+1.800.357.1019

+1.800.357.1019

Feel free to call us toll free at +1.800.357.1019.

If you are in the area you can reach us at +1.360.359.4400.

Standard support
6:30am - 4:00pm PST, Monday - Friday, Free

Premium support
If you own Townsend Security 24x7 support and
have a production down issue outside normal
business hours, please call +1.800.349.0711
and the on-call person will be notified.

International customers, please dial +1.757.278.1926.

Townsend Security Data Privacy Blog

Don’t Let Your Application or Database Limit Your Encryption Strategy

Posted by Luke Probasco on Sep 23, 2019 8:37:27 AM

Historically, encryption and key management have been deployed at the application or database level. There are even several databases who’s “Enterprise” edition (like Microsoft SQL Server or MongoDB, for example) include options for encryption and external key management built right in the database. Unfortunately, these types of databases are the exception, rather than the rule. If you were to examine an organization's IT infrastructure, you are more likely to find a wide variety of databases and applications, some natively supporting encryption, some not, and many containing unprotected private information or personally identifiable information (PII). Simply put, their encryption strategy has been limited due to cost and resources required to properly protect private information. 

Podcast: Don't Let Your Application or Database Limit Your Encryption StrategyFortunately, these same enterprises have deployed VMware infrastructure, and starting with vSphere 6.5 and vSAN 6.6, are able to encrypt sensitive workloads in VMware using the advanced cryptographic features in vCenter. To put it a little more simply, businesses can protect their sensitive information in their internal applications and databases that don’t natively support transparent encryption with tools offered by VMware.

I recently sat down with security expert and CEO, Patrick Townsend, to talk about how enterprises can leverage VMware’s vSphere and vSAN to encrypt private data - regardless of whether their applications or databases support encryption. 

Hi Patrick. Let’s jump right in. With the introduction of vSphere encryption in 6.5 and vSAN 6.6, it has become much easier for businesses to encrypt private data. In the past they have relied on encryption at the application level or used the encryption that comes with their database. With so many enterprises deploying VMware, they no longer need to let their application or database limit their encryption strategy.

That’s absolutely correct. There are databases like Microsoft SQL Server and MongoDB EA, for example, that have encryption built right in - which makes it easy. But there are other times when encryption can be much more difficult. SQL Server Standard edition and the Community edition of MySQL, for example, do NOT support encryption. So, you have these widely used databases, with lots of unprotected data because that can be a challenge to encrypt. Using vSphere and vSAN encryption is a great way to address these gaps in an organization's encryption strategy with industry standards-based encryption. 

Sometimes the barrier to encryption is the cost of upgrading databases to “Enterprise” editions. Almost all of us are running VMware in our infrastructure anyway, so in many cases we already have the tools we need - the encryption support is there, we just need to use it. VMware even provides excellent guidance for encrypting databases, like Oracle and SQL Server, for example.

So, one of the most obvious questions. How is performance?

This is always a concern that people bring up. I can say that VMware has done a great job with performance in both encrypted VMs and vSAN - and performance continues to improve. These days, you can even deploy a large database on vSAN. This is a technology that has matured and gained the trust of customers, and they are adopting it at a rapid rate. There is also some really good material from VMware about performance expectations - white papers, solutions briefs, etc. Furthermore, both vSphere and vSAN take advantage of the Intel AES-NI on-chip accelerator for encryption, which provides a great performance boost.

Of course the key manager is the critical component that ensures the encrypted data stays encrypted. Without proper key management, it is like leaving the keys to your house under the welcome mat. What should our readers be looking for in a key manager?

Here is something that I think VMware did right. You must use a key manager in order to activate vSphere encryption of VMs or vSAN encryption. Within vSphere you are able to create a KMS cluster, define failover key managers, multiple KMS clusters, etc. They did a great job. Furthermore, VMware based their interface on the Key Management Interoperability Protocol (KMIP) industry standard. Other databases vendors, for example, allow local storage of encryption keys. That is really such a BAD security practice, so I am glad that VMware saw implications of that. If you are going to use VMware encryption, you are going to use proper encryption key management and that will be much better from a security perspective. I also think that this reflects on VMware as a company and their concern for their enterprise customers.

What to look for in a key manager? All enterprise level key managers are validated to FIPS 140-2 by the National Institute of Standards and Technology (NIST). Be absolutely sure you key management vendor has completed this validation. Secondly, your key manager should support the KMIP protocol. Finally, if you are taking credit cards for payments, look for a PCI validation. We validated our Alliance Key Manager with both Coalfire and VMware, as a joint project. This helps our customers easily get through an audit, which can be quite difficult.

While I have you, I was hoping you could also offer some clarification on the term KMS. For example, VMware defines KMS as a Key Management Server. Amazon defines their KMS as a “Key Management Service.” How should our readers be thinking about a KMS in regards to VMware encryption?

