Townsend Security Data Privacy Blog

Encryption Key Management & Your IT Strategy

Posted by Luke Probasco on May 24, 2016 7:25:00 AM

Excerpt from the eBook "2016 Encryption Key Management: Industry Perspectives and Trends." 

Virtualization Will Continue to Dominate IT Strategy & Infrastructure

Encryption Key Management Industry Perspectives and Trends eBook Large and small enterprises will continue to grow their virtualization footprints at the same time that they are looking to migrate applications to the cloud. The cost reductions provided by the market leader VMware will ensure that the VMware customer base will continue to consolidate applications and servers on their virtualization technology and that they will continue to be a powerful player in the IT infrastructure space for many years.

While VMware is the dominant technology provider for virtualization, we will see Microsoft attempt to increase their footprint with Hyper-V, and OpenStack solutions will also expand. We expect that all of the virtualization solution providers will attempt to de ne a clear path to the cloud based on their technologies. VMware is already moving in this direction with their vCloud Air initiative, and Microsoft uses Hyper-V as the foundation for the Azure cloud.

Encryption key management solutions that only run in hardware, or that only run on cloud platforms, present substantial obstacles for businesses with virtualized data centers. The rich set of management and security tools are not able to work effectively with solutions that are outside the virtualization boundary. Customers are looking to reduce their hardware footprint, not increase it. And solutions that can’t be managed or secured in the usual way represent additional risk and cost. Encryption key management solutions should be able to run within the virtualization boundary as an approved security application. Key management vendors vary greatly in their ability to support the range of deployments from traditional IT data center, to virtualized plat- forms, to the cloud. Organizations will continue to struggle with key management across these environments.

Take Aways

  • Encryption key management solutions should be able to run as fully native virtual machines in a VMware or Hyper-V environment.
  • Encryption key management solutions should be compatible with security and management functions of the virtual platform.
  • To maintain maximum business flexibility, deploy a key management solution that works well in virtual, cloud, and traditional hardware platforms.
  • Look for key management solutions that carry industry security certifications such as PCI Data Security Standard (PCI DSS), etc.

Key Management Vendor Stability Loses Ground

Merger and acquisitions in the security community continue at a rapid pace. Encryption key management vendors are being absorbed into larger organizations and this trend will likely continue. The public relations around such mergers and acquisitions is always accompanied with glowing prognostications and happy talk. Unfortunately, as often happens with any merger, key management vendors may experience disruption in their organizations as a result of a merger or acquisition. A key management solution may not be strategically important to an acquirer and this can result in disinvestment in the solution negatively impacting customer support. Key management is a part of an organization’s critical infrastructure and these changes can be disruptive.

Organizations can work to minimize the potential impact of key management vendor consolidation by understanding the vendor’s organizational structure, corporate history, and financial basis. Venture backed organizations can be expected to experience an exit through a merger, acquisition, or public offering. Vendors with solutions that are not strategically important to their product mix can also experience change and disruption. Using care in key management vendor selection may be one of the most important efforts you can make. This will be a continuing challenge in the years ahead.

Take Aways

  • Understand your key management vendor’s equity foundation and the likelihood of a merger or acquisition. If the key management vendor is largely funded by venture capital it is almost certain that the company will experience a merger or acquisition event.
  • Understand your key management vendor’s management team. Have key employees been with the company for a longer period of time? This is one good indicator of organizational stability.

Vendor Customer Support is a Growing Concern

As mentioned previously, encryption key management vendors continue to be absorbed into larger organizations and this trend will likely continue. Unfortunately, as can happen with any merger, key management vendors may experience disruption in their organizations as a result of a merger or acquisition. This can directly a effect the customer support organization and your ability to get timely and reliable technical support for your encryption key management solution. Deteriorating customer support can put your organization at risk. Key management solutions are a part of your critical infrastructure and proper customer support is crucial to operational resilience.

Another side affect of reduced or under-funded customer support is the inability of your organization to expand and invest in new applications and systems. These impacts on customer support may not present short-term problems, but can impair long-term resilience and growth flexibility. Many organizations will continue to experience inadequate customer support from key management vendors.

Take Aways

  • Understand the customer support organization of your key management vendor. Does the vendor demonstrate a strong investment in customer support? Is there adequate management of the customer support team? 
  • Review the Service Level Agreement (SLA) provided by your key management vendor. Be sure you understand the expected response times provided by the vendor customer support team. 
  • How do other organizations experience customer support from your key management vendor? Be sure to talk to reference accounts who use the key management product and who have interact- ed with the vendor’s customer support team.
New Call-to-action

Topics: Encryption, Key Management, cloud

Data Protection in the Cloud & PCI DSS - Logs and Log Monitoring (Part 3)

Posted by Patrick Townsend on Mar 18, 2015 9:16:00 AM

This is the third part in our series looking at recent announcements by Amazon, Microsoft and other cloud service providers regarding new encryption and key management services. Let’s talk about log collection and active monitoring as a security best practice, and as a requirement to meet PCI DSS security requirements. Since the PCI DSS guidelines implement common security best practices, they are a good starting point for evaluating the security of any application and platform that processes sensitive data. Following the practice of the first part of this series we will use the PCI document “PCI DSS Cloud Computing Guidelines, Version 2.0” as our reference point, and add in some other sources of security best practices. Even if you don’t have to meet PCI data security requirements, this should be helpful when evaluating your security posture in the cloud.

