on Jan 12, 2018 2:19:14 PM

The security vulnerabilities known as Meltdown and Spectre involving speculative execution logic in a variety of Intel and non-Intel architectures also affects the Townsend Security product Alliance Key Manager through the SUSE Linux operating system. Exploitation of this vulnerability is primarily accomplished through user access to the server environment. Alliance Key Manager does not provide user access to the server. Therefore, the risk of exploitation of this vulnerability is considered low. However, Townsend Security is providing a software update to address this issue.

If you wish to apply this update please contact Townsend Security support. 

A customer service representative will provide you with information on installing the update.

As has been widely noted, you may experience some performance degradation related to the resolution of the Meltdown/Spectre software fix. This will not affect most Alliance Key Manager customers. However, if you process a large number of keys (thousands or more) you may wish to apply the patch to a failover server first and test the performance. Townsend Security will assist you with any performance proof-of-concept if needed.

Please be advised that customers using Alliance Key Manager in virtualized environments (cloud, VMware, etc.) also run some risk related to any hypervisor that is subject to this vulnerability. Please contact your cloud service provider or virtualization software provider for more information.

 

Topics: Alliance Key Manager

Case Study: The Seed Company

Posted by Luke Probasco on Nov 6, 2017 10:32:47 AM

SeedCompany_Primary_Tag.pngSecuring Data in MongoDB Enterprise with Alliance Key Manager


“When choosing a key management solution, it needed to be 1) KMIP compliant and 2) affordable. Alliance Key Manager was both.”

- Jonathan Ganucheau, System Architect

 
The Seed Company

 

The Seed Company Case study Founded in 1993 by Wycliffe Bible Translators Inc., Seed Company became one of the fastest growing Bible translation organizations by developing innovative ways to more rapidly, efficiently and accurately translate Scripture for groups who don’t have it in their language.

Over a billion people worldwide don’t have the full Bible in the language they know best. More than 1,600 languages don’t have any Scripture at all. Seed Company’s goal is zero languages without Scripture by 2025. In this generation, the Bible will become available to all for church planting, evangelism and discipleship efforts led by the local Church.

 

The Challenge: Protecting Private Data in MongoDB with Encryption & Key Management

As Seed Company began to outgrow its on-premise data center, it knew that in order to transition services into the cloud, the security team needed to assure business leaders and partners that their data in the cloud would be safe. To meet internal security requirements, not only did the solution need to be cloud based, but encryption needed to live in a secondary cloud provider. By taking a hybrid cloud approach and deploying a service in a secondary cloud provider, Seed Company could securely manage encryption keys and protect data stored in MongoDB Enterprise.

While compliance wasn’t a requirement, meeting security best practices to protect the contact data for partners in the field was. With identities of partners in violent, oppressive countries at stake, a breach could literally mean the difference between life and death.

The Solution

Alliance Key Manager

Seed Company’s adoption of the cloud was reliant on the ability to adequately protect private data. Alliance Key Manager was essential to their transition. “After two months of discovery, we looked at all of the cloud encryption key management vendors and compared everything from features to price,” said Jonathan Ganucheau, System Architect. “Alliance Key Manager met all of our criteria - with KMIP compliance and affordability leading our decision.”

“If someone was able to hack into our primary cloud platform and extract our backups, they still wouldn’t be able to get the actual data because the key manager is in a secondary cloud provider. This provides us with another level of hardening,” continued Ganucheau.

By deploying Alliance Key Manager, Seed Company was able to meet their organization’s needs to protect partner data in MongoDB in the cloud.

Integration with MongoDB Enterprise

“Having invested in MongoDB Enterprise with KMIP encryption, there was no need to buy competing encryption solutions, adding to the overall expense of the project,” said Ganucheau. With a low total cost of ownership, Alliance Key Manager customers can leverage the built-in encryption engine in MongoDB, with no limits imposed to the number of servers or data that can be protected.

“During discovery, one thing that came as a surprise to us was the number of vendors who claimed to support KMIP, but actually didn’t. They maybe started with KMIP compliance, but then deviated off course and no longer met our requirement of being a true KMIP service,” continued Ganucheau.

With no client software to install, Alliance Key Manager offers unparalleled security, flexibility, and affordability for all users of MongoDB Enterprise.

Reliability

One of the top concerns organizations have when encrypting data is losing access to encryption keys. Alliance Key Manager mirrors keys between multiple load-balanced servers over a secure and mutually authenticated TLS connection for hot backup and disaster recovery support. “Uptime is critical for our organization. Alliance Key Manager has remained up 100% over the past year, which is a big deal for our organization. Set it and forget it. It just works,” finished Ganucheau.

“Between your cost structure and reliability, Alliance Key Manager has earned my highest recommendation.”

The Seed Company Case Study

 

Topics: Alliance Key Manager, Case Study, MongoDB

Case Study: Plaza Premium Lounge

Posted by Luke Probasco on Jun 19, 2017 8:29:59 AM

PPL-Logo.pngMeeting PCI DSS with Townsend Security's Alliance Key Manager Hardware Security Module (HSM)


“Alliance Key Manager is simple, reliable, and easy to use - as a result, has allowed us to meet PCI DSS compliance and expand our market.”

- Sandeep Tewatia, IT Director

 
Plaza Premium Lounge

Plaza Premium Lounge Case Study

Plaza Premium Lounge is a global service brand headquartered in Hong Kong and is the industry-leader in premium airport services. Their goal is to make your airport experience seamless and effortless and, through their hearty services, change the perception of travel at the airport. The company operates in more than 140 locations in 35 airports across the globe and counts over 3,500 employees. The success of their business model has prompted airport authorities around the world to offer independent lounge facilities and value-added airport services as part of a bid to enhance the overall traveler experience.