Ah, the chaos of three letter acronyms. KMS, in general terms, means Key Management Server. It is a broad term covering key management devices that manage the entire lifecycle of a key - from creation to destruction. You are right, Amazon does call their key management service KMS, which can lead to some confusion. This service is NOT to be confused with a key management server - and does not give you full control over the entire key lifecycle. It is a shared administrative environment where you share access to the keys with Amazon.

You need to approach cloud service provider (CSP) implementations of key management services with trepidation. It is important for YOU to hold exclusive access to your keys and that only you have the only administrative control. Cloud lockin can be another concern as well.

To hear this conversation in its entirety, download our podcast Don’t Let Your Application or Database Limit Your Encryption Strategy and hear Patrick Townsend further discuss Encrypting applications and databases that don't natively support encryption, encryption performance, and other fundamental features of an enterprise grade key manager.

[Podcast] Don't Let Your Application or Database Limit Your Encryption Strategy

Topics: Encryption Key Management, VMware, vSphere, vSAN

VMware vSAN Encryption for Compliance

Posted by Patrick Townsend on Aug 30, 2019 9:06:56 AM

Many VMware customers know that they can encrypt their virtual machines that are managed with vSphere and other VMware tools. VMware vSAN encryption can also provide important protections for data-at-rest in vSAN virtual disks. I wanted to share some thoughts I’ve received from our VMware customers and partners on some of the benefits of using vSAN storage with encryption enabled.

A Simple Way to Encrypt

Podcast: Protecting Data with vSphere & vSAN EncryptionWhen you have a large database, it can be inefficient to store the data in a directory or folder directly in your virtual machine. vSAN can be much easier to manage from an administrative and recovery point of view and your VMware applications can easily connect to the vSAN volume. vSAN is configured using the VMware tools you already know how to use and managing vSAN storage is easy.

Did you know that you can enable vSAN encryption to protect that database with sensitive data? You can enable vSAN encryption on existing virtual disks or on new virtual disks that you create. The process is simple and does not require any downtime for your application - and vSAN encryption enables the use of a KMIP compatible key manager like our Alliance Key Manager so that you stay lined up with industry standards and security best practices. It is an easy way to improve your overall security posture.

A Simple Way to Meet Compliance

Many of our VMware customers are struggling to implement encryption on their databases to meet compliance regulations and to protect the organization’s digital assets. Although encryption and key management have become much easier over the years, it can still seem like a daunting task. VMware vSAN encryption to the rescue! It is easy to implement with the tools you already have, and you can deploy an affordable key management solution such as our Alliance Key Manager to fully meet compliance requirements and security best practices. You configure key management directly through the KMS Cluster facility in vSphere, and then activate vSAN encryption. Alliance Key Manager does not impose any limits on the number of virtual disks you protect, nor on the number of nodes that connect to the key manager.

A Simple Way to Save Money

Some databases, such as Oracle and Microsoft SQL Server, require expensive license upgrades to enable encryption capabilities. This cost can be out of reach for many small to medium size organizations. Using vSAN encryption is an affordable way to achieve a better security posture using the tools and the IT professionals you already have.

You might be wondering if VMware supports the deployment of these databases on vSAN volumes. The answer is absolutely YES! You will find substantial documentation from VMware on doing exactly this. The documentation includes reference architectures and analysis of performance impacts. You can confidently move forward with vSAN encryption knowing that VMware has invested time and effort to make sure you are successful.

Lastly, we know that some VMware users have deployed the free version of vSphere. There are some costs associated with upgrading to the paid tier of vSphere in order to get the ability to encrypt VMs and vSAN. If this is where you are today, talk to us about how we can help with the uplift to the next level of vSphere capability.

Resources:
vSAN Documentation
Oracle Database on VMware vSAN Solution Overview
Architecting Microsoft SQL Server on VMware vSphere
Pointers to our AKM for vSphere/vSAN Solution Brief 

New call-to-action

Topics: Compliance, VMware, Enryption, vSAN

VMWare and Encryption Key Management Failover

Posted by Patrick Townsend on Jun 26, 2019 12:38:09 PM

Encryption and Key Management for VMware - Definitive GuideOne of the easiest ways to implement encryption controls in your VMware infrastructure is to activate vSphere and vSAN encryption. With vSphere encryption you can insure that all VM images are encrypted at rest, and with vSAN encryption you can set up virtual disks that are fully encrypted protecting any files that you place there. vSphere encryption was implemented in version 6.5, and vSAN encryption was implemented in version 6.6. All subsequent versions of vSphere and vSAN include these capabilities. (Note that you must be on the Enterprise or Platinum edition).

In both vSphere and vSAN the key manager is integrated using the open standard Key Management Interoperability Protocol, or KMIP. This means that any key management solution that supports the necessary KMIP interface can work as a vSphere or vSAN key manager. Our Alliance Key Manager solution implements this support, and is already in use by our VMware customers. 

