As we discussed in the webinar and latest blog on Encryption & Key Management Everywhere You Need It, sensitive data needs to be protected wherever it resides!  

Proper encryption & key management can help you meet compliance requirements, and improve your data security posture across multiple platforms or environments. After the webinar, we had a number of questions asked by attendees and answered by security expert Patrick Townsend. Here is a recap of that Q&A session:

Q: Is there any limit to the number of servers that I can hook up to your encryption key manager?

Patrick: There are no restrictions, and no license constraints on our encryption & key management solution. We don't meter or count the number of client-side platforms that connect to our Alliance Key Manager, so you can hook up as many client side applications, servers, and processors as you need to. This is one of the things I think is different about how we approach encryption and key management with our customers. We also know the applications you are running today may not be the applications you need to be running tomorrow and we really want you to deploy encryption to all your sensitive data and scale up when & where you need it.

Q: With the various platforms that I can deploy an encryption key manager in, how do I know which one is right for me?

Patrick: There are several factors that will come in to play when deciding where you deploy your key management:

Compliance regulations that you need to meet can be a factor in whether you deploy an Hardware Security Module (HSM) or a cloud HSM or a virtualized instance. If you are working with an auditor or going through a QSA audit, you'll want to have a conversation with them to understand their expectation from a compliance point of view around where you deploy your encryption key manager.

Risk tolerance will also come into play. You may have a security group within your organization with strong feelings about how to deploy encryption key management and how to mitigate risk. If you have large amounts of sensitive data to protect you might decide to deploy an HSM in your secure data center. If you're dealing with a very small amount of data and you do not process credit cards or personally identifiable information, your risk assessment may indicate a cloud deployment.

Budget is certainly always a factor to consider. It is important to consider the cost benefits of security however, we all understand that leaving our data in the clear is no longer an option. It is a matter of understanding your industry regulations and risk assessment, then deciding what encryption and key management to deploy.

While they are generally the most secure solution, Hardware Security Modules (HSMs) can be more expensive than a virtual environment, dedicated cloud instance, or virtual private cloud. Once you look at all the factors that affect your company, we will be there with the right solution that will work for your needs.

Q: Does Townsend Security provide guidance on how to get the best performance with my operating environment?

Patrick: Because every enterprise operational environment is different, we provide guidance around performance with our encryption key management solution. With every one of our solutions we offer complimentary 30-day product evaluations and encourage our customers to do proof of concepts with their applications. We are serious about making this process simple, and our customers can download the actual instance in evaluation mode, run it with their applications, test the actual solution, and truly evaluate performance in their specific environment. Performance metrics will be moderated by a number of factors within your specialized environment, your network, and your processing platform.

Q: I have data that needs to be encrypted in a cloud other than Amazon or Windows Azure, can your product help me with this?

Patrick: Yes, we can. First of all, following best practices, you want to keep your encryption keys separate from the data they are protecting. You may have data in a cloud platform, but choose to run your encryption key management solution in a different location or a virtual private cloud. Let’s say you want to run the key manager in a dedicated cloud HSM or even in your data center. Most top-tier cloud vendors truly support multiple environments for running key management, and we find that our solutions work well for customers who are running in the cloud.  We suggest you contact us and have a conversation about options and we can provide guidance about how to deploy a secure solution.

Q: How is Alliance Key Manager Priced?

Patrick:  We have a wide set of options for our customers, and are dedicated to helping find affordable solutions. We have perpetual license or subscription options for classic HSMs, Cloud HSM, and virtualized environments. Our cloud offerings are true usage-based subscriptions, so if you're used to deploying in Amazon Web Services or Windows Azure, our encryption & key management solutions will fit that same strategy for pricing.  

We really believe that the encryption should go everywhere you need it to go! Your key management should work across a wide set of application environments, and it must be affordable, so that we can all get where we need to be in terms of protecting sensitive data. Regardless of where your data is or what platform you are using, there's a solution that can work for you!

View the complete webinar - Encryption & Key Management Everywhere - to learn about:

• Deploying encryption and key management with an HSM, cloud HSM, virtual appliance or in the cloud
• How protecting data  properly is now easier and more affordable than ever
• Factors to consider when deciding which option is right for your organization
• What compliance regulations (PCI DSS etc.) say about the different options
• Challenges for applications running in the cloud or virtual environments

If you have further questions, please list them here in the comment section and we will be sure to get you an answer!

