Townsend Security Data Privacy Blog

Encryption Key Management Options: Hardware, Virtualized, and Cloud… Oh My!

Posted by Michelle Larson on Jan 9, 2014 2:39:00 PM

With encryption and key management now being offered on a variety of hardware, virtualized, and cloud platforms, is it simply just a matter of preference or is one option better for you than another?  

Listen to the Podcast on Key Management Options Companies of all sizes now have options for securely protecting sensitive data using the appropriate security technology for their situation and industry regulations. Being responsible for the safekeeping of sensitive data like credit cards, social security numbers, or e-mail addresses, makes your encryption and key management strategy critically important. Once your sensitive data is encrypted, key managers are the specialized security devices that are designed to safeguard your encryption key (which is the secret that must be protected). Before deciding on how an enterprise should deploy an encryption key manager there are several questions to ask and factors to consider.

What different device options are available to organizations needing an encryption key manager?

Hardware Devices
Today we have many options for key management solutions, including the traditional key management hardware security module (HSM), which is now more cost effective and easy to deploy than it was even five years ago. HSMs are network attached in your data center and accessed when encryption keys are needed. If your company has a physical data center and the infrastructure to support it, an HSM can still be your most secure option.

Cloud-hosted HSM
The cloud-hosted key management HSM functions in much the same way as the traditional security device. However, you do not need to have the infrastructure of a physical data center in order deploy or maintain the cloud-based HSM since it is hosted by the cloud hosting provider.  Be aware of your cloud environment (is it shared or private?), and make sure to choose an option that provides real-time mirroring and redundant backups in geographically diverse locations.

Virtualization Options
Additionally it is now possible to deploy virtualized key management appliances. There is no hardware when you deploy a VMware or Hyper-v or Xen virtualized appliance inside your own virtualization infrastructure. A true cloud-based key management solution like VMware gives you a path to run key management solutions in vCloud either as standard cloud instance or virtual private clouds. Microsoft Azure and Amazon Web Service and other cloud platforms provide a mechanism for deploying virtualized key management appliances too.

What are some factors people need to consider when deciding which key management option is right for their organization?

Risk Tolerance
Risk tolerance is perhaps the main driving force for which of the key management options you might choose. If you're very risk-averse then probably you will want to deploy a hardware security module (HSM) in your own data center.  If you have a moderate level of risk tolerance  you might consider a cloud-based HSM hosted by a cloud vendor with appropriate security technology. A company dealing with small amounts of data might bear some additional risk and use a key management solution to help protect encryption keys in a virtual environment. Cloud or virtual solutions can be much more cost-effective and give enough protection for encryption keys to meet a lower risk tolerance level.

Compliance Regulations
Most compliance regulations give clear guidance on best practices about where encryption key management can and should run. Generally speaking, regulations are based on your industry and what type of sensitive data you store. 

PCI Security Standards Council has issued Cloud Computing Guidelines as well as guidance around virtualization of data protection solutions, so you can be PCI compliant with a cloud-based key management and encryption solution.

Cloud Security Alliance (CSA) has issued good guidance around key management and cloud environments - version 3.

Other regulations are not yet providing concrete guidance,and in some cases it is best to confirm with qualified auditors and assessors to really understand whether or not you can be in compliance and deploy true cloud-based virtualized key management solutions.

Your key management options are also based on where your data is stored. If you don't have a traditional data center, for example if you are using a software as a service (SaaS) solution, you may not have your own IT infrastructure or personnel with which to deploy a traditional encryption key management HSM internally. So the physical and organizational structure will come to bear in terms of the choices that you have around deploying key management.

Budget is always an important factor. As you consider various options, ask about endpoint licensing fees and make sure you have predictable maintenance costs as more databases/applications request key access. Remember to consider the costs of not properly managing sensitive data when doing the security cost benefit analysis.

Whatever option you choose, it is always wise to use key management best practices:

    • Always separate the encryption keys from the protected data
    • Use dual control
    • Practice separation of duties
    • Manage key rotation
    • Look for NIST validations like FIPS 140-2

Please download our most recent podcast on Encryption Key Management Options to hear more about how to meet the challenges of running cloud or virtual applications where implementations are inherently shared, multi-tenant environments!

Listen to the Podcast on Key Management Options

Topics: Alliance Key Manager, HSM, Hosting, Encryption Key Management, cloud, Virtualized Encryption Key Management, Podcast, Alliance Key Manager Cloud HSM, Choosing Solution

Exposed and We Know It - Don’t Wait Around for a Data Breach!

Posted by Kristie Edwards on Apr 8, 2013 10:20:00 AM
Top IBM i Security Tips

Here at Townsend Security we’re always engaging with businesses and organizations who not only need to meet data security compliance regulations such as PCI-DSS, HIPAA-HITECH, and GLBA/FFIEC, but are also deeply concerned about their customers’ data and the protection of their own company’s brand in the event of a data loss. Compliance is often the main driver of encryption and encryption key management, but these days the fear of a data breach weighs heavy on my peoples’ minds. 