The most common question we get about these new encryption features is: How do I manage failover for the key managers?

This is a great question as VMware is a part of your critical infrastructure, and key management has to work with your high availability strategy. There are two parts to this question and lets dig into both of them:

Defining Key Managers to vSphere KMS Cluster

Key managers are defined to vSphere using the option to configure the KMS Cluster. A KMS Cluster configuration allows you to define more than one key manager. So you have a readily available path for failover. The first key manager configuration is the primary key manager, and all subsequent key managers in the KMS Cluster are failover key managers. vSphere will always use the first key manager you define and treat it as the primary. 

In the event vSphere cannot connect to the primary key manager, it will try to connect to the second key manager in the KMS Cluster configuration. If that one fails it will try the third one, and so forth. The failover order is the order in which you define key managers in the KMS Cluster, so you should keep that in mind as you define the key managers.

While vSphere allows you to create multiple KMS Cluster definitions, very few VMware customers need multiple definitions. Just put your key manager definitions in a single KMS Cluster and you are set to go. 

If you have failover clusters for VMware, be sure to define the KMS Cluster for the failover environment, too!

Implementing Key Mirroring in Alliance Key Manager

Now that you have failover key managers defined to the KMS Cluster, you need to activate key mirroring between the primary key manager and each failover key manager. This is really easy to do, and you don’t need any third party products to implement key mirroring with Alliance Key Manager. Real time, active-active key mirroring is built right into the solution. You can SSH into the key manager, provide credentials, and then take the menu option to set up the primary or secondary key server. Answer a few questions and you will have key mirroring enabled between two or more Alliance Key Manager servers.

Our Alliance Key Manager solution implements full support for vSphere and vSAN encryption key management and has everything you need to get started. Adding encryption to your VMware environment is easy. VMware did a great job with this implementation of key management support and you can easily realize the benefits of protecting VMware infrastructure.

Alliance Key Manager documentation for vSphere can be found here.

You can download Alliance Key Manager and get started right away. Here is where to go to start the process.

Townsend Security will help you get started with vSphere and vSAN encryption. There is no charge for the evaluation or evaluation licenses and you will get access to the Townsend Security support team to ensure you have a successful project.

Patrick

New call-to-action

Topics: Alliance Key Manager, VMware

Townsend Security and Alliance Key Manager Achieves VMware Ready™ Status

Posted by Luke Probasco on Jan 22, 2019 12:01:00 AM

Townsend Security, today announced that its Alliance Key Manager for VMware has achieved VMware Ready status. This designation indicates that after a detailed validation process Alliance Key Manager for VMware has achieved VMware’s highest level of endorsement and is supported on VMware ESXi  (all supported versions, vSphere 6.5 and later, and vSAN 6.6 and later) for production environments.

Encryption and Key Management for VMware - Definitive Guide“We are pleased that Townsend Security and Alliance Key Manager for VMware qualifies for the VMware Ready logo, signifying to customers that it has met specific VMware interoperability standards and works effectively with VMware cloud infrastructure. This signifies to customers that Alliance Key Manager for VMware can be deployed in production environments with confidence and can speed time to value within customer environments,” said Kristen Edwards, director, Technology Alliance Partner Program, VMware.

By using Alliance Key Manager for VMware with VMware ESXi (all supported versions, vSphere 6.5 and later, and vSAN 6.6 and later) organizations can centrally manage their encryption keys with an affordable FIPS 140-2 compliant encryption key manager. Further, they can use native vSphere and vSAN encryption to protect VMware images and digital assets at no additional cost. VMware customers can deploy multiple, redundant key servers as a part of the KMS Cluster configuration for maximum resilience and high availability.

“By achieving VMware Ready status with Alliance Key Manager for VMware, Townsend Security has been able to work with VMware to bring affordable encryption key management to VMware customers and the many databases and applications they run in VMware,” said Patrick Townsend, CEO of Townsend Security. “Meeting data security compliance in VMware vSphere is now easier than ever.”

The VMware Ready program is a co-branding benefit of the Technology Alliance Partner (TAP) program that makes it easy for customers to identify partner products certified to work with VMware cloud infrastructure. Customers can use these products and solutions to lower project risks and realize cost savings over custom built solutions. With thousands of members worldwide, the VMware TAP program includes best-of-breed technology partners with the shared commitment to bring the best expertise and business solution for each unique customer need.

Townsend Security and Alliance Key Manager for VMware can be found within the online VMware Solution Exchange (VSX) at https://tsec.io/VMwareReadyPR. The VMware Solution Exchange is an online marketplace where VMware partners and developers can publish rich marketing content and downloadable software for our customers.

