Townsend Security Data Privacy Blog

Ransomware evolution - “Devastating innovation”

Posted by Patrick Townsend on Feb 22, 2022 4:40:02 PM

The new Sophos Threat Report for 2022 is just out and it is a good read (the link is below). In addition to ransomware the report talks about the increasing role of Artificial Intelligence as a part of both defense and offense, and other topics I think you would find interesting. Sophos is on the front lines of trying to help organizations who have fallen victim to ransomware. This statement in the threat report about new ransomware techniques really struck me:

“Ransomware is only as good as your backups, or so an adage might go if any existed. The truth of this statement became the basis for one of the most devastating “innovations” pioneered by some threat actor groups involved in ransomware schemes in the past several years: the rise of extortion in ransomware attacks.”

We all know that we have to have a really good backup and recovery strategy to deal with a ransomware attack. From the Threat Report:

“Increasingly, large organizations have been getting the message that ransomware attacks were costly but could be thwarted without the need for a ransom payment – if the organization kept good backups of the data the attackers were encrypting and have been acting on it by engaging with large cloud backup firms to keep their systems cloned. After all, if, for instance, you only lost one day’s worth of work, it would be a manageable loss, completely survivable for the targeted organization, if they chose to restore from backups rather than pay the ransom.”

But did you know that the attackers have innovated with a “double extortion” strategy? Backups can help you recover from the loss of your systems due to poisonous encryption. But the attackers are now stealing your sensitive data and threatening to publicly release it if you don’t pay the ransom. That is the second part of the “double extortion”, and is the “devastating innovation.”

“We have to presume that the ransomware groups were also getting the message because they weren’t getting paid. They took advantage of the fact that the average “dwell time” (in which they have access to a targeted organization’s network) can be days to weeks and started using that time to discover an organization’s secrets—and move everything of value to a cloud backup service themselves. Then, when the ransomware attack struck, they’d layer on a second threat: pay up or we release your most sensitive internal documents, customer information, source code, patient records, or, well, anything else, to the world.”

How do we respond to this new, double extortion ransomware threat?

First, we have to do the things we’ve always done:

  • Backup everything to be prepared to restore systems and data.
  • Monitor our environments for anomalous events and behavior.
  • Educate our employees and service providers on good technology and email practices.

Now we need to add one more practice:

  • Encrypt sensitive information to deny it to the attackers.

To defend against the “double extortion” we now have to deny hackers access to our sensitive information through the use of defensive encryption. If the attacker steals our data but can’t read it, we have defeated the new “Devastating Innovation”. I know that it is a bit ironic that we have to use the same tool as the hackers – encryption – to defeat the hackers. But it is a tool that we have readily at hand. All major database, virtualization, and storage solutions make it easy to encrypt data. And that’s what we need to do now. As in, right now!

Here is one critical thing to consider when you start implementing encryption as the next part of your ransomware strategy:

Your encryption is only as strong as your management of encryption keys.

When you encrypt your sensitive data, you have to protect the secret key that unlocks the data. That is actually the hardest part of an encryption strategy. It is important to get this right from the start. This is where Enterprise Key Management systems come into play. They give you the means to protect your encryption keys away from the data they protect.

We are helping our customers deploy encryption to defeat ransomware with our Alliance Key Manager solution. You can encrypt databases, VMware infrastructure, cloud data, big data, and much more. More information here:

https://townsendsecurity.com/products

If you are a Managed Service Provider (MSP, MSSP) or IT Services Organization (ITSO), you can find out more about how we empower our partners to meet this challenge. More information here:

https://townsendsecurity.com/msp

Stay safe,

Patrick

Resources:

The Definitive Guide to Encryption Key Management Fundamentals:

https://info.townsendsecurity.com/ebook-definitive-guide-to-encryption-key-management-fundamentals

The Sophos 2022 Threat Report:

https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf

Topics: Alliance Key Manager, Encryption, Key Management, Ransomware

IT's OFFICIAL - ENCRYPTION FOR RANSOMWARE PROTECTION

Posted by Patrick Townsend on Jun 15, 2021 3:22:26 PM

If you’ve been following this blog recently you know that I’ve been advocating for the use of encryption to help prevent ransomware attacks. Ransomware attackers have been adapting to the new reality that a lot of companies have deployed good backup strategies to recover their files. Without that leverage the attackers can’t extort payments for recovery of your systems.

So, what are they doing now? They are exfiltrating your sensitive data and using that as additional leverage. 

Oh, you have backups and you don’t want to pay? OK, we took your sensitive data and we are going to publish it. Do you have secret intellectual property or business plans? Do you have sensitive medical information on your patients? Do you have sensitive information about children in your care?

Under this kind of pressure many ransomware victims decide to pay the ransom. 

That’s why it is important to encrypt your data before a ransomware attack. If the attacker can’t read your data because it is encrypted they can’t threaten to release it.

It has been frustrating to me that most security recommendations on how to protect yourself from a ransomware attack omit the step of encrypting your data first.

But that has now changed! And it is long overdue.

Here is what President Biden’s new executive order recommends (emphasis added):

What we urge you to do now:

Implement the five best practices from the President’s Executive Order: President Biden’s Improving the Nation’s Cybersecurity Executive Order is being implemented with speed and urgency across the Federal Government. We’re leading by example because these five best practices are high impact: multifactor authentication (because passwords alone are routinely compromised), endpoint detection & response (to hunt for malicious activity on a network and block it), encryption (so if data is stolen, it is unusable) and a skilled, empowered security team (to patch rapidly, and share and incorporate threat information in your defenses). These practices will significantly reduce the risk of a successful cyberattack.

And more ...

And this:

For Federal Agencies:

Modernize and Implement Stronger Cybersecurity Standards in the Federal Government. The Executive Order helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period. Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.

Encryption is not the only thing you need to do, but it is a critical part of a ransomware protection strategy. It is heartening to see this being recognized.

There is some good news: Encryption is fast, easy and affordable. If you are a small or midsize organization you will be glad to know that there is an affordable solution for your encryption strategy. Encryption and encryption key management are no longer the headaches they once were. You or your IT Support organization can address your encryption needs in a rapid manner. 

If you are an IT Support Provider or Managed Service Provider trying to help your customers with security, you are going to love our MSP Partner program. Affordable key management for VMware and the cloud, usage-based billing, and no upfront fees. You will be profitable from the first customer. More information here: 

https://townsendsecurity.com/msp

Ransomware attacks can be devastating to an organization, but you have tools to protect yourself. Give us a call.

Patrick

References:

https://image.connect.hhs.gov/lib/fe3915707564047b761078/m/1/8eeab615-15a3-4bc8-8054-81bc23a181a4.pdf

https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/


Topics: Alliance Key Manager, Encryption, Encryption Key Management, VMware, Ransomware, MSP

Case Study: Concensus Technologies

Posted by Luke Probasco on Mar 12, 2021 11:45:37 AM

MSP identifying and implementing top-notch business, security, and IT solutions

“Encryption key management for VMware vSphere, with usage-based licensing, has allowed us to better secure our SMB customers and add a new revenue stream.”

- Don DaRe, President & CEO

 
Concensus Technologies
Concensus Technologies is a leading national provider of professional IT solutions, located near Pittsburgh, PA. Its team of engineers and architects has worked with clients of every size, in every industry, and maintains certifications with the top IAM and cybersecurity vendors. With more than 20 years of experience, Concensus Technologies provides a standardized approach for assessing current environments so that clients get the most from their future investment.

 

The Challenge: Customers Needed Affordable Encryption & Key Management to Meet Security & Insurance Requirements

For Concensus Technologies, an MSP who offers complete cybersecurity, managed IT services, and IAM solutions for businesses, encryption and key management are paramount to keeping their customers’ data secure. Before partnering with Townsend Security, encryption key management was a facet of security that was beyond the budget of their SMB customers who needed to meet regulatory compliance like PCI DSS, HIPAA, etc., as well as purchase cybersecurity insurance.

Don DaRe, President and CEO, helps guide his customers through the process of securing their data, a differentiator for him as an MSP. “If you are an MSP, you need to think about security first, not after there has been a breach. Encryption and key management will help keep your customer’s data safe,” said DaRe.

Whether he is helping them through a cyber-risk insurance audit or meeting compliance requirements, Concensus Technologies partners with their customers to securely meet their technology initiatives. If there is sensitive data on the VM, DaRe helps customers understand the best way to protect it is with encryption and key management.

“Because of stricter data security compliance and cyber-risk insurance requirements, customers began asking for encryption. We quickly realized that a secure data center in the cloud wasn’t enough,” said DaRe.

To ensure data is truly secure, and to have predictable costs, Concensus Technologies decided it was best to run their own VMware infrastructure and partner with a key management vendor. The only problem: finding a key management vendor whose licensing would match an MSP’s usage-based business model.

After talking with a few key management vendors who offered solutions for prices that only large enterprises could afford, Don DaRe, President and CEO, found Townsend Security.

“As an MSP, we charge our customers for usage. Having encryption key management that has been through a NIST validation, with usage-based licensing, is key for us - which removes price as a barrier to good security,” continued DaRe.

The Solution

Alliance Key Manager for VMware

Unhappy with the cost and performance of the major cloud service providers (CSPs), Concensus Technologies decided to build their own VMware infrastructure. When moving from the cloud to their own infrastructure, meeting data security compliance was a top concern.

By deploying Alliance Key Manager for VMware in their VMware vCloud infrastructure, the company was able to meet customer requirements for encryption and key management, as well as create a new revenue stream.

Usage-Based Licensing

Businesses are moving away from paying for perpetual licensing. “Everything is moving towards a subscription/pay for what you use model,” said DaRe. “For most companies we work with, they would rather have the operational expenditure than the capital expenditure.”

“As an MSP, we are always looking for solutions and services that are easy to track and easy to use - and don’t require much maintenance,” said DaRe. “Townsend Security checks all those boxes.”

Plug & Play Security

“Because Alliance Key Manager snaps right into vCenter, we just make a ‘Click’ and customer data is encrypted. It doesn’t take a lot of engineer time to implement. Between Townsend Security’s support and one of our engineers, we had it up and running in less than an hour,” said DaRe.

By lowering the cost and difficulty barriers of encryption, Concensus Technologies is seeing their customers have a tremendously improved security posture, and realizing new revenue.

“We were able to deploy Alliance Key Manager and offer encryption to our customers all in the same day. It is now a part of all of our quotes.”


Topics: Alliance Key Manager, Case Study

Townsend Security Extends Free NFR Licenses for Key Management Server (KMS) to Microsoft MVPs and AWS Heroes

Posted by Luke Probasco on Mar 18, 2020 2:00:00 AM

Alliance Key Manager, Townsend Security’s FIPS 140-2 compliant encryption key manager, is now available free of charge to Microsoft MVPs and AWS Heroes.

Free NFR License for Encryption Key Management Server (KMS)

Townsend Security today announced that it is extending free Not for Resale (NFR) licenses to Microsoft MVPs and AWS Heroes for Alliance Key Manager, their FIPS 140-2 compliant encryption key management server (KMS). The NFR licenses are available for non-production use only, including educational, lab testing, evaluation, training, and demonstration purposes. NFR Licenses are available here.

Joining VMware vExperts in Townsend Security’s successful NFR program, Microsoft MVPs and AWS Heroes can protect databases, applications, and VMware images with a secure and compliant key management server (KMS). Additionally, the solution allows businesses to properly encrypt private data without modifying their business applications. Alliance Key Manager supports the OASIS Key Management Interoperability Protocol (KMIP) and Microsoft’s Extensible Key Management (EKM) found in SQL Server Enterprise 2008+ and SQL Server Standard 2019+. The solution is available as a VMware Virtual Machine or in the cloud (AWS, Microsoft Azure).

Additionally, Townsend Security provides Alliance Key Manager users with a wide range of ready-to-use security applications, SDKs, and sample code. With over 3,000 users worldwide, the solution is helping businesses achieve their security and efficiency goals in cloud and VMware environments.

“Protecting sensitive data continues to be a critical concern in IT, and an important part of both security and compliance efforts,” said Patrick Townsend, CEO of Townsend Security. “After launching with VMware vExperts, we are excited to extend the program to Microsoft MVPs and AWS Heroes. I believe they will be pleased to see how fast and easy encryption key management has become.”

Microsoft MVPs and AWS Heroes can request an NFR license of Alliance Key Manager here.


Topics: Alliance Key Manager, Press Release

Do You Have Encryption Key Management Server (KMS) Sticker Shock?

Posted by Patrick Townsend on Mar 10, 2020 9:11:45 AM

In any industry you will probably find a number of really responsible vendors, and of course, you will find the outliers and the outlaws. It is true in the security vendor community, too. There are a core group of responsible vendors, there are those that exaggerate the capabilities of their products, and there are those who just charge as much as they can get away with. I guess that is just human nature.

When I set out 15 years ago to bring encryption and key management solutions to market, I knew that the existing Key Management Server (KMS) products were highly priced and out of reach for most companies and organizations. A KMS vendor once told me that they did not want to work with any customer who did not want to spend at least $10 Million or more on their solution! I wanted to create a KMS solution that would be in reach for the average business, non-profit, and local government agency. Everyone deserves to deploy a really good security solution to protect their employees and their customers. We’ve now passed the 10-year anniversary of the first release of our Alliance Key Manager solution, and I am proud of the price disruption we created in every part of the KMS market – on-premise HSMs, VMware software appliances, and in the cloud (AWS, Azure).

I had a real shock this last week. Maybe things have not changed as much as I thought.

A prospective customer sent me a price quote from one of the mainstream KMS vendors. Their company wanted to purchase two key manager HSMs to protect 12 SQL Server databases. Look at how this was priced (numbers rounded):

Two key management HSMs:                     $ 90,000
Annual software support for the HSMs:        $ 16,000
12 Endpoint licenses for SQL Server:         $ 73,000
Annual software support for the endpoints:   $ 15,000
                                             ========
Total:                                       $194,000

Unbelievable!!!

This company was going to pay $106,000 for two key managers, and THEN pay for each database that had to be encrypted. There is no reason on Planet Earth why this customer should have to pay so much to protect a small number of databases. I feel sorry for them if they have other databases they need to protect as they will have to pay for each of those, too. It is not hard to see how this cost would rapidly escalate as the company worked to protect more data - and it is clear that the average small business or organization could never afford this solution.

Let me show you how we would price our solution for the same requirement:

Two key management HSMs:                     $ 30,000
Annual software support and maintenance:     $  6,000
12 Endpoint licenses for SQL Server:         $      0
Annual software support and maintenance:     $      0
                                             ========
Total:                                       $ 36,000

That’s right. For the same solution we would save this customer $158,000 right out of the starting gate. Further, we would save them even more as they deployed encryption over additional databases, because with the other vendor the per-database licensing and the software maintenance costs would escalate, too. How can we save you this much? Easy: we ask a fair price for our key management solution, and we don’t charge you at all for each database or application. If you purchase a key manager, we want you to use it for every security project you have. You don’t need to keep dredging up money each time you want to use the key management solution. With our pricing policy, it would be easy to envision saving this customer several MILLION dollars in KMS costs over a period of a few years!!!

Can you think of something you could spend that money on? Raises, new hires, new technology, business investment, and so much more. I am sure you can think of something useful to do with those funds. This kind of cost can drag a company down and reduce its competitiveness. This is outrageous.

You are not trapped and you have choices. Just talk to us.

In addition to being affordable, we make it easy to evaluate our Alliance Key Manager solution. You can now download it from our website, get access to documentation and quick start guides, and get access to full technical support.

You have options, just talk to us.

Patrick


Topics: Alliance Key Manager, Encryption Key Management

Townsend Security Provides NFR Licenses for Key Management Server (KMS) to VMware vExperts

Posted by Luke Probasco on Jan 7, 2020 12:00:00 AM

Alliance Key Manager, featuring full support for VMware encryption of VMs and vSAN, is now available free of charge to VMware vExperts.

Townsend Security today announced that it offers free Not for Resale (NFR) licenses to VMware vExperts for Alliance Key Manager, their FIPS 140-2 compliant encryption key management server (KMS). The NFR license keys are available for non-production use only, including educational, lab testing, evaluation, training, and demonstration purposes. NFR Licenses are available here.

Alliance Key Manager enables VMware customers to use native vSphere encryption for VMs and vSAN to protect VMware images and digital assets while deploying a secure and compliant key management server (KMS). VMware users can deploy multiple, redundant (HA) key servers as a part of the KMS Cluster configuration for maximum resilience and high availability. The key manager is certified by VMware for use with vSphere version 6.5 and later, and for vSAN version 6.6 and later. 

Using the advanced cryptographic permissions in VMware vCenter Server, along with a KMS, VMware users can prevent internal/external threats and protect sensitive workloads. In addition to supporting vSphere encryption of VMs and vSAN, Alliance Key Manager supports application and database encryption deployed in VMware virtual servers.

“We are excited to provide VMware vExperts with Alliance Key Manager, our encryption key management server (KMS) for their test labs,” said Patrick Townsend, CEO of Townsend Security. “Protecting sensitive data continues to be a critical concern in IT, and an important part of both security and compliance efforts. Data-at-rest encryption options in vSphere are comprehensive and very easy to use. Alliance Key Manager seamlessly integrates with VMware’s encryption capabilities.”

Townsend Security is a VMware Technology Alliance Partner (TAP) and Alliance Key Manager for VMware has achieved VMware Ready status. VMware vExperts can request an NFR license of Alliance Key Manager for VMware here.


Topics: Alliance Key Manager, Press Release

Securing FieldShield Encryption Keys with Alliance Key Manager

Posted by Paul Taylor on Dec 13, 2019 10:28:00 AM

The article below originally appeared on IRI's blog and is being re-published here to show Townsend Security's blog readers how Alliance Key Manager integrates with IRI FieldShield.

In a previous article, we detailed a method for securing the encryption keys (passphrases) used in IRI FieldShield data masking jobs through the Azure Key Vault. There is now another, even more robust option for encryption key management available, thanks to API-level integration between FieldShield and the Alliance Key Manager (AKM) platform from Townsend Security.

AKM provides authenticated access to FieldShield passphrases from any of five deployment options (listed below), ensuring that only authorized users can reach the AKM key server and obtain the keys needed to decrypt FieldShield-encrypted field data (column values).

But beyond authentication, AKM provides a complete encryption key management solution which includes: key server setup and configuration, key lifecycle administration, secure key storage, key import/export, key access control, server mirroring, and backup/restore. AKM also supports compliance audit logging of all server, key access and configuration functions.

How AKM Works with FieldShield

AKM is invoked directly in FieldShield data masking jobs through field syntax that specifies the use of AKM. This syntax is “AKM:KeyName”, where “AKM:” invokes the Alliance Key Manager and “KeyName” is the name of a key created in AKM (any key name will do) whose value will be retrieved.

In a FieldShield decryption job, key retrieval from AKM is performed via a secure TLS connection to the AKM server. Both the client (FieldShield user) and server (AKM) end-points are authenticated via TLS.

AKM can be deployed in: 1) VMware; 2) a cloud server in Microsoft Azure; 3) Amazon Web Services; 4) a privately managed Hardware Security Module (HSM); or, 5) a dedicated cloud HSM.

Setting Up

Prerequisites for using AKM to manage encryption key passphrases in FieldShield are:

  • A compatible Linux OS (a Windows version is planned)
  • A licensed IRI FieldShield installation for Linux under /usr/local/cosort
  • An AKM instance with connectivity to the Linux OS
  • A .conf file configured with the proper details to connect to AKM from the Linux OS
  • The Alliance Key Manager Linux SDK

To run FieldShield, obtain and install license keys from IRI. To run AKM, obtain a license from Townsend Security.

You will need to create a configuration (.conf) file to provide the connection information for AKM. The file includes the locations of certificates, logging options, and AKM connection properties.

The configuration file must be specified correctly, placed in the /usr/local/cosort/etc directory, and called keyclient.conf in order for key retrieval to succeed. Once that’s done, AKM will be accessible and work properly from any of the 5 deployment methods listed above.

You will also need to download the AKM Linux SDK. It contains the packages used to install the Linux libraries for AKM key retrieval used in FieldShield, and a sample keyclient.conf file (shown later).

[Figure: FieldShield-AKM schematic]

The AKM Linux SDK

FieldShield makes use of shared libraries provided by Townsend Security to integrate with AKM. More specifically, FieldShield uses the Linux C SDK, which provides tools for integrating C applications with AKM in Linux.

There are debian (or rpm, depending on your Linux distribution) packages within the packages directory of the Linux SDK that must be installed on your system for the FieldShield-AKM integration to work. Confirm that the shared object library (.so file) is in the /usr/lib directory, or copy it there.

The AKM Linux SDK contains packages for the following Linux platforms:

  • RHEL/CentOS 4, 5, 6, 7
  • SLE 11 SP2, SP3, SP4
  • Ubuntu 12.04, 14.04, 16.04

The Ubuntu 16.04 package in the AKM Linux SDK was tested and confirmed to work on Ubuntu 18.04.

Configuring AKM for FieldShield Use

AKM can be deployed in a variety of ways, including through cloud computing providers and local virtual machines. To set up AKM initially, follow the instructions in the documentation and log in to the administrative menu to initialize AKM and to create and manage certificates for user authentication.


The AKM instance has a key server at port 6001, a port for key retrieval at port 6000, and a web interface at port 3886. This information must be put into the .conf file so that FieldShield can find the AKM and retrieve the key at decryption time.

After logging in to AKM, the IP address of the AKM instance can be found by typing ifconfig:


Again, the default port is 6000 for AKM key retrieval. This should be written in the .conf file like this:

[ip]
KeyStoreIpPort=IP:Port

where IP is the IP address of the AKM, and Port is the port number used for key retrieval. For example:

[ip]
KeyStoreIpPort=192.168.56.20:6000

A complete .conf file could look something like this:

; Configuration file for Universal Key Retrieval API
[log]
Syslog=2 ; syslog output enabled
StdErr=2 ; stderr output enabled
[ip]
KeyStoreIpPort=192.168.56.103:6000
ConnectTimeoutSecs=5 ; timeout value in seconds
ConnectTimeoutMSecs=0 ; timeout value in milliseconds
[cert]
VerifyDepth=1 ; certificate verify depth
TrustedCACertDir=/home/devon/Downloads/AKMPrimary_user_20191021/PEM ; CA signed cert directory
TrustedCACert=/home/devon/Downloads/AKMPrimary_user_20191021/PEM/AKMRootCACertificate.pem ; CA signed cert (root cert)
ClientPrivKey=/home/devon/Downloads/AKMPrimary_user_20191021/PEM/AKMClientPrivateKey.pem ; client private key
ClientSignedCert=/home/devon/Downloads/AKMPrimary_user_20191021/PEM/AKMClientCertificate.pem ; client signed certificate
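A pre-flight check for keyclient.conf, added here as an illustration and not code from IRI, Townsend Security or the AKM SDK: it parses the file with the section/key layout and ';' comment style of the sample above, validates that KeyStoreIpPort really is an IP address plus a port in range, checks the timeout values are integers, and confirms that the certificate and key files named under [cert] exist before a FieldShield job depends on them. Which keys the SDK actually treats as mandatory is not stated in the article; the set below is an assumption based on the sample, and the file paths are the sample's own placeholders.

```python
import configparser
import ipaddress
import os

# Constructed sample keyclient.conf, modelled on the one shown in the article.
# The certificate paths are the article's placeholders, not files on this host.
SAMPLE_CONF = """\
; Configuration file for Universal Key Retrieval API
[log]
Syslog=2 ; syslog output enabled
StdErr=2 ; stderr output enabled
[ip]
KeyStoreIpPort=192.168.56.103:6000
ConnectTimeoutSecs=5 ; timeout value in seconds
ConnectTimeoutMSecs=0 ; timeout value in milliseconds
[cert]
VerifyDepth=1 ; certificate verify depth
TrustedCACertDir=/home/devon/Downloads/AKMPrimary_user_20191021/PEM ; CA signed cert directory
TrustedCACert=/home/devon/Downloads/AKMPrimary_user_20191021/PEM/AKMRootCACertificate.pem ; CA root cert
ClientPrivKey=/home/devon/Downloads/AKMPrimary_user_20191021/PEM/AKMClientPrivateKey.pem ; client private key
ClientSignedCert=/home/devon/Downloads/AKMPrimary_user_20191021/PEM/AKMClientCertificate.pem ; client cert
"""

# Keys this check treats as mandatory. They are the ones the article's sample
# sets; whether the AKM SDK tolerates omitting any of them is an assumption.
REQUIRED = {
    "ip": ("KeyStoreIpPort",),
    "cert": ("TrustedCACert", "ClientPrivKey", "ClientSignedCert"),
}
FILE_KEYS = ("TrustedCACert", "ClientPrivKey", "ClientSignedCert")


def parse_keyclient_conf(text):
    """Parse keyclient.conf text: INI sections, '=' separators, ';' comments."""
    cp = configparser.ConfigParser(delimiters=("=",),
                                   inline_comment_prefixes=(";",),
                                   interpolation=None)
    cp.optionxform = str  # keep option names case-sensitive, as written
    cp.read_string(text)
    return cp


def parse_ip_port(value):
    """Split 'IP:Port' and validate both halves; raises ValueError if malformed."""
    host, sep, port_text = value.strip().rpartition(":")
    if not sep or not host:
        raise ValueError(f"expected IP:Port, got {value!r}")
    ipaddress.ip_address(host)      # rejects hostnames and malformed addresses
    port = int(port_text)            # a non-numeric port raises ValueError here
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return host, port


def check_keyclient_conf(text, file_exists=os.path.isfile):
    """Return a list of problems found; an empty list means the file looks usable."""
    try:
        cp = parse_keyclient_conf(text)
    except configparser.Error as exc:
        return [f"unparseable: {exc}"]
    problems = []
    for section, keys in REQUIRED.items():
        if not cp.has_section(section):
            problems.append(f"missing [{section}] section")
            continue
        for key in keys:
            if not cp.has_option(section, key):
                problems.append(f"missing {section}.{key}")
    if cp.has_option("ip", "KeyStoreIpPort"):
        try:
            parse_ip_port(cp.get("ip", "KeyStoreIpPort"))
        except ValueError as exc:
            problems.append(f"ip.KeyStoreIpPort: {exc}")
    for key in ("ConnectTimeoutSecs", "ConnectTimeoutMSecs"):
        if cp.has_option("ip", key) and not cp.get("ip", key).strip().isdigit():
            problems.append(f"ip.{key} must be a non-negative integer")
    if cp.has_section("cert"):
        for key in FILE_KEYS:
            if cp.has_option("cert", key) and not file_exists(cp.get("cert", key)):
                problems.append(f"cert.{key}: file not found: {cp.get('cert', key)}")
    return problems


if __name__ == "__main__":
    for problem in check_keyclient_conf(SAMPLE_CONF) or ["keyclient.conf looks usable"]:
        print(problem)
```

Run against the sample on a machine without the PEM files it reports the three missing certificate files, a problem that would otherwise surface only when the FieldShield job tries to retrieve a key at decryption time. Point it at the real /usr/local/cosort/etc/keyclient.conf by reading that file into the text argument.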

 

AKM Web Interface (webmin)

The AKM Server web interface (or webmin) monitors AKM performance and login or access attempts, and provides access to the AKM file browser. Many settings can be modified through this secure web interface:

[Screenshot: Dashboard menu in the AKM ‘webmin’ web interface]

From the file manager in the web interface, full file system access to AKM is available. In the /home/admin/downloads directory, all certificates and private keys should be available in zipped folders.

The certificates and private key should be in the .pem format and stored in the pem folder within the zip folder with the name of the user (rather than the admin1 or admin2 folders). The date value is the day of the month that the folder was created during initialization of the AKM server.

There is also the ability to access logs from AKM, set logging options and IP access control for the web interface, start/stop AKM, enable two-factor authentication for the web interface, check running processes in AKM, and more, all from within webmin.

Creating and Using FieldShield Keys

AKM provides options for creating, securing, and managing encryption keys through the AKM Administrative (Admin) Console app for Windows. Consult the AKM Crypto Officer documentation for current information on creating keys through the AKM Admin console app.

FieldShield only supports 256-bit symmetric keys from AKM, known as AES256 keys. This provides the best combination of security and performance.

In the key creation dialog, choose an AES256 key, select the rest of the options as desired, and click the submit button to generate an encryption key. The output should be similar to this:

[Screenshot: the generated symmetric key shown in the AKM Admin Console]

Alternatively, when initializing AKM, a set of encryption keys can be automatically generated. A prompt appears at AKM initialization asking if an initial set of encryption keys should be generated or not.

The encryption keys you create in AKM at initialization, or through the AKM Admin Console application, will serve as passphrase values in FieldShield target /FIELD specifications that encrypt or decrypt values at the field or column level. For example, this statement:

/FIELD=(Encrypted_CCN=enc_aes256_fp_alphanum(CCN, AKM:AES256), TYPE=NUMERIC, POSITION=12, SEPARATOR="|", ODEF=CCAcctNum)


will encrypt the CCAcctNum in the 12th column of the source database table with 256-bit AES alphanumeric format-preserving encryption using the key created inside AKM under the name AES256.

What’s actually happening? FieldShield retrieves from AKM the base64-encoded stream of characters (the key value) associated with that AKM key name, and uses that stream as a new passphrase value.

That new passphrase value is then used by FieldShield, exactly as it was before AKM support, to derive the actual encrypt/decrypt key used at FieldShield runtime. In other words, using AKM involves a double derivation: AKM key value to passphrase, then passphrase to runtime key.

If you want to use a different AKM key name in another /FIELD statement to differentiate your encrypt/decrypt keys, use the AKM Admin Console to create another key under a different name. Reflect that new name into your FieldShield job script in the appropriate /FIELD statement.

To decrypt in this case, a corresponding decryption statement in a subsequent FieldShield job script would need to specify the dec_aes256_fp_alphanum function with the same AKM:AES256 passphrase to restore the original CCAcctNum value. This method works with any encryption or decryption algorithm included in FieldShield.

Example Operation

Here is a look at the FieldShield encrypt (left) and decrypt (right) job scripts used:

[Image: FieldShield encrypt (left) and decrypt (right) job scripts]

Note the syntax for specifying AKM use, which is “AKM:KeyName”. Make sure that the key name is spelled correctly: a key name that does not exist on the connected AKM instance results in a Tcpconnect error.

Key retrieval from AKM is attempted 5 times, each with a timeout of 5 seconds, as specified in the default .conf file. If the key ultimately cannot be retrieved, the job will not run.
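To make the two derivation steps and the retry behaviour concrete, here is an added example in Python. It is not FieldShield or AKM code; the page does not say how FieldShield derives its runtime key from the passphrase, so PBKDF2-HMAC-SHA256 with a fixed salt is a stand-in for that step, and `FakeAKM` is a constructed in-memory key store standing in for an AKM instance reached over TLS. The `AKM:KeyName` syntax, the five attempts with a five-second timeout, the Tcpconnect error for a missing key name, and the rule that the job does not run without the key are taken from the text above.

```python
import base64
import hashlib
import secrets


class KeyRetrievalError(Exception):
    """Raised when the key could not be retrieved after all retries.
    In FieldShield terms: the job does not run."""


class FakeAKM:
    """Constructed stand-in for an Alliance Key Manager instance (example only).
    A real client talks to AKM over an authenticated TLS connection; this keeps
    the keys in memory so the example runs offline."""

    def __init__(self, keys):
        self._keys = dict(keys)      # key name -> raw 256-bit key bytes
        self.requests = 0            # number of retrieval attempts seen

    def fetch(self, key_name, timeout):
        """One key request. `timeout` is what a real client would apply to the
        socket; here an unknown name fails immediately, mimicking the Tcpconnect
        error the post describes for misspelled or missing key names."""
        self.requests += 1
        if key_name not in self._keys:
            raise ConnectionError(
                f"Tcpconnect error: key '{key_name}' not found (timeout {timeout}s)")
        # AKM hands the key value back as base64 text.
        return base64.b64encode(self._keys[key_name]).decode("ascii")


def resolve_passphrase(spec, akm, retries=5, timeout=5.0):
    """First derivation step: turn the passphrase spec from a /FIELD statement
    into the passphrase value FieldShield will actually use.

    'AKM:KeyName' -> base64 key value retrieved from AKM, tried `retries`
    times with `timeout` seconds each (the defaults the post describes);
    any other string -> used literally, as FieldShield did before AKM support.
    """
    if not spec.startswith("AKM:"):
        return spec
    key_name = spec[len("AKM:"):]
    last_error = None
    for _attempt in range(retries):
        try:
            return akm.fetch(key_name, timeout)
        except ConnectionError as err:
            last_error = err
    raise KeyRetrievalError(f"giving up after {retries} attempts: {last_error}")


def derive_runtime_key(passphrase, salt=b"fieldshield-example-salt", iterations=100_000):
    """Second derivation step: passphrase -> 32-byte AES-256 runtime key.
    ASSUMPTION: the page does not say how FieldShield derives its runtime key;
    PBKDF2-HMAC-SHA256 with a fixed salt is a stand-in that shows the structure."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=32)


def runtime_key_for_field(spec, akm):
    """Both steps together, i.e. the 'double derivation' for one /FIELD spec."""
    return derive_runtime_key(resolve_passphrase(spec, akm))


def job_can_run(spec, akm):
    """True if the key for `spec` resolves, False if the job must abort."""
    try:
        runtime_key_for_field(spec, akm)
        return True
    except KeyRetrievalError:
        return False


if __name__ == "__main__":
    # Constructed key material standing in for keys created in the AKM Admin Console.
    akm = FakeAKM({"AES256": secrets.token_bytes(32), "AES256_SSN": secrets.token_bytes(32)})
    enc_key = runtime_key_for_field("AKM:AES256", akm)   # encrypt job
    dec_key = runtime_key_for_field("AKM:AES256", akm)   # later decrypt job
    print("same runtime key for encrypt and decrypt:", enc_key == dec_key)
    print("different key name gives a different key:",
          runtime_key_for_field("AKM:AES256_SSN", akm) != enc_key)
    print("misspelled key name lets the job run:", job_can_run("AKM:AES265", akm))
```

The point the example makes is that the encrypt job and a later decrypt job never share a secret in the job script itself: both name the same AKM key, both retrieve the same key value, and both derive the same runtime key from it, while a misspelled name fails closed after the configured retries instead of silently encrypting with a different key.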

[Image: data from this example after FieldShield encrypted it using the AKM key]

[Image: the same data after FieldShield decrypted it with the key in AKM]

The bottom line: Using AKM to store the passphrases used for decrypting data in FieldShield dramatically enhances encryption key security and industry compliance levels for data masking operations. Through key authentication and secure key management facilities, AKM can help FieldShield users close off more potential gaps in enterprise data security.

Topics: Alliance Key Manager, IRI FieldShield

IRI FieldShield Supports Townsend Security’s Alliance Key Manager

Posted by Luke Probasco on Dec 12, 2019 12:00:00 AM

Multi-Source Data Masking Software Now Encrypts and Decrypts with Keys in Cloud, VMware, or HSM Platforms

[Image: FieldShield and AKM integration schematic]

Innovative Routines International (IRI), Inc., a leading provider of data masking software, and Townsend Security, a leading authority in data privacy solutions, have enabled IRI FieldShield to use encryption keys stored and managed in Townsend Security’s Alliance Key Manager servers. The integration gives DBAs and “data security governance” professionals a robust, compliant way to encrypt or decrypt data at rest in many sources.

A multi-year rise of hacking incidents and privacy law violations has driven demand for data-centric security. “Masking data in FieldShield using AES encryption, and protecting those encryption keys with Alliance Key Manager can help mitigate the risk of data breaches, and protect an organization’s brand and reputation,” observed Patrick Townsend, Founder & CEO of Townsend Security. “This is especially relevant given laws like the California Consumer Privacy Act (CCPA), which contemplates encryption of sensitive data in order to avoid class action lawsuits,” he added.

FieldShield classifies, discovers, and masks personally identifiable information (PII) in relational and NoSQL databases, and a wide range of structured file formats on-premise or in the cloud. Multiple encryption functions -- including format-preserving encryption -- are among its 15 masking categories. FieldShield users can assign a unique passphrase to serve as an encryption key for one or more data classes (columns or fields). The keys allow the restoration of original values from ciphertext when used with the corresponding decryption function.

Alliance Key Manager provides the security of TLS-authenticated access to FieldShield passphrases stored in VMware, Microsoft Azure, Amazon Web Services, or a private or dedicated Hardware Security Module (HSM). This assures that only authorized users can access the key server and obtain the keys to decrypt.

FieldShield users can generate the keys using either the native command line or web interface to Alliance Key Manager. “Centralizing storage of FieldShield passphrases through Alliance Key Manager not only gives our users FIPS 140-2 compliant key security, but also a more convenient way to manage their encryption keys,” according to IRI developer Devon Kozenieski.

About IRI
Founded in 1978, IRI develops fast data management and data-centric security software through 40 cities worldwide. IRI’s proven data manipulation engine -- and its free Eclipse job design environment -- provide uniquely price-performant and versatile data lifecycle solution software for big data and BI/DW architects, data security and compliance teams, DBAs, and developers. Gartner recognizes IRI FieldShield, CellShield, DarkShield as static and dynamic masking solutions for structured, semi-structured, and unstructured data sources.

Topics: Alliance Key Manager, Press Release, IRI FieldShield

Case Study: Indus Systems

Posted by Luke Probasco on Jul 16, 2019 8:13:57 AM

[Image: Indus Systems logo]

IT Solution Provider Helps Customer Protect vSphere and vSAN Encryption Keys with Alliance Key Manager for VMware

“As our customers face new and evolving compliance regulations that require them to encrypt private data, we needed a partner that could provide easy and affordable encryption key management for VMware.”

- Kushal Sukhija, Technical Director, Indus Systems

As processes are becoming more complex, competitive and demanding, businesses are constantly exploring new ways to deploy effective solutions. Indus Systems (www.indussystem.com) has, over the years, synchronized its team to offer best-of-breed solutions from leading technology partners, coupled with its Professional Services, to help customers protect their Information Technology investment, reduce costs and grow their business. Its IT solutions increase staff efficiency and reduce infrastructure footprint, which act as a catalyst for quantum business growth. Indus Systems strives to be a hand-holding partner in its customers’ journey.
With over 15 years of experience and 300+ happy clients, Indus Systems offers solutions in:
  • Business Continuity
  • Core Infrastructure
  • Network & Security
  • Mobility
  • User Devices
  • Professional Services

The Challenge: vSphere / vSAN Encryption Key Management

Based in India, Indus Systems is increasingly finding their financial customers concerned with meeting the Securities and Exchange Board of India (SEBI) requirements for protecting private information. According to the SEBI framework, which came into force on April 1, 2019, “Critical data must be identified and encrypted in motion and at rest by using strong encryption methods.”

[Image: JM Financial logo]

With SEBI’s new cyber security framework, JM Financial Asset Management Ltd turned to Indus Systems for guidance on how to better protect their data. JM Financial Asset Management Ltd, an Indus Systems customer of 10 years, was due for a technology refresh. As part of the project, the company would rely heavily on VMware and on protecting private data with vSphere and vSAN encryption.

Knowing that for encryption to be truly effective it needs to be coupled with encryption key management, Indus Systems and JM Financial Asset Management Ltd visited VMware’s Solution Exchange in search of a VMware Ready key management solution.

The Solution

Alliance Key Manager for VMware

“After visiting VMware’s Solution Exchange and finding Townsend Security’s Alliance Key Manager as a VMware Ready solution that had been certified by VMware for use with vSphere and vSAN encryption, we knew that we could easily help customers like JM Financial Asset Management Ltd meet SEBI’s encryption requirements,” said Kushal Sukhija, Technical Director, Indus Systems.

With Alliance Key Manager for VMware, organizations can centrally manage their encryption keys with an affordable FIPS 140-2 compliant encryption key manager. Further, they can use native vSphere and vSAN encryption - agentless - to protect VMware images and digital assets at no additional cost. VMware customers can deploy multiple, redundant key servers as a part of the KMS Cluster configuration for maximum resilience and high availability.

“Alliance Key Manager proved to be an affordable and easy to deploy solution that we will be able to offer our customers beyond JM Financial Asset Management Ltd,” continued Sukhija. “Further, as part of our due diligence, we started a Proof of Concept (POC) with another key management vendor as well. After getting halfway through the project, we could quickly see that their solution was getting complicated and expensive - something that we could not recommend and deploy for our customers.”

By deploying Alliance Key Manager for VMware, Indus Systems was able to meet their organization’s and client’s needs to protect private data at rest in VMware.

Integration with VMware

“VMware’s native vSphere and vSAN encryption make it easy to protect VMware images and digital assets. With Townsend Security’s Alliance Key Manager, we were able to protect our data with no additional agents or additional costs as JM Financial Asset Management Ltd scales their IT infrastructure,” said Sukhija. With a low total cost of ownership, Alliance Key Manager customers can leverage the built-in encryption engine in VMware enterprise, with no limits imposed to the number of servers or data that can be protected.

By achieving VMware Ready status with Alliance Key Manager, Townsend Security has been able to work with VMware to bring affordable encryption key management to VMware customers and the many databases and applications they run in VMware Enterprise. VMware Ready status signifies to customers that Alliance Key Manager for VMware can be deployed in production environments with confidence and can speed time to value within customer environments.


Topics: Alliance Key Manager, Case Study

VMWare and Encryption Key Management Failover

Posted by Patrick Townsend on Jun 26, 2019 12:38:09 PM

One of the easiest ways to implement encryption controls in your VMware infrastructure is to activate vSphere and vSAN encryption. With vSphere VM encryption you can ensure that all VM images are encrypted at rest, and with vSAN encryption you can set up virtual disks that are fully encrypted, protecting any files that you place there. vSphere encryption was implemented in version 6.5, and vSAN encryption was implemented in version 6.6. All subsequent versions of vSphere and vSAN include these capabilities. (Note that you must be on the Enterprise or Platinum edition.)

[Image: vSphere VM Encryption and vSAN Encryption]

In both vSphere and vSAN the key manager is integrated using the open standard Key Management Interoperability Protocol, or KMIP. This means that any key management solution that supports the necessary KMIP interface can work as a vSphere or vSAN key manager. Our Alliance Key Manager solution implements this support, and is already in use by our VMware customers. 

The most common question we get about these new encryption features is: How do I manage failover for the key managers?

This is a great question, as VMware is part of your critical infrastructure and key management has to work with your high availability strategy. There are two parts to this question, so let’s dig into both of them:

Defining Key Managers to vSphere KMS Cluster

Key managers are defined to vSphere using the option to configure the KMS Cluster. A KMS Cluster configuration allows you to define more than one key manager. So you have a readily available path for failover. The first key manager configuration is the primary key manager, and all subsequent key managers in the KMS Cluster are failover key managers. vSphere will always use the first key manager you define and treat it as the primary. 

In the event vSphere cannot connect to the primary key manager, it will try to connect to the second key manager in the KMS Cluster configuration. If that one fails it will try the third one, and so forth. The failover order is the order in which you define key managers in the KMS Cluster, so you should keep that in mind as you define the key managers.

While vSphere allows you to create multiple KMS Cluster definitions, very few VMware customers need multiple definitions. Just put your key manager definitions in a single KMS Cluster and you are set to go. 

If you have failover clusters for VMware, be sure to define the KMS Cluster for the failover environment, too!

Implementing Key Mirroring in Alliance Key Manager

Now that you have failover key managers defined to the KMS Cluster, you need to activate key mirroring between the primary key manager and each failover key manager. This is really easy to do, and you don’t need any third party products to implement key mirroring with Alliance Key Manager. Real time, active-active key mirroring is built right into the solution. You can SSH into the key manager, provide credentials, and then take the menu option to set up the primary or secondary key server. Answer a few questions and you will have key mirroring enabled between two or more Alliance Key Manager servers.
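The two halves described above, the ordered failover of a KMS Cluster and key mirroring between the primary and each failover key manager, are modelled in this added Python example. It is not Alliance Key Manager or vSphere code: `KeyManager` is a constructed stand-in for one AKM node reached over KMIP, `KmsCluster` follows the rule stated above that vSphere uses the first definition as the primary and walks the list in definition order only when earlier nodes cannot be reached, and `mirror_from_primary` stands in for AKM's built-in active-active mirroring. The `mirror_gaps` check is the part a practitioner would want to run before trusting failover: a failover node that is reachable but is missing a key does not help when the primary is down.

```python
class KeyManager:
    """Constructed stand-in for one Alliance Key Manager node serving keys to
    vSphere over KMIP (example only, not the product's code)."""

    def __init__(self, name, keys=None, reachable=True):
        self.name = name
        self.keys = dict(keys or {})   # key id -> key bytes held by this node
        self.reachable = reachable     # flip to False to simulate an outage

    def get_key(self, key_id):
        if not self.reachable:
            raise ConnectionError(f"{self.name}: connection refused")
        if key_id not in self.keys:
            raise KeyError(f"{self.name}: key {key_id!r} not present on this node")
        return self.keys[key_id]


class KmsCluster:
    """Ordered list of key managers, modelled on how vSphere treats a KMS
    Cluster: the first entry is the primary, and later entries are tried in
    definition order only when every earlier one cannot be reached."""

    def __init__(self, managers):
        if not managers:
            raise ValueError("a KMS Cluster needs at least one key manager")
        self.managers = list(managers)

    @property
    def primary(self):
        return self.managers[0]

    def get_key(self, key_id):
        """Return (node name, key) from the first reachable node. A reachable
        node that lacks the key is a mirroring gap, not a failover case, so
        that KeyError is raised rather than masked by trying the next node."""
        failures = []
        for km in self.managers:
            try:
                return km.name, km.get_key(key_id)
            except ConnectionError as err:
                failures.append(str(err))
        raise ConnectionError("no key manager reachable: " + "; ".join(failures))


def serving_node(cluster, key_id):
    """Name of the node that would serve `key_id`, or None if none is reachable."""
    try:
        return cluster.get_key(key_id)[0]
    except ConnectionError:
        return None


def mirror_from_primary(cluster):
    """Stand-in for AKM's built-in key mirroring: copy every key on the primary
    to each reachable failover node. Returns the names of the nodes updated."""
    updated = []
    for km in cluster.managers[1:]:
        if km.reachable:
            km.keys.update(cluster.primary.keys)
            updated.append(km.name)
    return updated


def mirror_gaps(cluster):
    """Health check to run before relying on failover: key ids held by the
    primary but missing on a reachable failover node."""
    gaps = {}
    for km in cluster.managers[1:]:
        if not km.reachable:
            continue
        missing = sorted(set(cluster.primary.keys) - set(km.keys))
        if missing:
            gaps[km.name] = missing
    return gaps


if __name__ == "__main__":
    # Constructed key ids and key bytes; nothing here comes from a real deployment.
    primary = KeyManager("akm-primary", {"kek-vsan-01": b"\x11" * 32})
    secondary = KeyManager("akm-secondary")
    cluster = KmsCluster([primary, secondary])
    print("gaps before mirroring:", mirror_gaps(cluster))
    mirror_from_primary(cluster)
    print("gaps after mirroring:", mirror_gaps(cluster))
    print("served by:", serving_node(cluster, "kek-vsan-01"))
    primary.reachable = False
    print("primary down, served by:", serving_node(cluster, "kek-vsan-01"))
```

The order of the list passed to `KmsCluster` is the failover order, which mirrors the advice above to think about that order when defining key managers. Letting a KeyError from a reachable node surface, instead of quietly trying the next node, is deliberate: it turns a silent mirroring gap into a visible error during testing rather than during an outage.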

Our Alliance Key Manager solution implements full support for vSphere and vSAN encryption key management and has everything you need to get started. Adding encryption to your VMware environment is easy. VMware did a great job with this implementation of key management support and you can easily realize the benefits of protecting VMware infrastructure.

Alliance Key Manager documentation for vSphere can be found here.

You can download Alliance Key Manager and get started right away. Here is where to go to start the process.

Townsend Security will help you get started with vSphere and vSAN encryption. There is no charge for the evaluation or evaluation licenses and you will get access to the Townsend Security support team to ensure you have a successful project.

Patrick


Topics: Alliance Key Manager, VMware