Townsend Security Data Privacy Blog

For applications that require the highest level of security, developers can use the on-board, NIST-compliant encryption and decryption services on Alliance Key Manager, rather than encrypting at the application or database level. Under this strategy, encryption keys never leave the key manager. With on-board encryption services, small chunks of data, such as credit card numbers, Social Security numbers, e-mail addresses, etc are encrypted on the server (physical HSM, VMware, or virtual appliance in the cloud). Because data is securely transferred to the key manager for encryption, it is recommended for smaller amounts of data. For larger amounts of data, it is still recommended to encrypt at the database or application level.

Using an Encryption Service
Businesses can use onboard encryption effectively to improve their security posture and reduce their attack surface. This strategy is helpful in situations where they don’t want to expose the encryption key in their application or server environment. For businesses who have their data in the cloud, this also alleviates the risk of exposure of the encryption key in cloud memory.

Encryption Service Performance
The performance of an encryption service is one of the biggest concerns that businesses have when taking this approach to protecting data. To shed some light on these concerns, we did some testing using our Java SDK on small blobs (<16KB) and with our .NET Key Client for large blobs.

Small Blob Performance
Quant. | avg enc/dec | avg rate
< 1KB | 48ms | 21 ops/sec
3KB | 50ms | 20 ops/sec
5KB | 51ms | 20 ops/sec
7KB | 52ms | 19 ops/sec
10KB | 53ms | 19 ops/sec
16KB | 55ms | 18 ops/sec

As a general metric, it is fair to say that for small pieces of data, the average latency for AES encryption (using CBC mode) is 50ms, yielding a rate of 20 operations per second.

Large Blob Performance

The results of testing with the .NET Key Client for large blob:

Quant | Avg. enc. time
1MB | 462 ms
2MB | 535 ms
5MB | 949 ms
7MB | 1.16 s
10MB | 1.74 s
15MB | 2.34 s
25MB | 3.61 s
50MB | 7.60 s
70MB | 10.65 s

This can be represented as a graph:

Taking this data and calculating the rate at which Alliance Key Manager is encrypting data, we were able to generate this graph:

The horizontal axis is the size of the data being encrypted--the larger the file, the more likely it will approach maximum speed. For encrypting small pieces of data, the process of establishing a connection to Alliance Key Manager and sending the data vastly outweighs the actual encryption, so the rate shows as very low. It spikes up to about 6.5 MB/s when the size of the data is around 5MB--larger than that, and the time to encrypt can be predicted using that rate.

The major take-away: encrypting large blobs on AKM using the .NET Key Client occurs at a rate of 6.5MB/s. It is likely that the Java SDK, and other SDKs, would have about the same level of performance. This data was compiled on an AKM with 1CPU and 2GB of memory. Doubling those resources yields a small increase in performance--up to 6.9 MB/s .

Conclusion

While there are performance impacts when encrypting large amounts of data with an encryption service (as opposed to encrypting an entire database or column within), it does provide improved security on smaller amounts of data for business wanting to minimize their encryption key exposure. Further, by utilizing Townsend Security’s encryption service, businesses can have confidence that they are protecting their data with NIST-compliant AES encryption. NIST compliance means that the encryption implementation has been reviewed by an independent testing lab who reports the results to NIST for validation.

This week Amazon Web Services sent an email to our AWS customers informing them that Alliance Key Manager was no longer available in the AWS Marketplace. This email message was inaccurate and misleading. Townsend Security is committed to providing dedicated, compliant key management solutions to AWS customers, as well as to other cloud platform customers, and continues to make our solution available on the AWS Marketplace.

This is from the email message sent by Amazon:

We are writing to inform you that, as of 10 October 2018, Townsend Security will no longer offer "Alliance Key Manager for AWS" to new subscribers on AWS Marketplace.”

In fact, Townsend Security posted a new version of Alliance Key Manager on AWS this week, and withdrew the older version. The withdrawn version is Alliance Key Manager version 4.5. The new version is Alliance Key Manager version 4.6, which adds new support for VMware vSphere and vSAN encryption key management. You can find the current version of Alliance Key Manager in the AWS Marketplace here:

• Fee-based
• Bring Your Own License

Both versions of Alliance Key Manager remain under full software support and maintenance. You can upgrade to the new version if and when you wish to.

Please be aware that Amazon prevents us from knowing your customer details when you use the fee-based offering on AWS. Unless you register with us we won't be able to inform you if we have important updates and security patches. If you are an Alliance Key Manager customer on AWS, please register with us here.