Download Whitepaper on PCI Data Security

Collecting system logs and actively monitoring them is a core component of every cyber security recommendation. Cybercriminals often gain access to IT systems and go undetected for weeks or months. This gives them the ability to work on compromising systems and stealing data over time. Active monitoring is important in the attempt to detect and thwart this compromise.

Here is what PCI says about active monitoring in Section 10 of the PCI DSS (emphasis added):

Review logs and security events for all system components to identify anomalies or suspicious activity.

Many breaches occur over days or months before being detected. Checking logs daily minimizes the amount of time and exposure of a potential breach. Regular log reviews by personnel or automated means can identify and proactively address unauthorized access to the cardholder data environment. The log review process does not have to be manual. The use of log harvesting, parsing, and alerting tools can help facilitate the process by identifying log events that need to be reviewed.

In recognition of the importance of ongoing, active monitoring the National Institute of Standards and Technology (NIST) provides this guidance in their Special Publication 800-137 “Information Security Continuous Monitoring (ISCM)” guidance:

The Risk Management Framework (RMF) developed by NIST, describes a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. Ongoing monitoring is a critical part of that risk management process. In addition, an organization’s overall security architecture and accompanying security program are monitored to ensure that organization-wide operations remain within an acceptable level of risk, despite any changes that occur. Timely, relevant, and accurate information is vital, particularly when resources are limited and agencies must prioritize their efforts.

And active monitoring is a component of the SANS Top 20 security recommendations:

Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

Deficiencies in security logging and analysis allow attackers to hide their location, malicious software, and activities on victim machines. Even if the victims know that their systems have been compromised, without protected and complete logging records they are blind to the details of the attack and to subsequent actions taken by the attackers. Without solid audit logs, an attack may go unnoticed indefinitely and the particular damages done may be irreversible.

Because of poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target organization knowing, even though the evidence of the attack has been recorded in unexamined log files.

Deploy a SIEM (Security Incident and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis.

This is why actively collecting and monitoring system and application logs is critical for your security strategy.

Implementing this critical security control in a cloud environment presents some special challenges. Here is what the PCI cloud guidance says:

Additionally, the ability to maintain an accurate and complete audit trail may require logs from all levels of the infrastructure, requiring involvement from both the CSP and the client. For example, the CSP could manage system-level, operating-system, and hypervisor logs, while the client configures logging for their own VMs and applications. In this scenario, the ability to associate various log files into meaningful events would require correlation of client-controlled logs and those controlled by the CSP.

It is not enough to collect logs from a few selected points in your cloud application environment. You need to collect all of the logs from all of the components that you deploy and use in your cloud application. This is because the effectiveness of active monitoring depends on the correlation of events across your entire application, database, and network and this includes the cloud providers systems and infrastructure. Here is what ISACA says about security event correlation:

Correlation of event data is critical to uncover security breaches because security incidents are made up of a series of events that occur at various touch points throughout a network--a many-to-one process. Unlike network management, which typically is exception-based or a one-to-one process, security management is far more complex. An attack typically touches a network at multiple points and leaves marks or breadcrumbs at each. By finding and following that breadcrumb trail, a security analyst can detect and hopefully prevent the attack.

Your encryption key management system is one of those critical system components that must be monitored and whose events should be aggregated into a unified view. Key management logs would include encryption key establishment and configuration, encryption key access and use, and operating system logs of every component of the key management service. You should be able to collect and monitor logs from all parts of your applications and cloud platform.

Unfortunately, current key management services from cloud providers only provide a very limited level of access to critical component logs. You might have access to a limited audit trail of your own access to encryption keys, but no access to the key service system logs, HSM access logs, HSM audit logs, or HSM operating system logs. Without access to the logs in these components it is not possible for you to implement an effective log collection and active monitoring strategy. You are working in the dark, and without full access to all logs on all components of your cloud key management service you can’t comply with security best practices for log collection, correlation, and active monitoring.

Since key management systems are always in scope for PCI audit and are extensions of your application environment it is difficult to see how these new cloud key management services can meet PCI DSS requirements for log collection and monitoring as currently implemented.

Does this mean you can’t implement security best practices for key management in the cloud? I don’t think so. There are multiple vendors, including us (see below), who offer cloud key management solutions that provide full access to key management, configuration, key usage, application, and operating system logs.  You can deploy a key management service that fully supports security best practices for log collection and monitoring.

In part 4 of this series we’ll look at the topic of key custody and multi-tenancy and how it affects the security of your key management solution in the cloud.