VMware, VSXi, vSphere, vSAN and VMware Ready are registered trademarks or trademarks of VMware, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

New call-to-action

Topics: Encryption Key Management, VMware, Press Release, vSphere, vSAN

Protecting Data with vSphere & vSAN Encryption

Posted by Luke Probasco on Sep 28, 2018 2:35:36 PM

VMware allows customers to use native vSphere and vSAN encryption to protect VMware images and digital assets.  But as we know, to truly protect private data, encryption keys must also be properly stored and managed. I recently sat down with Patrick Townsend, Founder and CEO of Townsend Security, to talk about vSphere and vSAN encryption, deploying multiple, redundant key servers as a part of the KMS Cluster configuration for maximum resilience and high availability, as well as meeting compliance regulations and security best practices for your organization.  Additionally, we talked about Alliance Key Manager for VMware and how it is helping businesses protect their sensitive data.

Podcast: Protecting Data with vSphere & vSAN EncryptionVMware virtualization has been a game-changing technology for IT, providing efficiencies and capabilities that have previously been impossible for organizations constrained within a traditional IT data center world.

It is really great to see VMware, as a company, stepping up to embrace encryption for vSphere and vSAN.  Introduced in vSphere 6.5 and vSAN version 6.6, encryption allows users to protect data at rest. Additionally, there is a really great key management interface, which provides an excellent path to store and manage keys.  While these versions have been out for a while, many customers are just now getting around to upgrading and can take advantage of VMware's native encryption. With VMware, organizations are able to reduce hardware costs, lower operational cost, and provides a clear a path to move to the cloud. With the addition of encryption, you can deploy secure environments where there is less risk of data loss in the event of a breach.

Let’s dive in a little more and talk about vSphere and vSAN encryption.  Can you walk me through how an organization might deploy encryption and key management?

Sure. I think in a typical VMware environment, organizations are already doing some encryption in their applications.  For example, they may be running Microsoft SQL Server in a VM and using Transparent Data Encryption (TDE) to protect the data.  With the new facilities, you now get the ability to encrypt right in the VMware infrastructure itself. There is one thing that I think VMware did really well, and they have proven this over and over again, is that they have laid out a certification process for key management vendors, which gives VMware customers confidence that they are purchasing and deploying a solution that has been vetted by VMware themselves.  Our Alliance Key Manager, for example, has been certified for vSphere and vSAN encryption.

In terms of deploying key management, it is easy. We recommend using both a production key server and a failover key server. vSphere supports KMS cluster configurations which allow you to have a resilient encryption and key management architecture.  Aside from just being a security best practice, we are seeing our customers deploy two servers because they never want to lose access to their encrypted data. The servers synchronize in real-time and have automatic failover capabilities.

You can’t talk about key management without talking about compliance.  Whether it is PCI DSS, GDPR, or state and federal privacy laws, who doesn’t fall under compliance these days?

Yes, good question.  That is probably a very short list these days.  When you look at all the existing compliance regulations around the world, including the new GDPR, you realize that everyone falls under some compliance regulation, and most of us fall under multiple regulations.  Enterprises, big and small, public and private, fall under the same compliance regulations. Additionally, I have heard more from privately held companies that they think they are exempt - which is not true.

So you are correct.  Compliance regulations are driving a lot of uptake in encryption and I would say that lately GDPR is driving the most interest.  If you look at Article 32 and related recitals, the requirement to protect a data subjects information, there is a clear call for encryption. GDPR has put a new focus on the need to protect private data, as well as to take a broad view at what should be considered sensitive data.  It is not just a credit card number or social security number. Information like a phone number or email address can be considered sensitive data.

How is your Alliance Key Manager helping VMware users protect their private data?

Well, we have been helping VMware customers for a number of years  who are encrypting at the application level. Our Alliance Key Manager for VMware runs as a virtual software appliance and is binarily the same as our hardware security module (HSM). What is new, is that VMware opened the vSphere and vSAN and products to support encryption key management. Now VMware users can leverage the same key management solution for both application and VMware infrastructure encryption.

People often ask us, “How is your key manager different than your competitors”?  One thing that makes us stand out is that we are very diligent about meeting compliance requirements (PCI DSS, GDPR, HIPAA, etc.) and industry standards (FIPS 140-2, KMIP, etc.). Years ago, when we partnered with VMware, one of the first things we did was work with VMware and a QSA auditor to achieve a PCI compliance statement.  Customers can now be assured that when they deploy our Alliance Key Manager in VMware that they are meeting PCI compliance.

What else do VMware customers need to know about Alliance Key Manager for VMware?

Alliance Key Manager is a mature product that has been on the market for more than 10 years. It uses the same software that runs inside our Hardware Security Module (HSM), so customers can be confident that they are running exactly the same key management software that is FIPS 140-2 compliant and in use by over 3,000 customers worldwide.  Additionally, the security posture that the key manager allows, as well as the reference architecture that VMware provides, really gives VMware customers a road map to doing a secure installation.