Wherever your sensitive data resides - client side applications, secure data centers, or in the cloud - Encrypt it!

“Sensitive data” is not just credit card numbers and expiration dates anymore.  Because of recent data breaches, we know that loyalty information like names, e-mail, physical addresses, phone numbers; personal data like birthdate, social security number... so much information today... now constitutes what we call personally identifiable information (PII) and must be properly protected with encryption no matter it is stored.

When it comes to protecting data, look to well-defined industry standards for an encryption algorithm that is reviewed and vetted by cryptographers around the world. Advanced Encryption Standard or AES is the most commonly used encryption algorithm to protect sensitive data. Validated by the National Institute of Standards and Technology (NIST), this standard is referenced in a wide variety of compliance regulations either as a requirement or as a recommendation. However, the AES algorithm is not the secret that we have to defend. Think of encryption as the lock that you put on your front door, and the encryption key is your house key. You don’t tape your house key right next to the lock when you leave in the morning, you take it with you and you protect it from loss or theft. Your unique encryption key is THE secret that you must protect, which can be accomplished using a secure, certified key management solution. Getting encryption key management right is in fact the biggest challenge customers and organizations run into when they start their encryption projects.

When you look at what it takes to properly protect sensitive data with encryption, you immediately find standards (NIST) & best practices for key management, and industry compliance regulations (PCI DSS, HIPAA/HITECH, FFIEC, and state privacy laws) that require proper key management. They all say the same thing: “Do Not Store the Encryption Key on the Same Server as the Encrypted Data”.

Encryption key management is a well-defined process with standards and best practices around managing encryption keys and a formal definition of the encryption key lifecycle.  

When an encryption key is first generated, or established, it may not be used for some time so it waits in a pre-activation status until it is being actively used.  The key will expire after use or based on a set definition and then will go into escrow after post-activation. After that period, the key is generally destroyed.

One way to destroy data is to destroy the encryption key that's protecting it, because if the key is not recoverable neither is that data. Auditors will want to know if you have a process for managing the encryption key through the entire lifecycle, and this is one of the things that a key management solution does for you in a provable way.  Beyond the encryption key lifecycle, the key management solution provides access controls for users and groups, in-depth audit trails and system logging with the ability to integrate across multiple platforms, and they must implement a mechanism for dual control and separation of duties to really meet compliance regulations as well as defensible security best practices.

It is also very important for an encryption key manager to provide the option of onboard encryption. The core function of the encryption key management solution is to generate, protect, and distribute encryption keys to authenticated users. If you have a web application or a more exposed cloud environment, retrieving an encryption key may seem risky to you in terms of having that key in your operating environment. With an onboard encryption solution you can send your data to the key manager, name a key, and get that data encrypted or decrypted strictly within the confines of that key management solution. Avoiding the risk of losing encryption keys in a more exposed environment is an important component in a compliance strategy.

Even 10 years ago, encryption key management solutions were very expensive specialized hardware devices and very difficult and time consuming projects. Thankfully, encryption and key management is no longer the development or cost headache it once was. Since IT infrastructures have become very complex environments using different technologies and platforms (60% of Microsoft SQL Server customers are also running Oracle someplace in the organization), a key management solution also needs to address these complexities and protect data wherever it may be. There are still hardware security modules (HSMs) and now there are new options for deployment of cloud-based HSMs, virtual appliances, and true cloud instances of encryption and key management.

Hardware Security Module (HSM) is a physical appliance or security device that is protected and tamper evident. Built for high resiliency and redundancy it has hot swappable rated disc drives, dual power supplies, dual network interfaces, and is deployed in your IT data center.

Cloud HSM is a physical appliance hosted in a secure cloud with real-time encryption key and access policy mirroring.  Dedicated HSMs are hosted in geographically dispersed data centers under an ITIL-based control environment and are independently validated for compliance against PCI DSS and SOC frameworks. No access is available to the cloud vendor or any unauthorized user.

Virtual Appliances are the exact same key management solution - the same binary software that runs inside the hardware HSM - available as a VMware instance.

In the Cloud - If you're running on Microsoft Windows Azure or vCloud, the encryption key manager can run as a true cloud instance in a standard cloud or deploy in a virtual private cloud for added data protection for sensitive applications.