Alliance Key Manager for AWS

Alliance Key Manager for Azure

Alliance Key Manager for VMware and vCloud

Alliance Key Manager for Drupal


download the Whitepaper: Meet the Challenges of PCI Compliance

Topics: PCI DSS, Amazon Web Services (AWS), logging, cloud, Microsoft Azure

Data Protection in the Cloud & PCI DSS - Segmentation (Part 2)

Posted by Patrick Townsend on Mar 9, 2015 2:53:00 PM

This is the second part in our series looking at recent announcements by Amazon, Microsoft and others regarding new encryption and key management services. Let’s talk about the concept of segmentation as a security best practice, and as a strong recommendation by PCI DSS security standards. Since the PCI DSS guidelines implement common security best practices they are a good jumping off point for evaluating the security of any application and platform. Following the practice of the first part of this series we will use the PCI document “PCI DSS Cloud Computing Guidelines, Version 2.0” as our reference point. Even if you don’t have to meet PCI data security requirements, this should be helpful when evaluating your security posture in the cloud.

Download Whitepaper on PCI Data Security

Segmentation as a security concept is very simple and very fundamental. Better security can be achieved by not mixing trusted and untrusted applications, data, and networks. This concept of trusted and untrusted applications extends to the value of the data assets – when applications process highly sensitive and valuable data assets they need to be separated into trusted and secure environments. We expend more effort and resources to protect what is valuable from criminals. Conversely, when there are no valuable data assets in an environment there is no need to take the same level of effort to secure them.

This is the core reason that PCI DSS recommends segmentation of applications that process payments from non-payment applications. Here is what PCI says about non-cloud applications:

Outside of a cloud environment, individual client environments would normally be physically, organizationally, and administratively separate from each other.

So, how do the PCI DSS security requirements relate to cloud platforms? Here is what PCI says (emphasis added):

Segmentation on a cloud-computing infrastructure must provide an equivalent level of isolation as that achievable through physical network separation. Mechanisms to ensure appropriate isolation may be required at the network, operating system, and application layers; and most importantly, there should be guaranteed isolation of data that is stored.

Proper segmentation is difficult to achieve even when you have complete control over all aspects of your environment. When you add the inherently shared and multi-tenant architecture of cloud platforms this becomes a high hurdle to get over. Here is what PCI says about this challenge:

Client environments must be isolated from each other such that they can be considered separately managed entities with no connectivity between them. Any systems or components shared by the client environments, including the hypervisor and underlying systems, must not provide an access path between environments. Any shared infrastructure used to house an in-scope client environment would be in scope for that client’s PCI DSS assessment.

This brings us exactly to the concern about new cloud key management services in Azure and AWS. These new services are inherently multi-tenant in both the key management services down to the hardware security modules (HSMs) that provide the ultimate security for encryption keys. You have no idea who you are sharing the service with.

The PCI guidance tells us what this segmentation looks like in a cloud environment:

A segmented cloud environment exists when the CSP enforces isolation between client environments. Examples of how segmentation may be provided in shared cloud environments include, but are not limited to: 

  • Traditional Application Service Provider (ASP) model, where physically separate servers are provided for each client’s cardholder data environment.
  • Virtualized servers that are individually dedicated to a particular client, including any virtualized disks such as SAN, NAS or virtual database servers.
  • Environments where clients run their applications in separate logical partitions using separate database management system images and do not share disk storage or other resources.

There is no cloud service provider implementation of key management services that meet these basic requirements.

The PCI DSS guidance takes a pretty strong view about inadequate segmentation in cloud environments:

If adequate segmentation is not in place or cannot be verified, the entire cloud environment would be in-scope for any one client’s assessment. Examples of “non-segmented” cloud environments include but are not limited to:

  • Environments where organizations use the same application image on the same server and are only separated by the access control system of the operating system or the application.
  • Environments where organizations use different images of an application on the same server and are only separated by the access control system of the operating system or the application.
  • Environments where organizations’ data is stored in the same instance of the database management system’s data store.

Since key management systems are always in scope for PCI audit and are extensions of your application environment and depend entirely on the access control system of the cloud provider, it is difficult to see how these new cloud key management services can meet PCI DSS requirements as currently implemented.

Here’s the last comment by PCI on segmentation in cloud environments:

Without adequate segmentation, all clients of the shared infrastructure, as well as the CSP, would need to be verified as being PCI DSS compliant in order for any one client to be assured of the compliance of the environment. This will likely make compliance validation unachievable for the CSP or any of their clients.

Does this mean you can’t implement security best practices for key management in the cloud? I don’t think so. There are multiple vendors including us (see below) who offer cloud key management solutions that we believe can be effectively isolated and segmented on cloud platforms, or even hosted outside of the cloud.

In our part 3 of this series we’ll look at the topic of logging and active monitoring and how it affects the security of your key management solution in the cloud.



Alliance Key Manager for AWS

Alliance Key Manager for Azure

Alliance Key Manager for VMware and vCloud

Alliance Key Manager for Drupal

Alliance Key Manager for IBM Power Systems

Alliance Key Manager Cloud HSM

download the Whitepaper: Meet the Challenges of PCI Compliance


Topics: PCI DSS, Encryption Key Management, cloud

Three Features That Enable Easier Encryption & Key Management

Posted by Liz Townsend on Mar 20, 2014 2:39:00 PM

In light of the recent, massive Target data breach, and the fact that Target had passed a PCI DSS audit yet lacked proper security controls, many organizations are searching for stronger data security. Using encryption to protect sensitive data should be considered a top priority for organizations that want to protect themselves from a potential data breach. Strong, defensible encryption used in conjunction with strong key management and a system logging solution can enable a business to catch a breach in real time when it happens, and know that any sensitive data that has been accessed is undecipherable by the attacker. Even with sophisticated and expensive malware detection software, the only way to secure the breach and avoid breach notification is with encryption and encryption key management.