Our goal is to provide you with the best key management and encryption solutions on the AWS platform. You always have exclusive control of your encryption keys and – neither Amazon nor Townsend Security can manage or access your keys.

If you have any questions please contact us here.

Townsend Security

VMware users can now protect VM Images and vSAN with Alliance Key Manager, Townsend Security’s FIPS 140-2 compliant encryption key manager.

Townsend Security is excited to announce that its new version of Alliance Key Manager fully supports VMware vSphere encryption for both VMware virtual machines (VMs) and for VMware Virtual Disk (vDisk). VMware users have been using Alliance Key Manager to protect data in application databases and applications to meet PCI DSS, GDPR, HIPAA compliance as well as other data privacy regulations. Now VMware users can use the same Alliance Key Manager solution with vSphere to protect virtual machines and virtual disks. Townsend Security is a VMware Technology Alliance Partner (TAP) and Alliance Key Manager for VMware has achieved VMware Ready status.  

“Our customers have been using Alliance Key Manager to protect data in Microsoft SQL Server, MongoDB and other environments for many years. Now VMware users can have confidence that Alliance Key Manager can also protect VMware virtual machines and virtual disk to achieve the highest level of data-at-rest protection,” said Patrick Townsend, CEO of Townsend Security. “VMware users are looking for certified solutions that support their complex Windows and Linux environments without the need to deploy additional hardware-based HSMs. We are happy to announce this extension of our key management solution to help VMware vSphere users achieve a high level of data protection.”

VMware users are looking for affordable solutions that provably meet compliance regulations and which fit their budget and deployment goals. Alliance Key Manager meets this goal by providing NIST FIPS 140-2 compliance, PCI-DSS certification, and Key Management Interoperability Protocol (KMIP) compliance out of the box. Existing Alliance Key Manager customers can upgrade at no cost to extend their data protection compliance requirements to vSphere. New customers can deploy Alliance Key Manager without the fear of increased, unplanned licensing costs in the future.

In addition to PCI DSS, compliance regulations such as the European Union General Data Protection Regulation (GDPR), the HIPAA data security regulation, and many other data protection regulations, require the encryption of data at rest. Alliance Key Manager combined with vSphere encryption are the protection methods  to help you meet these regulatory requirements. “Don’t be fooled by vague language in the GDPR regulation. You must act to protect sensitive information of individuals in order to meet this regulatory requirement. You should act now to protect your organization,” said Townsend.

Alliance Key Manager for VMware is available for a free 30-day evaluation.

Take a little imaginary trip with me.

You want to buy a new car and you are dreaming of all of the great places you can go and hikes you can take. You’ve done your research, you’ve identified a favorite model, you know the mileage and quality ratings, and you’ve made up you mind! That dream car is going to be yours.

You spend the obligatory two hours at the dealer and drive away with your dream vehicle. You drive it home and park it in the driveway.

Time to head out to your first destination! You pile your hiking gear into the car and head for the Appalachians for your first hike.

Suddenly, your car stops dead in the road and says “Sorry, you need to pay for this destination. It is not a part of your original car purchase plan. That will be an extra $5,000 please. Credit cards accepted!”

WTF?

You didn’t read the fine print. This car purchase plan only includes 5 destinations and the Appalachians aren’t in the plan. Each new destination is going to cost you a bundle.

Welcome to Key Management System licensing.

Most Enterprise Key Management Systems (KMS) work with this licensing model. You will usually find that you need to license each end-point that connects to the key manager. One end-point may be included in the KMS pricing, but you need to purchase additional “license packs” to attach additional systems. Or, you find that your KMS only supports a limited number of encryption keys. As soon as you roll your keys to meet compliance requirements, it is suddenly time to purchase capacity for more keys! Or, for that new encryption project, you may find that you need to purchase new software to enable encryption for that environment.

And it can get really bad when you discover that the KMS system comes in different hardware models and you suddenly need to purchase an entirely different hardware model and do full replacements. That’s painful.

This typical KMS licensing model works really well for the companies that sell them. For companies who need to deploy encryption?

Not so much …

It means going to management for new budget approval every time you want to extend your security through better encryption. Over time this can add up to hundreds of thousands or even millions of dollars in new license and maintenance fees.

There has to be a better way, right?