Because encryption and key management is so important, we offer all of the options listed above as NIST validated and FIPS 140-2 compliant solutions. We also want to make sure encryption is available everywhere you need it, so at Townsend Security we have a very different philosophy and approach:

• We think that when you buy an encryption key manager, you should be able to easily deploy the solution, get all your encryption projects done properly, and have very affordable and predictable costs.

• We understand that we live in a world where budget matters to our customers, so we do not charge client-side fees.  

• We understand that IT resources are limited and have done a huge amount of work to make our solutions easy with out-of-the-box integrations, simplified deployments, and also provide along with our solution ready-made client-side applications, encryption libraries, source code samples, as well as SDKs for developers who need them to get their projects done very quickly.

To learn more about key management and how to properly encrypt sensitive data anywhere you store it, download our latest webinar featuring data security expert Patrick Townsend:

One of the big fears that companies have as they deploy encryption of sensitive data is that they might lose their encryption key and never be able to decrypt and recover their data. Having spent some of my career in IT management I certainly understand where this comes from. There is nothing like a corrupted backup to turn a good day into a bad one. The same is true if you lose your encryption key.

So how do we help make sure that our Alliance Key Manager solution running in Windows Azure protects you from this potential problem? Let’s look at all of the things we do in our key management solution, and the things you can do in Windows Azure:

Backup / Restore
The first line of defense is always to have a backup of your encryption keys and key access policies. Alliance Key Manager provides you with an option to securely back up your encryption keys, security policies, and server settings and to move this backup out of Windows Azure to your own secure storage. You can do a manual backup at any time, and you can automate the backups on a schedule that you define. You can even automate the transfer of the backups to an external FTP server using secure, encrypted transfer methods. Don’t have an FTP server to receive your backups? Don’t worry, we can provide you with one in our secure cloud facility.

Key and Policy Mirroring
The next line of defense is to implement real-time key and security policy mirroring from your primary Alliance Key Manager cloud instance to a failover key manager instance running in Windows Azure or to a key manager running outside of Windows Azure. Alliance Key Manager fully implements key mirroring over a secure, encrypted connection to one or more secondary key servers. The secondary key servers will contain exact copies of the encryption keys and their access policies, and will always be ready in the event your primary key server stops working. Alliance Key Manager supports Active-Active mirroring so that you will always have a full set of your encryption keys available to you even after a failover.

Windows Azure Availability Sets
Do you know about Windows Azure Availability Sets? This is a feature of Windows Azure to help you avoid unplanned outages due to failures of the cloud infrastructure or planned Windows Azure maintenance activities. We encourage our Windows Azure users to take advantage of Availability Sets when deploying a second Alliance Key Manager instance. It provides one more way to get the best reliability for your key management infrastructure in the Windows Azure cloud.

Mirroring Outside the Windows Azure Cloud
Lastly, if you are still worried about losing your encryption keys, you can always mirror the keys to a key manager located outside the Windows Azure cloud. You could mirror your keys to a physical key manager HSM located in your data center or the hosting provider of your choice. Or, you could mirror your encryption keys to a dedicated key manager in our cloud data center (see Alliance Key Manager Cloud HSM). Or, you can mirror your keys to a VMware or Hyper-V instance of Alliance Key Manager in your data center or the hosting provider of your choice.

Alliance Key Manager in Windows Azure goes the distance to help ensure that you never lose an encryption key. You might be losing sleep over your move to the cloud, but you shouldn’t lose sleep over your encryption strategy.

Patrick

On February 19th the University of Maryland disclosed to the public a data breach exposing over 300,000 records of students, faculty, and alumni including names, social security numbers, and dates of birth.

Universities and colleges using their website to communicate with students are aware of the fact that their website is a massive portal for student data. From the moment a potential student applies to a university through its website, up through each time a student submits financial and health information, thousands of personal records are being collected by the website and stored for internal use in databases.

Why is this data not being protected? That’s the big question asked by data security experts and concerned students alike, who are aware of the massive number of data breaches that occur yearly through websites. The information submitted on higher education websites includes nearly everything a hacker or malicious user wants including: home addresses, social security numbers, phone numbers, email addresses, passwords, parent names, credit card, and financial data. Many universities run teaching hospitals, not to mention their own student health services. Protected health information (PHI) entered through patient portals also poses a huge risk if the data isn’t protected.