Click to request the webinar: Encryption & Key Management Everywhere Your Data Is Few organizations are aware of the extreme criticality of encryption and key management, and for the ones that are aware, many still consider encryption a last-effort solution and grapple with its reputation for being difficult and costly. Encryption and encryption key management can be difficult and costly; however, it doesn’t need to be. Different encryption key management vendors offer varying features and applications as well as pricing structures, and finding a solution that can integrate easily into your IT infrastructure is an achievable task. The key is to look for specific features that increase ease of use while decreasing costs.

  1. Easy to use client side applications - A security expert and developer once said to me, “People say a lot of things aren’t ‘rocket science,’ but encryption key management is like ‘rocket science’. This is why businesses very rarely develop their own encryption and key management solutions internally. How easy an encryption key management vendor makes their solution to use is a major factor of a purchasing decision. If encryption is going to become as widely used as it needs to be, the client-side applications that manage encryption keys must be usable and intuitive to the average security administrator.
  2. Scalable pricing structure - Scalability results in affordability. Not every company can invest in millions of dollars of malware detection and security consultants, and we’ve found out that the companies who can afford those services still have data breaches. Data breaches don’t discriminate, which is why encryption and key management solutions must be affordable for organizations, regardless of size. Five years ago, the only encryption key management solutions available were very expensive hardware solutions. Many vendors charge extra fees per network connection, which is neither an easy or scalable solution for companies that are growing. These hardware security modules (HSMs) are still widely used and preferred by businesses with a low tolerance for security risk, but many are turning to newer cloud solutions that offer the same certified technology with a lower price tag.
  3. Cloud compatibility - Moving applications and data centers to the cloud is a natural step for organizations attempting to consolidate their IT infrastructures and lower operational costs. Security, however, remains the number one concerned for the cloud--a multi-tenant environment that shares resources with other users. Encryption and key management is essential to protecting any sensitive data processed or stored cloud applications or databases, and cloud-based or hosted solutions are readily available. Just remember that your key management solution must be FIPS 140-2 compliant and not share services with other users in order to be compliant with most data security regulations.

Encryption and encryption key management are essential, proactive technologies that help organizations remain intact in the event of a data breach. Look for these three features in a certified solution to protect yourself and your customers.

Townsend Security’s FIPS 140-2 compliant “one-click” ready-to-use key management solutions enable cloud users to easily protect their data in the cloud or data center at an affordable price. Learn more by viewing the webinar, “Encryption & Key Management Everywhere Your Data Is,” featuring data security expert Patrick Townsend.

Request the webinar: Encryption & Key Management Everywhere Your Data Is

Topics: Encryption, Encryption Key Management, cloud, Cloud Security

Encryption & Key Management Everywhere You Need It

Posted by Michelle Larson on Mar 11, 2014 3:07:00 PM

Wherever your sensitive data resides - client side applications, secure data centers, or in the cloud - Encrypt it!

Click to request the webinar: Encryption & Key Management Everywhere Your Data Is “Sensitive data” is not just credit card numbers and expiration dates anymore.  Because of recent data breaches, we know that loyalty information like names, e-mail, physical addresses, phone numbers; personal data like birthdate, social security number... so much information today... now constitutes what we call personally identifiable information (PII) and must be properly protected with encryption no matter it is stored.

When it comes to protecting data, look to well-defined industry standards for an encryption algorithm that is reviewed and vetted by cryptographers around the world. Advanced Encryption Standard or AES is the most commonly used encryption algorithm to protect sensitive data. Validated by the National Institute of Standards and Technology (NIST), this standard is referenced in a wide variety of compliance regulations either as a requirement or as a recommendation. However, the AES algorithm is not the secret that we have to defend. Think of encryption as the lock that you put on your front door, and the encryption key is your house key. You don’t tape your house key right next to the lock when you leave in the morning, you take it with you and you protect it from loss or theft. Your unique encryption key is THE secret that you must protect, which can be accomplished using a secure, certified key management solution. Getting encryption key management right is in fact the biggest challenge customers and organizations run into when they start their encryption projects.

When you look at what it takes to properly protect sensitive data with encryption, you immediately find standards (NIST) & best practices for key management, and industry compliance regulations (PCI DSS, HIPAA/HITECH, FFIEC, and state privacy laws) that require proper key management. They all say the same thing: “Do Not Store the Encryption Key on the Same Server as the Encrypted Data”.

Encryption key management is a well-defined process with standards and best practices around managing encryption keys and a formal definition of the encryption key lifecycle.  

Encryption Key Life Cycle Graphic by Townsend Security
When an encryption key is first generated, or established, it may not be used for some time so it waits in a pre-activation status until it is being actively used.  The key will expire after use or based on a set definition and then will go into escrow after post-activation. After that period, the key is generally destroyed.