The other thing that I think a lot of people might not realize is, that when they deploy Alliance Key Manager, they have our entire library of client side applications, SDKs, and sample code available to them.  For example, we have a Microsoft SQL Server TDE encryption component, support for MongoDB via KMIP, and sample SDKs for languages like Java, PHP, Python, etc. All of that comes along with the key manager and makes it easy to address security requirements.

Finally, I’d like to mention our partnership with VMware.  We are diligent about maintaining our certifications with Alliance Key Manager.  Doing this brings a level of confidence to the product for our customers. Prior to starting an encryption project they may be a little leery of key management because they have heard that it may be complicated.  That was true in the past. In fact, today it is actually extremely simple to deploy. Another barrier that we have knocked down is the scalability issue. Our solution works across multiple platforms - AWS, Azure, VMware or as an HSM.  They all talk to each other, and if one goes down, another will automatically fail over. That gives VMware customers the ability to be extremely flexible about how they deploy key management. It is not uncommon that our customers will deploy an application in the cloud, deploy a key manager in AWS, and then mirror those keys back to their on-premise VMware infrastructure. All of this is really straightforward and simple to deploy.

To hear this conversation in its entirety, download our podcast Protecting Data with vSphere & vSAN Encryption and hear Patrick Townsend further discuss protecting data in vSphere and vSAN with encryption and key management.

Evaluation: Alliance Key Manager for VMware

Topics: Encryption, VMware, vSphere, vSAN

Townsend Security Extends Alliance Key Manager to Support vSphere Encryption of VM Images and vSAN

Posted by Luke Probasco on Sep 14, 2018 8:06:28 AM

VMware users can now protect VM Images and vSAN with with Alliance Key Manager, Townsend Security’s FIPS 140-2 compliant encryption key manager.

New Call-to-actionTownsend Security is excited to announce that its new version of Alliance Key Manager fully supports VMware vSphere encryption for both VMware virtual machines (VMs) and for VMware Virtual Disk (vDisk). VMware users have been using Alliance Key Manager to protect data in application databases and applications to meet PCI DSS, GDPR, HIPAA compliance as well as other data privacy regulations. Now VMware users can use the same Alliance Key Manager solution with vSphere to protect virtual machines and virtual disks. Townsend Security is a VMware Technology Alliance Partner (TAP) and Alliance Key Manager for VMware has achieved VMware Ready status.  

“Our customers have been using Alliance Key Manager to protect data in Microsoft SQL Server, MongoDB and other environments for many years. Now VMware users can have confidence that Alliance Key Manager can also protect VMware virtual machines and virtual disk to achieve the highest level of data-at-rest protection,” said Patrick Townsend, CEO of Townsend Security. “VMware users are looking for certified solutions that support their complex Windows and Linux environments without the need to deploy additional hardware-based HSMs. We are happy to announce this extension of our key management solution to help VMware vSphere users achieve a high level of data protection.”

VMware users are looking for affordable solutions that provably meet compliance regulations and which fit their budget and deployment goals. Alliance Key Manager meets this goal by providing NIST FIPS 140-2 compliance, PCI-DSS certification, and Key Management Interoperability Protocol (KMIP) compliance out of the box. Existing Alliance Key Manager customers can upgrade at no cost to extend their data protection compliance requirements to vSphere. New customers can deploy Alliance Key Manager without the fear of increased, unplanned licensing costs in the future.

In addition to PCI DSS, compliance regulations such as the European Union General Data Protection Regulation (GDPR), the HIPAA data security regulation, and many other data protection regulations, require the encryption of data at rest. Alliance Key Manager combined with vSphere encryption are the protection methods  to help you meet these regulatory requirements. “Don’t be fooled by vague language in the GDPR regulation. You must act to protect sensitive information of individuals in order to meet this regulatory requirement. You should act now to protect your organization,” said Townsend.

Alliance Key Manager for VMware is available for a free 30-day evaluation.

VMware Encryption eBook

Topics: Alliance Key Manager, VMware, Press Release

IBM SoftLayer, VMware and Getting to the Secure Cloud

Posted by Patrick Townsend on Aug 1, 2016 8:27:33 AM

VMware customers have experienced some frustration around cloud migrations for quite some time. While VMware has attempted to provide a path to the cloud through their vCloud strategy, substantial barriers have made the migration difficult to achieve. While VMware customers have achieved substantial cost and efficiency savings through VMware technologies, they have largely not been able to extend these benefit through cloud migrations. The new IBM and VMware partnership is changing this.

Encrypting Data in IBM SoftLayerThere are two aspects of the partnership that make this very different than other cloud offerings for VMware:

  • IBM will create dedicated cloud resources for VMware customers who migrate, essentially creating a private cloud platform. This will alleviate many of the concerns of Enterprise customers about the security of their cloud migration.
  • IBM has negotiated great pricing for VMware applications on the IBM SoftLayer cloud. This will let VMware customers experience an immediate ROI on the cloud migration.