This information should not only be encrypted to protect students, faculty, and patients alike, but it should be encrypted because the collection of financial data, credit card data, and PHI fall under industry regulations such as HIPAA/HITECH and PCI-DSS which require the encryption of this data.

Here’s the good news: Many college and university websites are built using the common content management system (CMS) Drupal. Drupal is one of the most widely used CMS platforms, and is used by both small start-ups and Fortune 100 enterprises. It is very commonly used for higher education sites. Drupal has a long history with addressing security in its modules, and in fact has even supported an Encrypt module to encrypt sensitive data. Although the Encrypt module made encrypting data easy for Drupal users, it lacked a very important component of successful encryption: encryption key management.

Encryption key management is the foundation of a successful encryption strategy. If the encryption key is stored locally with the encrypted data, then a hacker who gains access to the data can immediately decrypt the data, making the encryption useless. If the key is protected, away from the encrypted data, then the data remains safe, even if accessed by an attacker.

Ok, here’s the actual good news: Stronger encryption and encryption key management is now available for Drupal users. Chris Teitzel and Rick Hawkins, Drupal developers and owners of Cellar Door Media have recently teamed up with Townsend Security to create Key Connection for Drupal--a module that enables NIST-validated AES encryption and FIPS 140-2 compliant key management for data in Drupal.

Key Connection for Drupal offers these important features:

• Encryption anywhere you want it - The Key Connection for Drupal APIs allow developers to encrypt data and protect encryption keys anywhere data is collected in a website from student enrollment applications to student health service portals.
• Onboard encryption - While Drupal developers can still use the encrypt module to encrypt sensitive data, and protect the encryption keys to a cloud or physical key management module, they also have the option to do “onboard” encryption within the key manager using NIST validated AES encryption. This is a critical new feature for business who need to meet PCI-DSS compliance requirements.
• Multiple key management options - Developers can choose from multiple key management options from key management in the cloud to a physical hardware security module (HSM) that they can rack up in their own IT infrastructure. Townsend Security also offers virtual and hosted options.

To learn more about Key Connection for Drupal and how you can encrypt sensitive data in Drupal using NIST validated AES encryption and protection of encryption keys using FIPS 140-2 compliant key management, listen to the podcast featuring the Key Connection for Drupal developers.

Securing Sensitive Data in Drupal made possible through partnerships!

The Drupal content management system may have started-out in a dorm room, but it has become a very successful open source platform that is being adopted at the Enterprise level. Drupal is running everything from small business websites, universities, robust e-commerce environments, Fortune 100 sites, to projects like WhiteHouse.gov! As Drupal developers build out these large-scale installations, the need to keep them secure becomes more apparent due to the volume of information being collected. Sensitive data such as credit card numbers and protected health information (PHI) fall under industry data security regulations such as PCI-DSS and HIPAA/HITECH and must be encrypted. Requirements for protecting information go beyond just credit card numbers & expiration dates, but includes names, email addresses, ZIP codes, usernames, passwords… any stored data that can personally identify an individual.

Drupal developers and users who need to protect sensitive data know that storing encryption keys within the content management system puts data at risk for a breach, yet storing encryption keys locally in either a file protected on the server, in the database, or in the Drupal settings file has been the norm. None of these methods meet data security best practices or compliance regulations such as PCI DSS, HIPAA/HITECH, or state privacy laws.

While additional compliance regulations may apply depending on industry, this is a basic list of good practical guidance around web-based and virtual environments:

• PCI Security Standards Council (PCI SSC) has issued Cloud Computing Guidelines as well as guidance around virtualization of data protection solutions, so you can be PCI compliant with a cloud-based key management and encryption solution.
• The Cloud Security Alliance (CSA) has also issued good guidance around security in cloud environments in version 3 of their documentation (domain 11 applies to encryption and key management).
• National Institute for Standards and Technology (NIST) also has produced a guidance for security in cloud environments(NIST Special Publication 800-144) which provides excellent guidance for people looking to move into cloud platforms and protect data there.

The Drupal community collaborates to develop modules for the platform, sharing knowledge, experience, and creativity. The developers try to avoid duplicate functionality, so the existing Drupal Encrypt module was used as the first step to protecting sensitive data, however the plug-ins for the Encrypt module did not provide secure key retrieval options as the encryption keys were all still found within that same server. Security best practices tell us that personally identifiable information needs to be protected with industry standard AES encryption and that protecting the encryption key away from the data is critical. It became apparent that a key management system that was outside of the Drupal installation was required.