One way to destroy data is to destroy the encryption key that's protecting it, because if the key is not recoverable neither is that data. Auditors will want to know if you have a process for managing the encryption key through the entire lifecycle, and this is one of the things that a key management solution does for you in a provable way.  Beyond the encryption key lifecycle, the key management solution provides access controls for users and groups, in-depth audit trails and system logging with the ability to integrate across multiple platforms, and they must implement a mechanism for dual control and separation of duties to really meet compliance regulations as well as defensible security best practices.

It is also very important for an encryption key manager to provide the option of onboard encryption. The core function of the encryption key management solution is to generate, protect, and distribute encryption keys to authenticated users. If you have a web application or a more exposed cloud environment, retrieving an encryption key may seem risky to you in terms of having that key in your operating environment. With an onboard encryption solution you can send your data to the key manager, name a key, and get that data encrypted or decrypted strictly within the confines of that key management solution. Avoiding the risk of losing encryption keys in a more exposed environment is an important component in a compliance strategy.

Even 10 years ago, encryption key management solutions were very expensive specialized hardware devices and very difficult and time consuming projects. Thankfully, encryption and key management is no longer the development or cost headache it once was. Since IT infrastructures have become very complex environments using different technologies and platforms (60% of Microsoft SQL Server customers are also running Oracle someplace in the organization), a key management solution also needs to address these complexities and protect data wherever it may be. There are still hardware security modules (HSMs) and now there are new options for deployment of cloud-based HSMs, virtual appliances, and true cloud instances of encryption and key management.

Hardware Security Module (HSM) is a physical appliance or security device that is protected and tamper evident. Built for high resiliency and redundancy it has hot swappable rated disc drives, dual power supplies, dual network interfaces, and is deployed in your IT data center.

Cloud HSM is a physical appliance hosted in a secure cloud with real-time encryption key and access policy mirroring.  Dedicated HSMs are hosted in geographically dispersed data centers under an ITIL-based control environment and are independently validated for compliance against PCI DSS and SOC frameworks. No access is available to the cloud vendor or any unauthorized user.

Virtual Appliances are the exact same key management solution - the same binary software that runs inside the hardware HSM - available as a VMware instance.

In the Cloud - If you're running on Microsoft Windows Azure or vCloud, the encryption key manager can run as a true cloud instance in a standard cloud or deploy in a virtual private cloud for added data protection for sensitive applications.

Because encryption and key management is so important, we offer all of the options listed above as NIST validated and FIPS 140-2 compliant solutions. We also want to make sure encryption is available everywhere you need it, so at Townsend Security we have a very different philosophy and approach:

  • We think that when you buy an encryption key manager, you should be able to easily deploy the solution, get all your encryption projects done properly, and have very affordable and predictable costs.

  • We understand that we live in a world where budget matters to our customers, so we do not charge client-side fees.  

  • We understand that IT resources are limited and have done a huge amount of work to make our solutions easy with out-of-the-box integrations, simplified deployments, and also provide along with our solution ready-made client-side applications, encryption libraries, source code samples, as well as SDKs for developers who need them to get their projects done very quickly.

To learn more about key management and how to properly encrypt sensitive data anywhere you store it, download our latest webinar featuring data security expert Patrick Townsend:

Request the webinar: Encryption & Key Management Everywhere Your Data Is

Topics: Encryption, HSM, Encryption Key Management, cloud, Virtualized Encryption Key Management, Webinar

Encryption Key Management Options: Hardware, Virtualized, and Cloud… Oh My!

Posted by Michelle Larson on Jan 9, 2014 2:39:00 PM

With encryption and key management now being offered on a variety of hardware, virtualized, and cloud platforms, is it simply just a matter of preference or is one option better for you than another?  

Listen to the Podcast on Key Management Options Companies of all sizes now have options for securely protecting sensitive data using the appropriate security technology for their situation and industry regulations. Being responsible for the safekeeping of sensitive data like credit cards, social security numbers, or e-mail addresses, makes your encryption and key management strategy critically important. Once your sensitive data is encrypted, key managers are the specialized security devices that are designed to safeguard your encryption key (which is the secret that must be protected). Before deciding on how an enterprise should deploy an encryption key manager there are several questions to ask and factors to consider.

What different device options are available to organizations needing an encryption key manager?

Hardware Devices
Today we have many options for key management solutions, including the traditional key management hardware security module (HSM), which is now more cost effective and easy to deploy than it was even five years ago. HSMs are network attached in your data center and accessed when encryption keys are needed. If your company has a physical data center and the infrastructure to support it, an HSM can still be your most secure option.

Cloud-hosted HSM
The cloud-hosted key management HSM functions in much the same way as the traditional security device. However, you do not need to have the infrastructure of a physical data center in order deploy or maintain the cloud-based HSM since it is hosted by the cloud hosting provider.  Be aware of your cloud environment (is it shared or private?), and make sure to choose an option that provides real-time mirroring and redundant backups in geographically diverse locations.