VMware customers have invested a great deal in the architecture and administration of their VMware environments. VMware applications let customers create secure segmented networks, apply security and access controls, monitor the status of their applications, automate business recovery operations, and perform an number of other administrative functions in a coherent and cost-effective manner. Finding a way to the cloud that leverages benefits is crucial for the VMware customer.

I think IBM has found the right path for these customers.

IBM is not the first to attempt to address the needs of the VMware customer. Rackspace and others have cloud migration plans and have been working with VMware customers. But I think IBM SoftLayer has solved some problems that will open the path to VMware in the cloud.

One of the remaining challenges for VMware customers is to get their third-party application and security vendors to embrace this move to the cloud. While the IBM VMware offering is a true native VMware implementation that will reduce the technical issues, software vendors need to be explicit about their support for solutions deployed on a cloud platform. VMware customers can find it confusing and frustrating to get clear statements of support from vendors.

At Townsend Security we are trying to support our customers migrating our products in VMware to the IBM SoftLayer cloud. Our Alliance Key Manager and related encryption products are already validated for deployment in VMware. And we’ve extended our support for the VMware platform by validating our encryption and key management to the PCI Data Security Standard. We now also support the migration or deployment of our solutions in the IBM SoftLayer cloud. This gives IBM SoftLayer customers the confidence of moving their encryption security infrastructure to the IBM SoftLayer platform.

It has been amazing how the PCI-DSS validation of our solutions in VMware have helped VMware customers meet PCI requirements. VMware deserves a lot of credit for creating a formal program for PCI validation on a well-defined VMware reference architecture. Working with Coalfire, a security auditing firm, we were able to very quickly certify our encryption and key management solutions to the PCI-DSS standard. This has helped multiple customers quickly move through the compliance challenge and this applies to the IBM SoftLayer platform, too. Because IBM SoftLayer retains the dedicated resources for the customer, compliance will be easy to achieve.

IBM and VMware have created a great path to the cloud for VMware customers. I know that many challenges will remain for customers with more complex VMware architectures, especially with hybrid environments. But I think the path to the cloud just got a bit straighter and easier.

Patrick

Encrypting

Topics: VMware, Cloud Security

PCI DSS Requirements 3

Posted by Luke Probasco on Jul 22, 2015 12:52:00 PM

NIck Trenc - CoalfireThis is a guest blog by Nick Trenc, CISSP, QSA, PA-QSA, VCP.  Nick is an IT Security Architect at Coalfire Labs.


For those protecting the front lines of our credit card data in merchant environments, few other things keep those in charge (as well as IT administrators) awake at night than the threat of a breach. Questions often arise along the lines of: Will my company be able to survive? What can I do to protect myself? How do I prevent my company from being next? And how do I limit any losses should it happen to us?

VMware Encryption Key Management PCIOne of the key components to the protection of cardholder data at any merchant location is the use of strong cryptography along with just-as-strong cryptographic key management procedures. PCI DSS Requirement 3 outlines what the PCI council believes to be the baseline for strong cryptographic key management procedures and is a key element of any PCI DSS audit.

Successful key management with a strong cryptographic algorithm is the best place to start with getting encryption of your cardholder data correctly protected while it is contained within your environment. But key management can be confusing, difficult and downright impossible depending on the size of your environment. Figuring out if your keys are strong enough, or if they are rotated often enough or if they are protected from would-be hackers. On top of that, figure in the ever-increasing complexity of today’s business systems to include cloud, virtual computing, data mining, and others, the ability to quickly and easy manage encryption keys across several platforms and environments becomes key for PCI DSS compliance.

This is where a tool like Townsend Security's Alliance Key Manager (AKM) comes in to play. Available as a physical hardware security module (HSM), a cloud HSM, a virtual appliance (VMware) or in the cloud (AWS, Azure), Alliance Key Manager can help merchants meet PCI DSS requirements for encryption key management by creating, managing, and distributing AES 128-bit, 192-bit or 256-bit encryption keys all without the risks involved with clear-text key administration.

As a QSA, it is certainly encouraging to see a complete encryption solution that removes some of the worries of traditional manual clear-text key management procedures. AKM can relieve pressure to meet portions of PCI DSS Requirement 3 such as the need to render Personal Account Numbers (PAN) unreadable using strong cryptography with associated key-management processes and procedures (PCI DSS 3.4). It directly meets PCI DSS Requirement 3.5.2 to store keys within a secure cryptographic devices such as a HSM along with additional encryption requirements such as 3.6.2 – Secure Key Distribution, and 3.6.3 – Secure Key Storage. In addition, AKM can make PCI DSS Requirements 3.6.6 for Split Knowledge and Dual Control not applicable as there are no manual key-management operations involved. This (virtual) device is a useful cost-effective tool to help meet your PCI DSS compliance.

For more information on using AKM to meet PCI DSS compliance specifically within a virtual environment (but also applicable to most environments), please see the VMware Product Applicability Guide for PCI DSS 3.0 published by Coalfire Systems with collaboration with Townsend Security and VMware.