Working together to solve the Drupal data security problem, the security experts at Townsend Security and Drupal developers at Cellar Door Media have released the Key Connection for Drupal solution, which addresses the need for strong encryption and encryption key management within the Drupal framework. Now personally identifiable information collected during e-commerce checkouts and user account that contain names and e-mail addresses can be easily encrypted, and the encryption keys properly managed, by organizations that collect and store that sensitive information.

Drupal developers and Drupal users share a concern about multiple compliance requirements and the liability that goes along with being audited for correctly protecting personally identifiable information. When designing an environment, there is a need to know what methods of encryption you are using, that the encryption key management is implemented correctly, and how secure will the data collection and storage processes be. The Key Connection for Drupal module allows designers to either retrieve a key and encrypt locally, or send the data to Alliance Key Manager (AKM) to perform on board encryption. They have the choice to use the Alliance Key Manager strictly as a key manager, or they can use it as an encryption service as well.

A few benefits of this new Key Connection for Drupal module are:

• Access to remote key retrieval
• NIST compliant on-board encryption
• Encrypting data locally in your database
• Using a built-in function to allow for PCI compliant encryption to be done off the web server

To learn more, I encourage you to listen to this special podcast to hear Chris Teitzel; CEO of Cellar Door Media, Rick Hawkins; owner of Alchemy Web Solutions, and Patrick Townsend; CEO of Townsend Security, talk about encrypting sensitive data in Drupal. They will also discuss how a Drupal site builder or developer gets access to Key Connection for Drupal, the Alliance Key Manager, and what options are available.

The primary concern of cloud customers is the security of their sensitive data. Security remains one of the major barriers to cloud adoption. And that makes sense. Cloud platforms like Microsoft Windows Azure are by their nature shared environments. The computational resources are shared, the network resources are shared, and the responsibility for physical security is ceded to a third party. That would make anyone nervous.

There are also some additional practical issues. Where, for example, do you actually store your encryption keys that protect your data? For customers and software providers who are fully in the cloud, this is a difficult practical question. You just don’t have a convenient place to securely store encryption keys away from the data that they protect.

Until now.

Today we announced the availability of our latest encryption key management solution, Alliance Key Manager for Windows Azure. The same key management solution that we ship in our FIPS 140-2 compliant key management hardware security module (HSM) is now available as a virtual machine in Windows Azure. With a few clicks in the Windows Azure portal you can launch Alliance Key Manager for Windows Azure and start protecting encryption keys the right way.

All of the features that make a hardware HSM desirable - key management and encryption dedicated to you, exclusive administrative access to only you (sorry cloud provider), encryption and key management provably based on industry standards, and high availability now run as your dedicated virtual machine.

Alliance Key Manager for Windows Azure is deployed in just the way you would hope. An affordable, usage based pricing model, and managed through the same Windows Azure facility that you manage all of your other virtual machines. For added security, you can launch your virtual machine in a Windows Azure Virtual Private Cloud (VPC), and you can deploy two VMs in a Windows Azure Availability Set for better redundancy.

As is the case for our hardware key management solutions, our Windows Azure cloud offering supports encryption within the key management virtual machine. This means that you don’t even need to expose the encryption key in your Windows Azure web application. Just send the data to the key management virtual machine and encryption or decryption takes place there.

In conjunction with our launch into the Windows Azure platform, we’ve also added a great new feature we call “Ready-To-Use”. When you start your key management virtual machine for the first time it will automatically install a 30-day evaluation license, generate the certificates you need for authentication, and generate some encryption keys that are unique to you and ready to use with SQL Server, SharePoint, and your Windows .NET applications. You are ready to start encrypting in seconds.

There are many challenges to meeting compliance regulations, and you should be aware of the recommendations of the Cloud Security Alliance and of the PCI Security Standards Council for encryption and key management. You don’t need to compromise with poor key management, or a key management solution that has never seen the daylight of a FIPS 140-2 validation.

Happy cloud computing!

Patrick

Virtual encryption solutions are becoming more and more popular with organizations that are now running their applications and data centers on virtual machines and in the cloud. Although a traditional hardware security module (HSM) for key management may still be the most convenient encryption key management solution for some companies, a virtual encryption key management solution is ideal for companies who are moving to virtual machines and the cloud in order to reduce cost and complexity. Even in virtual and cloud environments, you must protect your sensitive data and manage your encryption keys in order to meet retail, healthcare, and financial regulations such as PCI-DSS, HIPAA/HITECH, and GLBA/FFIEC.