Virtualization Options
Additionally it is now possible to deploy virtualized key management appliances. There is no hardware when you deploy a VMware or Hyper-v or Xen virtualized appliance inside your own virtualization infrastructure. A true cloud-based key management solution like VMware gives you a path to run key management solutions in vCloud either as standard cloud instance or virtual private clouds. Microsoft Azure and Amazon Web Service and other cloud platforms provide a mechanism for deploying virtualized key management appliances too.

What are some factors people need to consider when deciding which key management option is right for their organization?

Risk Tolerance
Risk tolerance is perhaps the main driving force for which of the key management options you might choose. If you're very risk-averse then probably you will want to deploy a hardware security module (HSM) in your own data center.  If you have a moderate level of risk tolerance  you might consider a cloud-based HSM hosted by a cloud vendor with appropriate security technology. A company dealing with small amounts of data might bear some additional risk and use a key management solution to help protect encryption keys in a virtual environment. Cloud or virtual solutions can be much more cost-effective and give enough protection for encryption keys to meet a lower risk tolerance level.

Compliance Regulations
Most compliance regulations give clear guidance on best practices about where encryption key management can and should run. Generally speaking, regulations are based on your industry and what type of sensitive data you store. 

PCI Security Standards Council has issued Cloud Computing Guidelines as well as guidance around virtualization of data protection solutions, so you can be PCI compliant with a cloud-based key management and encryption solution.

Cloud Security Alliance (CSA) has issued good guidance around key management and cloud environments - version 3.

Other regulations are not yet providing concrete guidance,and in some cases it is best to confirm with qualified auditors and assessors to really understand whether or not you can be in compliance and deploy true cloud-based virtualized key management solutions.

Your key management options are also based on where your data is stored. If you don't have a traditional data center, for example if you are using a software as a service (SaaS) solution, you may not have your own IT infrastructure or personnel with which to deploy a traditional encryption key management HSM internally. So the physical and organizational structure will come to bear in terms of the choices that you have around deploying key management.

Budget is always an important factor. As you consider various options, ask about endpoint licensing fees and make sure you have predictable maintenance costs as more databases/applications request key access. Remember to consider the costs of not properly managing sensitive data when doing the security cost benefit analysis.

Whatever option you choose, it is always wise to use key management best practices:

    • Always separate the encryption keys from the protected data
    • Use dual control
    • Practice separation of duties
    • Manage key rotation
    • Look for NIST validations like FIPS 140-2

Please download our most recent podcast on Encryption Key Management Options to hear more about how to meet the challenges of running cloud or virtual applications where implementations are inherently shared, multi-tenant environments!

Listen to the Podcast on Key Management Options

Topics: Alliance Key Manager, HSM, Hosting, Encryption Key Management, cloud, Virtualized Encryption Key Management, Podcast, Alliance Key Manager Cloud HSM, Choosing Solution

Encryption Key Management in the Cloud

Posted by Michelle Larson on Nov 6, 2013 1:15:00 PM

What to look for in a Cloud HSM solution

With the latest advances in encryption technology, organizations are now able to protect sensitive data with encryption key management in the cloud. The lower costs for maintenance and software (on the operational side) makes the cloud an attractive place for companies to move their data centers and for technology companies to deploy their applications. Encryption Key Management in the Cloud However, these multi-tenant cloud environments provide some real challenges in terms of protecting data from exposure and meeting special requirements in terms of security. In traditional IT data center environments you would normally place a hardware security module (HSM) key management device directly into your rack. However, traditional encryption key management systems don’t function well in cloud environments, and often companies moving to the cloud don’t have a traditional IT infrastructure. This creates new issues and challenges for administrators to provide the level of security for encryption keys needed to protect data and meet compliance regulations. When considering the move of your data to the cloud, think about whether or not you will have:


When it comes to encryption key management, only you should have access to encryption keys that protect your data. When you consider a Cloud HSM, be sure to ask if the cloud provider will have access to the HSM and your keys. The answer may surprise you! Because the encryption keys are the “secret” that protects your sensitive information, no one else should have access to your data encryption keys or to the systems that protect those keys. This is the same rule that applies in a traditional IT infrastructure and needs to be followed when you deploy data protection in a cloud environment. Not only is it a compliance requirement to protect encryption keys, but using a secure HSM is a security best practice.


HSMs are a vital part of any data protection strategy. Encryption key managers that serve for protecting data in the cloud need to be fully under your control. To make sure that you have proper controls, your key management solution should be:

  • Segmented from your cloud data
  • Independent of your cloud vendor
  • Able to meet the highest level of security requirements
  • Designed to follow encryption key management system best practices


With an encryption key management and HSM solution that's protecting data in the cloud it matters where your key managers are located. If you're deploying a solution that is proprietary to your cloud vendor, your keys are locked into that cloud vendor and if you move your data, you can’t access or move your encryption keys. You also want to make sure your cloud vendor has no administrative access to that key manager. Fundamental things to think about when you deploy a key management solution:

  • Are you a locked into that cloud platform?
  • Do you have full and exclusive control of your keys?