There is. Here at Townsend Security we do things differently with our Alliance Key Manager licensing. You purchase the KMS platform of your choice and use it the way you want. It is that simple. From that point on:

• We never charge you fees for connecting a new end-point that needs a KMS.
• We never limit the number of end-points based on the model of the KMS.
• We never limit the number of encryption keys generated or stored on the KMS.
• We never force you to pay extra fees for software patches.
• We never force you to pay extra fees for routine software upgrades.
• If you have a hardware HSM, we do not force you to re-purchase the KMS at end of life. Just replace the hardware and keep on keepin’ on!

Fortunately, the story about purchasing a car was completely made up. But the nightmare of KMS licensing is real. Just know that it doesn’t have to be that way. Take a look at our KMS offerings and see a new path forward.

Pinch yourself. And get ready for that dream trip.

We provide Alliance Key Manager as a hardware security module (HSM), as a VMware software appliance, and as a cloud instance (Azure, AWS) - All running the same key management software with the same interfaces and applications.

Patrick

The security vulnerabilities known as Meltdown and Spectre involving speculative execution logic in a variety of Intel and non-Intel architectures also affects the Townsend Security product Alliance Key Manager through the SUSE Linux operating system. Exploitation of this vulnerability is primarily accomplished through user access to the server environment. Alliance Key Manager does not provide user access to the server. Therefore, the risk of exploitation of this vulnerability is considered low. However, Townsend Security is providing a software update to address this issue.

If you wish to apply this update please contact Townsend Security support. 

A customer service representative will provide you with information on installing the update.

As has been widely noted, you may experience some performance degradation related to the resolution of the Meltdown/Spectre software fix. This will not affect most Alliance Key Manager customers. However, if you process a large number of keys (thousands or more) you may wish to apply the patch to a failover server first and test the performance. Townsend Security will assist you with any performance proof-of-concept if needed.

Please be advised that customers using Alliance Key Manager in virtualized environments (cloud, VMware, etc.) also run some risk related to any hypervisor that is subject to this vulnerability. Please contact your cloud service provider or virtualization software provider for more information.

For Amazon Web Services (AWS) users, encryption and key management has never been easier.  Townsend Security's Alliance Key Manager uses the same FIPS 140-2 compliant key management technology found in the company's HSM and in use by over 3,000 customers worldwide. In the AWS Marketplace, there are two entries for Alliance Key Manager – one is for the fee-based implementation and one is for the Bring Your Own License (BYOL) implementation. Both are identical in their key management functionality. If you only need one or two instances of Alliance Key Manager you can use the fee-based entry in the marketplace. If you are going to use more than a couple of instances of the key manager you may want to use the Bring Your Own License entry to launch the key manager. There are discounts available for multiple instances of Alliance Key Manager and the BYOL version may be less expensive.

If you are logged into your AWS account you can directly launch Alliance Key Manager from the marketplace. Both licensing models support a free 30-day license to use the key manager. 

Before launching, you should determine if you want to run the key manager in the public AWS cloud, or if you want to run the key manager in a virtual private cloud (VPC).  The AWS virtual private cloud platform provides more isolation from other cloud customers and therefore a bit more security, if that is desired.

As you launch Alliance Key Manager in the AWS cloud you will need to select a region in which to run the key manager. Alliance Key Manager supports all of the AWS regions and you can run it anywhere. Your choice of regions may reflect your estimate of where you will have the greatest demand, or where you want critical key material to reside.

Once your AWS instance of Alliance Key Manager has been launched you can open an SSH session to the key manager to perform initial set up. You will change your password, create a set of server and client PKI certificates, indicate whether this instance of the key server is a primary or secondary mirror server, and create some initial unique encryption keys. After answering these questions you will have a fully functional, dedicated EC2 instance of Alliance Key Manager ready to use.

Alliance Key Manager comes with a full suite of software development kits (SDKs) and documentation, but the marketplace is limited to three documents. After you launch your AWS instance of the key manager please contact Townsend Security to register and get access to the AKM Supplemental documentation.  Unless you register at the Townsend Security web site it will not be possible to contact you and send you the documentation. There is no charge for access to the documentation.

The AWS license comes with customer support at the Basic level. This provides technical support and software updates via email during business hours. A Premium Support options is available that provides telephone and web support and includes 24/7/365 support for business interruption issues. Please visit the Townsend Security web site for more information about the Premium Support option and to register your instance of Alliance Key Manager for AWS.

At Townsend Security we want to provide you with a positive experience with our key management products and provide you the support you deserve. When you run our Alliance Key Manager in AWS we won’t know who you are because Amazon does not report that information. By registering at the Townsend Security web site you get access to documentation, SDKs and free support. And we can keep you up to date on the latest security patches and enhancements!

You can find more information about Alliance Key Manager in AWS here.