Of course, choosing a virtual key management and cloud-based encryption vendor can be difficult. Heck--encryption key management has a reputation for being difficult in itself. That’s why when choosing a virtual encryption key management solution, it’s important to look for these four differentiating factors:

1. Free 30 day trial any time of the year. Any company who offers a free thirty day trial for only a limited period of time may not be giving you a chance. Sure, installing a virtual encryption key manager is faster and easier than deploying an HSM in your data center, but the backend decision making and evaluation in your company may take at least several weeks, if not months. Look for a virtual solution that you can deploy fast, but without the pressure of a limited trial, and when you’re ready.

2. Client side applications and SDKs. Every company’s IT infrastructure is different. One of the most frustrating aspects of adopting an encryption key management solution can be roadblocks associated with needing specialized solutions or software development kits (SDKs). Today many organizations utilize both a cloud solution as well as physical hardware. Your encryption key management vendor should provide you with resources to make securing these systems easy. Better yet, they should be free.

3. Help you move to any cloud service. The cloud is always growing. With so many different cloud vendors available to you, you’ll want the power to decide which cloud you choose to move to. Your virtual encryption key management vendor should be able to support your move to the cloud whether you decide to move to VMware’s vCloud, Windows Azure, or Amazon Web Services (AWS).

4. World-class, enterprise level encryption key management for businesses of any size. Cost should not be a barrier to security. Choosing a virtual encryption key management solution can be difficult, especially when you’re faced with a tight budget. You should always ask your potential encryption key management vendor about their pricing model--do they price per key manager instance as well as additional costs per connection? Can they scale their solution to meet your company’s needs?

5. Personal attention & world-class service. Bigger isn’t always better. In the complicated world of encryption and encryption key management, you want a vendor who can move fast, pay attention to detail, and be there for you in times of need.

Townsend Security offers NIST FIPS 140-2 compliant virtual encryption key management with the added bonus of specializing in scalable solutions to meet the needs of any size of company. Free 30 day trials have been and will always be available for all of our solutions during any time of the year.

Alliance Key Manager for VMware, vSphere, and vCloud, and Alliance Key Manager for Windows Azure provide full life-cycle management of encryption keys to help organizations meet PCI DSS, HIPAA, and FFIEC compliance in virtual and cloud instances.  With built-in key replication, key retrieval, and administrative controls, Alliance Key Manager virtual machine is a secure, reliable, and affordable key management solution for a wide variety of business applications and databases.  Additionally, Alliance Key Manager supports on-appliance encryption and decryption services so that your encryption key is always kept separate from the data it protects. We provide free client side applications and SDKs to make deployment faster and easier than ever.

Every business is trying to save money and reduce complexity in their IT departments, and many are accomplishing this today by using virtual machines such as VMware and moving to the cloud. With these technologies they can consolidate resources and “rent” space in the cloud to run their applications. However, this can be a dangerous move for businesses with applications and servers that contain sensitive information that must be protected under industry regulations such as PCI-DSS, GLBA/FFIEC, and HIPAA/HITECH. That’s why encrypting this data in virtual environments and in the cloud is critical.

However, businesses need to remember that encryption is only half of the solution. They must securely manage their encryption keys as well. How can they accomplish strong key management in a VMware instance, you ask? With virtual encryption key management, of course. 

Virtual encryption key management is available to VMware users, and will make your decision to move to virtual environments easier than ever. If your concern over data security is preventing you from using a virtual environment, there are 7 reasons why choosing a virtual key manager can help you make that step.

1. Strong and defensible security in the virtual world - Encryption key management is required or strongly recommended by most industry regulations. This is because in today’s cyber environment, just using strong passwords and firewalls to deter hackers is not enough. Encrypting data at it’s source and using strong key management is the only way to prevent data loss and exposure. If a hacker or malicious users gain access to the encrypted data, and the keys are protected, then the data will be “scrambled” and useless to the intruder.

2. Less expensive - Virtual environments were designed to help businesses reduce costs and complexity by allowing them to run multiple operating systems on a single piece of hardware Instead of having to buy a hardware system for each operating system. The cost of virtual key management is also less expensive since it has no hardware components and is installed directly onto the virtual platform.