VMware Encryption Key Management PCI DSS

Topics: Alliance Key Manager, VMware

Overcome Security Challenges with Your VMware Environment

Posted by Michelle Larson on Apr 15, 2015 10:29:00 AM

Prioritize Your Data Security Plan and Encryption Strategy

New Call-to-actionMany businesses migrating to VMware environments are storing or processing credit card numbers, financial information, health care data, and other personally identifiable information (PII) in a virtual, shared environment. How does an organization meet industry data security requirements and prevent unwanted access to sensitive data?

In order to achieve a comprehensive data security plan in a VMware environment, organizations should consider the following steps:

Take Inventory of Your Sensitive Data

Every data security project should start by making an inventory of sensitive data in your IT environment. If you do not know where to start, first consider the compliance regulations you fall under. For example, do you process credit cards? If so, you must locate and encrypt primary account numbers (PAN), expiration date, cardholder name, and service codes where they are processed, transmitted, or stored in order to meet PCI compliance. If your company is a financial institution, include Non-Public Information (NPI) about consumers, and if you are in the medical segment, you must also locate all Protected Health Information (PHI) for patients. Finally, locate all data that is considered Personally Identifiable Information (PII) which is any information that can uniquely identify an individual (social security number, phone number, email address, etc.). Business plans, computer source code, and other digital assets should make the list, too.

Once you have a list of the kinds of information that you should protect, find and document the places this information is stored. This will include databases in your virtual machines, unstructured data in content management systems, log files, and everywhere else sensitive data comes to rest or can be found in the clear.

After you have a full inventory of your sensitive data, prioritize your plan of attack to secure that information with encryption and protect your encryption keys with a key management solution. The most sensitive information, such as credit card numbers, medical or financial data, is more valuable to cyber criminals and should be encrypted first. Creating this map of where your sensitive data resides and prioritizing which data to encrypt is not only a requirement for many compliance regulations, but will help to focus your resources as well.  

What to do:

  • Define sensitive data for your organization.
  • Using manual and automated procedures, make an inventory of all of the places you process and store sensitive data.
  • Create a prioritized plan on how you will encrypt the sensitive information affected by compliance regulations.

Implement Encryption and Encryption Key Management

While encryption is critical to protecting data, it is only half of the equation. Your key management solution will determine how effective your data security strategy ultimately is. When encrypting information in your applications and databases, it is crucial to protect encryption keys from loss. Storing encryption keys with the data they protect, or using non-standard methods of key storage, will not protect you in the event of a data breach.

For businesses who are already encrypting data, the most common cause of an audit failure is improper storage and protection of the encryption keys. Doing encryption key management right is often the hardest part of securing data. For this reason, it is paramount to choose a key management solution that is compliant and tested against the highest standards:

  • Your VMware key management solution should be based on FIPS 140-2 compliant key management software (find out if your key management vendor offers FIPS 140-2 compliant key management on the NIST website look it up on the NIST web site.
  • A key management solution should also conform to the industry standard Key Management Interoperability Protocol (KMIP) as published by OASIS. Ask for the KMIP Interoperability Report from the KMIP testing process.

Encrypting sensitive data on your virtual machine protects your data at the source, and is the only way to definitively prevent unwanted access to sensitive data. With VMware environments, businesses that need to protect sensitive data can use encryption and encryption key management to secure data, comply with industry security standards, protect against data loss, and help prevent data breaches.

What to look for:

  • Use industry standard encryption algorithms such as AES to protect your sensitive data. Avoid non-standard encryption methods.
  • Your encryption solution should support installation in any application workgroup that you define for your trusted applications. Be sure your encryption vendor explains any limitations in the VMware deployment.
  • Your encryption key management solution should support deployment in a separate VMware security workgroup. Ideally, the key management solution will include internal firewall support to complement the VMware virtual firewall implementation.
  • Your key management solution is a critical part of your VMware security implementation. It should support active collection and monitoring of audit logs and operating system logs. These logs should integrate with your log collection and SIEM active monitoring systems.

As your IT environment evolves, make sure your key management evolves with you. In addition to support for VMware, be sure your key management solution is available as a hardware security module (HSM), as a Cloud HSM subscription, and as a native cloud application on major cloud service provider platforms such as Amazon Web Services and Microsoft Azure. Even if you do not have these non-VMware platforms today, it is important to consider that the evolution of your IT infrastructure is inevitable. The encryption and key management solutions you deploy today in your VMware data center should be prepared to move to cloud or hosted platforms quickly and seamlessly. A merger, acquisition, rapid growth, competitive challenges, and technology advances can force the need to migrate your solutions to new platforms.