Compliance regulations are very explicit about protecting sensitive data with proper encryption key management, and recommend good key management practices as a core principle. When you move to the cloud, you don’t automatically have that level of security for your data.  To meet PCI-DSS requirements for protecting credit card information you should really look at the PCI-Data Security Council - Cloud Computing Guidelines as well as their guidance around virtualization since cloud environments are virtualized environments.

Excerpt from PCI-DSS Cloud Computing Guidelines - Executive Summary:

“Cloud computing is a form of distributed computing that is yet to be standardized. There are a number of factors to be considered when migrating to cloud services, and organizations need to clearly understand their needs before they can determine if and how they will be met by a particular solution or provider. As cloud computing is still an evolving technology, evaluations of risks and benefits may change as the technology becomes more established and its implications become better understood.

It’s important to note that all cloud services are not created equal. Clear policies and procedures should be agreed between client and cloud provider for all security requirements, and responsibilities for operation, management and reporting should be clearly defined and understood for each requirement.”

It is also important to look at the Cloud Security Alliance recommendations for cloud security - version 3. Whether you are a cloud vendor or a cloud user, the CSA provides very practical and straightforward guidance on security in the cloud environment. In order to properly secure and protect vital information, you need to understand the security posture of your cloud provider. Don't be satisfied with general statements about security, look for external audits and regular expressions of compliance reviews so you know for sure that you're truly covered. Be sure your encryption keys are in geographically dispersed data centers under an ITIL-based control environment independently validated for compliance against PCI DSS and SOC frameworks to properly manage risk.

Please download our latest Podcast “Encryption Key Management in the Cloud” which covers these topics in greater depth and also talks about how organizations deal with High Accessibility (HA) and Disaster Recovery when their HSM is in the cloud. The podcast will also cover our new Alliance Key Manager Cloud HSM solution that lets you protect data in Amazon Web Services, in Microsoft Azure, Rack-Space, or any cloud environment where you deploy data.

Encryption Key Management in the Cloud

Have questions or concerns about data security in the cloud?  Please leave a comment here and we will get right back to you!

Topics: Encryption Key Management, cloud, Virtualized Encryption Key Management, Podcast, Alliance Key Manager Cloud HSM

Encryption Key Management HSMs in the Cloud

Posted by Patrick Townsend on Oct 14, 2013 8:53:00 AM

It’s truly fascinating to watch one of the great technology paradigm shifts, isn’t it? We now take for granted that the applications we use run in the cloud and organizations are moving applications to the cloud as quickly as possible. It’s an amazing transformation of how technology is delivered to consumers and organizations of all types.

Resource Kit: Key Management in the Cloud In this midst of this transformation and migration to the cloud, one issue remains at the top of everyone’s mind: Security.

Protecting sensitive data in the cloud has all of the same challenges as protecting data in on-premise IT infrastructure, and some new challenges as well. For example, when you use encryption to protect your data assets, security best practices say that you should use encryption key management hardware security modules (HSMs) to protect encryption keys. But where does this critical security device reside when your applications live in the cloud?

Our new Alliance Key Manager Cloud HSM solution is designed to answer this question. Starting today, we now offer our FIPS 140-2 compliant encryption key management HSM in the cloud. Cloud application vendors and cloud users can now get the best encryption key management without having to deploy HSMs in their own data center.

Here are a few highlights of our new offering:

  • Alliance Key Manager HSMs in a secure cloud platform
  • PCI-DSS and SOC validated secure physical infrastructure
  • Only you have access to your key managers - no cloud provider access or administration is allowed
  • Production and HA key servers always included
  • Real-time key server mirroring with geographic, network, and power redundancy
  • Server monitoring and notification included with the license
  • Client-side encryption applications at no additional charge. Quickly and easily protect SQL Server, Oracle, MySQL and other databases.
  • Cloud provider independence - you control your cloud provider choices
  • Affordable options for perpetual and subscription licensing
  • No set up fees through December 31, 2013!

I am proud of our leadership in encryption key management for enterprises large and small. This is the first cloud HSM offering that gives you exclusive control over your key management strategy and independence from your cloud provider.

Here at Townsend Security we are dedicated to making the best possible data protection easy-to-use and affordable for every size organization. If you thought that good encryption key management was out of reach, let us show you a new way forward. Evaluations are fast, easy, and free.


Key Management in the Cloud Resource Kit

Topics: Alliance Key Manager, Encryption Key Management, cloud

Protecting Your Data in the Microsoft Windows Azure Cloud

Posted by Patrick Townsend on Mar 22, 2013 9:31:00 AM

I’m often asked if we can protect sensitive data in the Microsoft Windows Azure cloud. The answer is YES, and I’ll try to summarize our support on the different flavors of Windows Azure here:

First, Windows Azure has both a Platform-as-a-Service offering (PaaS) to run applications and store data in SQL Azure, and an Infrastructure-as-a-Service (IaaS) offering that allows you to run full Virtual Machines. Our data protection solutions run in all versions of Windows Azure – anywhere you run applications in Azure, we provide encryption and key management solutions to protect your data.

Windows Azure Platform-as-a-Service:

In this environment we provide .NET libraries that perform encryption key retrieval from our Alliance Key Manager, a FIPS 140-2 certified key management HSM. Any data store you choose for your sensitive data is supported by our client libraries and include SQL Azure. Our .NET software libraries are add-ins to your Visual Studio project and let you seamlessly retrieve encryption keys from the HSM. 