3. Less complex - Without the burden of hardware, virtual encryption key management is easier to deploy than the traditional hardware security module (HSM).

4. Helps you meet compliance - If meeting compliance regulations is a concern, encryption key management for VMware will get you in line with several compliance requirements such as PCI-DSS and GLBA/FFIEC. You should always use  NIST FIPS 140-2 compliant key management software to ensure your key management meets the highest standards.

5. Data protection where you need it - Every business’ IT environment is different. Even if you are moving to a virtualized environment for most of your applications, you may still want to run some databases and applications with very sensitive data on their own dedicated servers. If you choose to, you can manage your encryption keys for that data using the virtual key manager as well.

6. Virtual HA and failover - With virtual encryption key management you can choose to use virtual machines for your high availability (HA) and/or failover key managers as well. Of course you can always choose the option of using an HSM for these services as well.

7. Prepares you to move to the cloud -  The amazing thing about virtual environments is that once you have your data center running in them, moving them to the cloud is a piece of cake. In fact, VMware supports a direct move from VMware to vCloud. Many businesses with sensitive data opt for a private cloud option which offers a little more peace of mind; however, most cloud providers including public vCloud are acceptable if you are using encryption and strong key management to protect your data in the cloud!

Townsend Security’s Alliance Key Manager for VMware enables enterprises to lower operational costs, meet compliance requirements, deploy encryption key management in the cloud, and accelerate deployment of mission critical security technology through a virtualized encryption key manager. Alliance Key Manager for VMware supports VMware ESX, VMware vSphere (ESXi), and vCloud Townsend Security is a VMware Technology Alliance Partner (TAP).

With encryption and key management now being offered on a variety of hardware, virtualized, and cloud platforms, is it simply just a matter of preference or is one option better for you than another?  

Companies of all sizes now have options for securely protecting sensitive data using the appropriate security technology for their situation and industry regulations. Being responsible for the safekeeping of sensitive data like credit cards, social security numbers, or e-mail addresses, makes your encryption and key management strategy critically important. Once your sensitive data is encrypted, key managers are the specialized security devices that are designed to safeguard your encryption key (which is the secret that must be protected). Before deciding on how an enterprise should deploy an encryption key manager there are several questions to ask and factors to consider.

What different device options are available to organizations needing an encryption key manager?

Hardware Devices
Today we have many options for key management solutions, including the traditional key management hardware security module (HSM), which is now more cost effective and easy to deploy than it was even five years ago. HSMs are network attached in your data center and accessed when encryption keys are needed. If your company has a physical data center and the infrastructure to support it, an HSM can still be your most secure option.

Cloud-hosted HSM
The cloud-hosted key management HSM functions in much the same way as the traditional security device. However, you do not need to have the infrastructure of a physical data center in order deploy or maintain the cloud-based HSM since it is hosted by the cloud hosting provider.  Be aware of your cloud environment (is it shared or private?), and make sure to choose an option that provides real-time mirroring and redundant backups in geographically diverse locations.

Virtualization Options
Additionally it is now possible to deploy virtualized key management appliances. There is no hardware when you deploy a VMware or Hyper-v or Xen virtualized appliance inside your own virtualization infrastructure. A true cloud-based key management solution like VMware gives you a path to run key management solutions in vCloud either as standard cloud instance or virtual private clouds. Microsoft Azure and Amazon Web Service and other cloud platforms provide a mechanism for deploying virtualized key management appliances too.

What are some factors people need to consider when deciding which key management option is right for their organization?

Risk Tolerance
Risk tolerance is perhaps the main driving force for which of the key management options you might choose. If you're very risk-averse then probably you will want to deploy a hardware security module (HSM) in your own data center.  If you have a moderate level of risk tolerance  you might consider a cloud-based HSM hosted by a cloud vendor with appropriate security technology. A company dealing with small amounts of data might bear some additional risk and use a key management solution to help protect encryption keys in a virtual environment. Cloud or virtual solutions can be much more cost-effective and give enough protection for encryption keys to meet a lower risk tolerance level.

Compliance Regulations
Most compliance regulations give clear guidance on best practices about where encryption key management can and should run. Generally speaking, regulations are based on your industry and what type of sensitive data you store. 