I recently spoke with a prospect who downloaded our AES Encryption Standards White Paper, and then decided to contact us. He was eager to find out about pricing and how AES encryption could work with his company. He told me about their need for encryption: he is very concerned about meeting HIPAA/HITECH and SOX Acts (both recommend if not require encryption and key management), and he knows his company’s data is unprotected in many critical areas. As he put it, they’re just waiting for something bad to happen. Although they are already encrypting much of their sensitive data (a great first step), they have outgrown their current encryption solution, need to encrypt more data, and are still out of compliance.

He said to me point blank, “We are sitting here with our pants down, waiting to be exposed!” 

I asked the prospect, “Well let me ask you an easy first question to make sure our NIST Certified AES Encryption fits you and your company’s needs.  What system are you currently running on?”  

His reply: IBM i, Power 7.  

I told him: WE CAN DO THAT!!

Townsend Security has a deep history with IBM i.  We have been working with IBM i systems for over 20 years. With the new FIELDPROC capabilities in IBM i V7R1, our AES encryption solution installs into an IBM i customer’s environment, provides both our optimized and certified AES encryption libraries, and the encryption key management you need to be compliant. IBM has done the hard work of making this capability available, and we do the work of snapping in proper encryption and key management.

Later in our conversation, we discussed risk management, cost and what would happen to the company if they were exposed.  He told his boss that they were subject to fines and damage to their company brand and would spend time remediating the breach instead of growing the business.  Protecting the company’s sensitive data not only protects the business as a whole, it also protects your customers who rely on and trust your company to protect their personal information.

To learn more about Townsend Security’s easy and automatic encryption and key management solutions for IBM i contact us day at 1-800-357-1019. Or if you’re not into picking up that heavy phone, contact Kristie Edwards ( today, and we’ll make sure we do the heavy lifting on our end. You might also enjoy watching a recording of our recent webinar, "Top 3 IBM i Security Tips,” presented by data security experts Patrick Townsend and Patrick Botz.

Topics: Data Privacy, IBM i, Choosing Solution

System Logging on the IBM i (AS/400): Selecting a Logging Solution

Posted by Luke Probasco on Feb 7, 2012 8:52:00 AM

system logging IBM iIn our final installment on system logging on the IBM i series, Patrick Townsend, Founder & CTO, discusses what to look for when selecting and deploying a logging solution.  As we found out in part two of this series, it really isn’t a good idea to take the “do it yourself” approach.  System logs are in several different locations on the IBM i, and even if you get them all together, it is still a challenge to get them in a useable format.  Here is what Patrick has to say about selecting a logging solution:

So what do you need to look for when selecting and deploying a logging solution?

I think that there are four key points when looking at a logging solution especially on the IBM i Platform. One is, you want a real-time logging solution.  It won’t cut it to have a system collecting events once or twice a day and sending them off to a log server.  You need a real-time system that is collecting events as they happen so that your log collection server and your SIEM can actually correlate events across multiple servers and “see” what’s happening.

Secondly, on the IBM i, performance is always an issue. We have many customers running Alliance LogAgent with tens of millions of events a day.  Just this week we talked to a customer who was generating 120 million events a day.  That is a lot of events to be collecting and other solutions just can’t keep up with the sheer volume of events.  If your system can’t keep up with that, you will have a real compliance problem.  I’m really proud of the performance of our solution and that it allows us to do hundreds of millions of events every day, keeping up with the security events of the largest customers.

Third, logs should be protected while they are being transmitted to a log server.  Alliance LogAgent protects the transmission with a SSL/TCP connection.  Some of the information in your system logs can be very sensitive and it would be a bad idea to transmit this data in the clear.  When choosing a logging solution, it should have full support for a secure transfer mechanism.

Finally, industry standards are very important.  Standards are important on a very practical level.  When you buy a light bulb in the store, you want to be able to take it home and plug into a light socket.  You are able to do this because of standards.  The same is true for logging events on the IBM i.  There is a standard format for logging system events and the way you send your logs from an IBM i to a log collection server.  Query, reporting, and alerting tools depend on those standard formats.  The solution that you decide to deploy should be built on industry standards.  We support both the RFC Format and Common Event Format standards.

Those are the four most critical points for a standard logging solution and I am really proud that our product, LogAgent stands up really well on all four of those points. Overall, I think if you focus on those four items you’ll be in a good place.

Listen to our podcast “System Logging on the IBM i” for more information on logging, how it can help you meet compliance requirements, what to look for in a logging solution, and how Townsend Security can help you transmit the logs from your IBM i to any SIEM console.

Click me

Topics: Alliance LogAgent, logging, Choosing Solution