Windows Azure Infrastructure-as-a-Service: 

In this environment we provide a broad set of data protection solutions for both Microsoft and non-Microsoft operating systems and applications. These include the following:

Microsoft SQL Server Extensible Key Management (EKM)

The Townsend Security EKM Provider software fully supports SQL Server Transparent Data Encryption (TDE) and Cell Level Encryption integrated with Townsend Security's Alliance Key Manager key server, a FIPS 140-2 certified HSM. Because no code or database application changes are required, TDE encryption is the fastest path to compliant data protection.

Microsoft SQL Server Standard and Web Editions

Many Microsoft customers use SQL Server Standard or Web editions in the Azure cloud. These editions of SQL Server do not support EKM and TDE. For these versions of SQL Server Townsend provides .NET software libraries to implement automatic column level encryption using SQL Views and Triggers.

Microsoft SharePoint

Microsoft SharePoint provides a user-friendly collaboration platform for sharing documents, spreadsheets, and other files. When you need to protect sensitive information in SharePoint documents, Townsend provides TDE encryption of the SharePoint database, and full encryption for files stored in Remote Blob Storage (RBS). All document information and document files are encrypted with 256-bit AES encryption using the Alliance Key Server HSM. ** 

Microsoft Dynamics CRM, GP, AX, etc.

Microsoft customers using the popular Dynamics applications need to protect customer and employee information stored in these applications. Townsend Security's SQL Server TDE software provides full application data encryption and integrates with their Alliance Key Manager HSM. 

.NET applications

Many Microsoft users create custom applications using a variety of Microsoft technologies. For customers developing applications in any .NET language such as C#, VBNET, and so forth, Townsend provides .NET software libraries to perform encryption key retrieval and encryption. These libraries support the protection of unstructured data and purpose-built applications that need encryption support.

Non-Microsoft databases, languages, and operating systems

Townsend supports a wide variety of non-Microsoft databases, languages and operating systems in Windows Azure. You can use Oracle Database, MySQL, and other commercial and open source databases on Azure. Townsend provides appropriate client-side libraries to help you protect data. Townsend also provides a rich set of language libraries to help you achieve your data protection goals. Language support includes Java, Perl, PHP, Python, C/C++, and others. And these work in other operating systems supported by Windows Azure such as Linux.

At this point I hope you are getting the idea that we can help you with any of your data protection needs in the Microsoft Azure cloud. With key management solutions on hardware HSMs, hosted facilities, and VMware platforms, I think we’ve got your back when it comes to Azure data protection. 



** RBS encryption available in late 2013.

Topics: Encryption Key Management, cloud, Microsoft Windows Azure

How to Prevent a Data Breach in the Cloud

Posted by Liz Townsend on Mar 4, 2013 11:27:00 AM

Video: Encryption Key Management for the Cloud

encryption key management cloud

Click Here to View Now

When it comes to data security, the question every single CEO and CISO should be asking her or himself is, "how do I prevent a data breach from happening to me?"

I recently sat down with data security expert Patrick Townsend, founder and CEO of Townsend Security to discuss the challenges around protecting sensitive data in the cloud and the most common methods of how people are protecting data in the cloud today.

Watch the video of that discussion here.

We live in a word today where data breaches are no longer a matter of "if" but "when." It is almost certain that some unauthorized person will at some point access your company's sensitive data, either by mistake, or with malicious intent to commit fraud. Whether it's by accident or intentional, unauthorized access of unencrypted sensitive data is usually grounds for data breach notification.

With so many companies moving their data storage to the cloud, preventing a data breach or unauthorized access to sensitive data becomes even trickier. Across the board, the number one concern people have with the cloud is data security. Because the cloud is fundamentally a shared environment in a location most users don't typically have physical access to, people are right to wonder, "Am I inadvertently sharing data with other people, and I don't know it?"

The truth is, in the cloud it's really hard to tell who you may inadvertently be sharing data with. That's why in order to prevent a data breach and avoid data breach notification it's critical to encrypt your sensitive data in the cloud, and you must use key management best practices. In fact, the concepts of protecting data in the cloud are fundamentally the same as protecting data outside of the cloud. You must (in review):

1. Encrypt the data
2. Use key management best practices to protect encryption keys

Using key management best practices for data in the cloud is fundamental, especially if you need to pass compliance regulations such as PCI-DSS, FFIEC, or FISMA.

As you'll learn in the video, there are really three ways to protect keys for encrypted data in the cloud:

1. Store the keys "in-house"
2. Store the keys in a hosted environment
3. Store the keys in the cloud

All three methods have their own advantages. But there are also ways with each method  to incorrectly protect encryption keys. In the end, it's essential that you use key management best practices, and often times the easiest way to make sure you're doing that is by using an third party vendor with expert knowledge of key management best practices for the cloud.

Check out "Encryption Key Management for the Cloud" where Patrick Townsend discusses the challenges and solutions for protecting encryption keys.

Topics: Data Privacy, Encryption Key Management, cloud