PCI Security Standards Council has issued Cloud Computing Guidelines as well as guidance around virtualization of data protection solutions, so you can be PCI compliant with a cloud-based key management and encryption solution.

Cloud Security Alliance (CSA) has issued good guidance around key management and cloud environments - version 3.

Other regulations are not yet providing concrete guidance,and in some cases it is best to confirm with qualified auditors and assessors to really understand whether or not you can be in compliance and deploy true cloud-based virtualized key management solutions.

Infrastructure
Your key management options are also based on where your data is stored. If you don't have a traditional data center, for example if you are using a software as a service (SaaS) solution, you may not have your own IT infrastructure or personnel with which to deploy a traditional encryption key management HSM internally. So the physical and organizational structure will come to bear in terms of the choices that you have around deploying key management.

Cost
Budget is always an important factor. As you consider various options, ask about endpoint licensing fees and make sure you have predictable maintenance costs as more databases/applications request key access. Remember to consider the costs of not properly managing sensitive data when doing the security cost benefit analysis.

Whatever option you choose, it is always wise to use key management best practices:

• Always separate the encryption keys from the protected data
• Use dual control
• Practice separation of duties
• Manage key rotation
• Look for NIST validations like FIPS 140-2

Please download our most recent podcast on Encryption Key Management Options to hear more about how to meet the challenges of running cloud or virtual applications where implementations are inherently shared, multi-tenant environments!

Our Top Five Blogs of 2013

As we start off 2014, take a look back at five of our most popular blogs from the past year. Great topics, great content… and more to come!

MySQL and Encryption Key Management - 3 Ways Alliance Key Manager Encrypts MySQL Database and Protects Encryption Keys

Summary: With a strong encryption key management solution you can encrypt data in a number of ways in MySQL databases to meet compliance regulations for proper encryption key management. MySQL is the most popular open source relational database system and is in wide use in commercial and non-commercial environments. It is natural that developers and security professionals want to know how to encrypt sensitive information stored in MySQL databases.
Download:  eBook – Encryption Key Management Simplified

AES vs PGP: What is the Difference?

Summary: AES is a symmetric key encryption algorithm, which essentially means that the same key is used for the encryption and decryption of the data. PGP uses symmetric and asymmetric keys to encrypt data being transferred across networks. The encryption PGP offers is just as strong as that of AES, but it adds the additional security that prevents anyone with just the public key from being able to decrypt data that was previously encrypted with it.  AES is fast and works best in closed systems and large databases; PGP should be used when sharing information across an open network, but it can be slower and works better for individual files.
Download:  Webinar – 4 solutions for Data Privacy Compliance

Understanding Log Management on the IBM i

Summary: System logging is important across all operating systems… Because the IBM i system can handle multiple applications, it doesn’t log information like others do.  The IBM i collects logs simultaneously from multiple sources and deal with large volumes: Up to 3,500 events per second…250 Million of events per day!  The essence of good reporting is externalizing the systems logs and collecting them in a central repository which helps remove the risk of tampering. Compliance regulations recognize the need to watch all users – including the most powerful users, because network originated threats to the IBM i are often not noticed or quickly responded to by IT security professionals without close monitoring of system logs.
Download:  Webinar – Understanding System Logging on the IBM i

Why Partner With Townsend Security? What To Look for in a Strong Technology Partner

Summary: Businesses only want to partner with a technology company that has a good reputation. Mark Foege (Business Development Consultant and Principal at the Colvos Group) recounted, “...and that’s why they were excited to partner with Townsend Security. We realize that everything we do impacts the reputation of our partners. That’s why it’s important to us to provide solid, high value products, to make sure we are offering consistently first class support, and we work with our partners to make sure that their customers are completely delighted." Watch the YouTube Video with Townsend Security CEO Patrick Townsend and Mark Foege, they outline the importance of building strong technology partnerships for success, and what to look for in a partner.

What is Encryption Key Management?
Key Lifecycle & Rotation Explained

Summary: Encryption key management refers to the ability of a system to administer an encryption key through the length of its crypto-cycle. From the creation of a key, through it’s use, and eventually to its deletion, an encryption key management system needs to be able to securely and efficiently handle the encryption keys.
Download:  eBook  - Encryption Key Management Simplified

Do you have topics you want to learn more about?  Let us know by leaving a comment here, we will get back to you with an answer... and probably blog about it too!