For more detailed information, check out our eBook on VMware Encryption – 9 Critical Components of a Defensible Encryption Strategy:

VMware Encryption eBook

Topics: Alliance Key Manager, Data Security, eBook, Encryption Key Management, VMware

Understanding Encryption and Key Management for VMware

Posted by Michelle Larson on Apr 3, 2015 11:33:00 AM

How to implement solutions that are based on compliance standards and meet security best practices.

As more and more Enterprise businesses move into virtual and cloud environments, they face challenges and security issues in these multi-tenancy situations. VMware customers benefit from the many operational and cost efficiencies provided by VMware virtualization technologies both in traditional IT infrastructure and in cloud environments. VMware Resource Kit for Encryption and Key ManagementAs VMware customers deploy data encryption solutions as a part of their defense-in-depth strategy, the need for compliant encryption key management can present barriers to a good encryption implementation. It is possible to deploy a proper encryption key management solution within the VMware infrastructure without the need for traditional hardware security modules (HSMs) when this approach is appropriate to the security needs of the organization.

Here is some high level guidance on how to deploy and protect a solid encryption and key management solution for VMware within your virtual or cloud environment. While these recommendations are general in nature (actual VMware deployments will use different VMware applications and architectures to meet specific user, application, and security needs) they can provide a good roadmap.

Seven General VMware Recommendations

1. Identify and Document Trusted and Un-Trusted Applications

Properly identifying application groups based on the level of trust is critical for a secure implementation of virtualized applications and encryption key management services. Create and isolate a management cluster for your core VMware applications such as vSphere, vShield, etc. Identify application groups and their associated level of trust, and isolate applications into appropriate workgroups. Avoid mixing trusted and untrusted applications in a workgroup.

You should consider creating a security workgroup to contain your third party security applications such as encryption key management, authentication services, active directory, system logging, and other applications whose primary function is to assist in securing your applications in your VMware environment.

In preparation for properly securing these environments, create an inventory of all Virtual Machines managed in each workgroup. For each workgroup and virtual machine, identify the security controls that will be required for each one (network segmentation, storage segmentation, system logging, active monitoring, etc.). VMware flow tools can assist with this documentation.

2. Restrict Physical Access

Fundamental to all IT security implementations is proper security of the physical environment. This means proper physical security controls and physical monitoring of the data center as well as good auditing and procedural controls. These physical controls should also apply to access of VMware management and security applications. You can look to the PCI Data Security Standards and guidance for information on appropriate physical controls. You can also refer to standard security guidance in SOC 2 and SOC 3 assessments for information on physical controls. When deploying on a cloud platform it is always a good idea to ask the Cloud Security Provider (CSP) for a copy of the PCI letter of attestation, or an SOC 2 / SOC 3 report.

3. Isolate Security Functions

Because security applications are often a target of cyber-criminals, you should isolate them into their own security workgroup and implement the highest level of VMware security. Only trusted VMware administrators should have access rights to the encryption key management solution, system logs, and audit reports. Be sure to actively monitor access to and use of all encryption key management, key retrieval, and encryption services.

4. Change VMware Default Passwords

Review all VMware applications used to secure and manage your VMware environment and change the default passwords as recommended by VMware. The failure to change default passwords is one of the most common causes of security breaches.

5. Implement Network Segmentation

Network segmentation is easy to accomplish with VMware network management and security applications and you should implement network segmentation to isolate applications that process sensitive information from applications that do not require as high a level of trust. Additionally, you should provide network segmentation for all third party security applications such as your encryption and key management solution. Network segmentation should include all high availability and business recovery infrastructure. Do not rely on virtual network segmentation alone; use firewalls that are capable of properly securing virtual networks.

6. Implement Defense in Depth

The VMware management and security applications provide for a high level of security and monitoring. They also provide hooks and integration with third party security applications that provide system log collection, active monitoring, intrusion detection, etc. Encryption is a critical part of a defense-in-depth strategy, and protecting encryption keys is the most important part of an encryption strategy. Regardless of the operating systems in your application Virtual Machines, your solution should provide encryption key management, key retrieval, and encryption services for your business applications and databases running in your VMware infrastructure.

7. Monitor VMware Administrative Activity

Use an appropriate SIEM solution to collect VMware application and ESXi hypervisor system logs and perform active monitoring. The log collection and SIEM active monitoring solutions should be isolated into a security workgroup that contains other third party security applications such as Townsend Security’s Alliance Key Manager.

For additional information on securing Alliance Key Manager for VMware, our encryption key management solution, request the VMware Resource Kit containing the Guidance Document and other valuable resources:

Resource Kit: Encryption and Key Management in VMware

As solutions and implementations vary a great deal, always consult with a security specialist and compliance auditor for specific guidelines for your industry and environment! Just contact us to get started!

Topics: Compliance, Data Security, Encryption Key Management, Defense-in-Depth, VMware, Resource Kit

The Definitive Guide to AWS Encryption Key Management
 
Definitive Guide to VMware Encryption & Key Management
 

 

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all