 

The Challenge: Meet PCI DSS Compliance with Encryption Key Management

PCI DSS 3.0 requires businesses to, “Protect stored cardholder data.” The Requirement 3 summary names encryption, truncation, masking, and hashing as “critical components of cardholder data protection” and places strong emphasis on key management: “If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.”

Storing encryption keys next to the data they protect is not considered a security best practice and won’t meet data security compliance requirements like PCI DSS.

Faced with designing a PCI DSS compliant environment to store and process credit cards, Plaza Premium Lounge understood the importance of deploying an encryption key manager and that it should be based on industry standards. The solution had to be FIPS 140-2 compliant, designed to scale with their business needs, and have easy integration with IT infrastructure.  Additionally, the chosen vendor needed to provide excellent developer and technical support.

 

The Solution

Alliance Key Manager HSM

“I looked at all of the encryption key management HSM vendors,” said Sandeep Tewatia, IT Director. “Not only is Alliance Key Manager available as a FIPS 140-2 compliant HSM, Townsend Security has the same technology available in the cloud - which is important as we scale.”  By deploying Alliance Key Manager HSM, Plaza Premium Lounge was able to meet their business needs with a FIPS 140-2 compliant solution that could not only deploy quickly, but was also easy to set up and configure.

Integration with IT Infrastructure

“Townsend Security’s integration with our existing IT infrastructure really set the company apart,” continued Tewatia. “Alliance Key Manager has helped us meet our business goals of meeting PCI DSS in record time.”

By combining Alliance Key Manager and Townsend Security’s client applications and SDKs, Plaza Premium Lounge experienced a seamless integration with their IT infrastrutucture. Alliance Key Manager includes an unlimited license to use the Key Connection for SQL Server software.

Meeting PCI DSS Compliance

By managing encryption keys separately from the encrypted data, meeting PCI DSS encryption key management requirements went from a long, difficult, developer project to an easy integration.

“Having a PCI compliant environment has allowed us to expand our market and Alliance Key Manager was essential to us meeting section 3 for protecting stored cardholder data,” finished Tewatia.

Plaz

 

Topics: Alliance Key Manager, Case Study

Case Study: Citizens Security Life Insurance

Posted by Luke Probasco on Mar 13, 2017 10:54:24 AM

CSLI-Logo.pngCompliance Made Easy - Protecting Private Information with Alliance AES/400 Encryption for IBM i and Alliance Key Manager for VMware


“Townsend Security was extremely easy to work with - from the sales process to deploying our proof of concept to post-sales support.”

- Adam Bell, Senior Director of IT

 
Citizens Security Life Insurance

MCitizens Security Life Insurance Company is a life and health insurance carrier. The company offers group benefits including dental and vision coverage, and individual ancillary insurance products. The company was founded in 1965 and is headquartered in Louisville, Kentucky.

The Challenge: Protect ePHI & PII on the IBM i

In order to meet growing partner requirements and pass a data security audit for protecting electronic Protected Health Information (ePHI) and Personally Identifiable Information (PII), Citizens Security Life Insurance (CSLI) needed to deploy an encryption solution on the IBM i. The solution needed to be easy to implement with excellent performance.

While FIELDPROC on the IBM i makes it very easy to encrypt data without application changes, CSLI also understood that for encrypted data to truly be secure, they would need to store and manage encryption keys with an external key manager.

By using a VMware-based encryption key manager, the company could meet encryption and key management best practices for separating encryption keys from the data they protect.

The Solutions

Alliance AES/400 Encryption

“The performance we are seeing with Alliance AES/400 encryption is excellent,” said Adam Bell, Senior Director of IT, Citizens Security Life Insurance. “The solution was easy to integrate and completely met our expectations.”

Alliance AES/400 FIELDPROC encryption is NIST-compliant and optimized for performance. The solution is up to 100x faster than equivalent IBM APIs on the IBM i platform.

With Alliance AES/400, businesses can encrypt and decrypt fields that store data such as credit card numbers, social security numbers, account numbers, ePHI, and other PII instantly without application changes.

Alliance Key Manager for VMware

Alliance Key Manager for VMWare was very easy to implement and the resources Townsend Security provided made deployment a smooth process,” continued Bell. By deploying Alliance Key Manager for VMware, CSLI was able to meet their business needs with a solution that could not only deploy quickly, but was also easy to set up and configure.

Alliance Key Manager for VMware leverages the same FIPS 140-2 compliant technology found in Townsend Security’s hardware security module (HSM) and in use by over 3,000 customers. The solution brings a proven and mature encryption key management solution to VMware environments, with a lower total cost of ownership. Additionally, the key manager has been validated to meet PCI DSS in VMware environments.

Integration with the IBM i Platform

An encryption strategy is only as good as the key management strategy, and it can be difficult to get key management right. For companies doing encryption, the most common cause of an audit failure is an improper implementation of key management. The seamless integration between Alliance AES/400 and the external Alliance Key Manager for VMware allowed CSLI to pass their data security audit with flying colors.

“The relationship we developed with Townsend Security enabled us to have a painless sales and support process, and in turn, enabled us to easily pass our data security audit,” finished Bell.

Meeting HIPAA and protecting ePHI with encryption and key management.

 

Topics: Alliance Key Manager, Alliance AES/400, Case Study

The Definitive Guide to AWS Encryption Key Management
 
Definitive Guide to VMware Encryption & Key Management
 

 

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all