Townsend Security Data Privacy Blog

VMWARE MARKETPLACE IS GREAT FOR VENDORS

Posted by Patrick Townsend on Aug 4, 2022 1:15:36 PM

Townsend Security has been a VMware partner for many years. I’ve always found their technical and marketing teams great to work with. A decade ago we started with a basic partnership, then achieved a PCI Data Security Standard validation of Alliance Key Encryption Strategies for VMware Environments Manager through their partnership with Coalfire, and then achieved certified status of our key manager with VMware encrypted VMs and vSAN. Now we are working towards an enhanced marketplace presence where our customers can actually purchase our key manager through the VMware marketplace portal.

Here is a blog that we wrote together and just published on the VMware blog:

https://blogs.vmware.com/tap/2022/07/21/vmware-marketplace-benefits-from-a-partners-point-of-view/

If you are a VMware partner and have a solution that enhances the VMware customer environment you should really look at the new marketplace features!

Patrick Encryption Key Management for VMware Cloud Providers

Topics: VMware, vSAN, vSphere Encryption

IT's OFFICIAL - ENCRYPTION FOR RANSOMWARE PROTECTION

Posted by Patrick Townsend on Jun 15, 2021 3:22:26 PM

If you’ve been following this blog recently you know that I’ve been advocating for the use of encryption to help prevent ransomware attacks. Ransomware attackers have been adapting to the new reality that a lot of companies have deployed good backup strategies to recover their files. Without that leverage the attackers can’t extort payments for recovery of your systems.

So, what are they doing now? They are exfiltrating your sensitive data and using that as additional leverage. 

Encryption Strategies for VMware Environments Oh, you have backups and you don’t want to pay? OK, we took your sensitive data and we are going to publish it. Do you have secret intellectual property or business plans? Do you have sensitive medical information on your patients? Do you have sensitive information about children in your care? 

Under this kind of pressure many ransomware victims decide to pay the ransom. 

That’s why it is important to encrypt your data before a ransomware attack. If the attacker can’t read your data because it is encrypted they can’t threaten to release it.

It has been frustrating to me that most security recommendations on how to protect yourself from a ransomware attack omit the step of encrypting your data first.

But that has now changed! And it is long overdue.

Here is what President Biden’s new executive order recommends (emphasis added):

What we urge you to do now:

Implement the five best practices from the President’s Executive Order:President Biden’s Improving the Nation’s Cybersecurity Executive Order is being implemented with speed and urgency across the Federal Government. We’re leading by example because these five best practices are high impact: multifactor authentication (because passwords alone are routinely compromised), endpoint detection & response (to hunt for malicious activity on a network and block it), encryption (so if data is stolen, it is unusable) and a skilled, empowered security team (to patch rapidly, and share and incorporate threat information in your defenses). These practices will significantly reduce the risk of a successful cyberattack. 

And  more ...

And this:

For Federal Agencies:

Modernize and Implement Stronger Cybersecurity Standards in the Federal Government. The Executive Order helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period. Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.

Encryption is not the only thing you need to do, but it is a critical part of a ransomware protection strategy. It is heartening to see this being recognized.

There is some good news: Encryption is fast, easy and affordable. If you are a small or midsize organization you will be glad to know that there is an affordable solution for your encryption strategy. Encryption and encryption key management are no longer the headaches they once were. You or your IT Support organization can address your encryption needs in a rapid manner. 

If you are an IT Support Provider or Managed Service Provider trying to help your customers with security, you are going to love our MSP Partner program. Affordable key management for VMware and the cloud, usage-based billing, and no upfront fees. You will be profitable from the first customer. More information here: 

https://townsendsecurity.com/msp

Ransomware attacks can be devastating to an organization, but you have tools to protect yourself. Give us a call.

Patrick

References:

https://image.connect.hhs.gov/lib/fe3915707564047b761078/m/1/8eeab615-15a3-4bc8-8054-81bc23a181a4.pdf

https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/

Encryption & Key Management for VMware Cloud Providers

Topics: Alliance Key Manager, Encryption, Encryption Key Management, VMware, Ransomware, MSP

Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program [Part 8 of 8]

Posted by Patrick Townsend on Nov 11, 2020 11:25:00 AM

Can I also resell Alliance Key Manager?

VMware Cloud Providers & MSPs - Win New Business Yes, you can operate as an MSP and also as a reseller partner for those customers who are not using your MSP services. Reselling Alliance Key Manager is governed by a different agreement. Contact us if you have a resale opportunity.

I need to have our legal team review your MSP agreements. How is this done?

Just contact us. We will send you a copy of the MSP license agreement for legal review. 

We would like to use a copy of the key manager for training and customer demos. How is this done?

We will gladly support your internal training and demo needs. We do this through special Not For Resale (NFR) licenses. All MSP and Reseller partners qualify for NFR licenses for our key manager. There is no charge for NFR licenses.

How do you handle special bids?

While we believe that the MSP program provides you with a lot of flexibility, we understand that special bids are sometimes needed. Contact us to discuss the special bid requirements. We work with our partners around special bids on a frequent basis.

Are volume discounts available?

Yes, if you have a very large number of VMs to encrypt and would like to pay in advance for those we have a discount program available. 

How can I get started?

This web page has information about our MSP partner program and a form to get started. Complete the form and we will get in touch with you:

https://townsendsecurity.com/msp

You can also contact us by email and phone:

Email: sales@townsendsecurity.com
Phone: (360) 359-4400
International: +1 360 359 4400

 

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

 

Encryption Key Management for VMware Cloud Providers

Topics: VMware, MSP

How Can an MSP Use Encryption Security to Improve Revenues and Profitability? [Part 7 of 8]

Posted by Patrick Townsend on Nov 9, 2020 11:19:00 AM

Almost everyone considers encryption a sunk cost. You almost never see any type of Return On Investment (ROI) calculation when it comes to Key Management Server (KMS) systems. Acquiring a KMS system usually falls into the Capital Expense financial category when it comes to budgeting.

Let me change your thinking about KMS systems!

VMware Cloud Providers & MSPs: Winning New Business with Encryption and Key Management Webinar Here is a simple financial calculation based on a fictional MSP business. Let’s assume that as an MSP you charge your end customer $50 per month per managed VM. If you are managing 50 VMs for your customer your gross revenue for that customer is $2,500 per month.

However, you have costs, too. Hardware, VMware licenses, IT experts, administrative costs, etc. Let’s just guess that this might add up to $1,250 per month, or half of the gross revenue. Your margin after direct costs might be $1,250. 

This example is probably extremely generous in terms of your gross margin. I suspect that your costs are probably higher and margins much lower. But let’s run with this example where gross margins are 50% of revenue.

Imagine that you become a Townsend Security MSP Partner and pay $5 per month per encrypted VM on a usage basis. You charge your customer $8 per month per encrypted VM netting $3 per month gross revenue per encrypted VM. The direct costs are very minimal. Your hardware and infrastructure costs are minimal. There are no minimum KMS license fees. There are no extra charges as you expand your use of the KMS. And very minimal IT Expert costs due to the encryption and KMS automation provided by VMware.

You probably just gained an additional $150 in gross margin from this customer. 

That represents a whopping 12% increase in overall gross margin! It is not often that adding one simple service to your business offering can net that much gross margin gain.

This is, of course, a very simplified example. However, I believe that many of our MSP partners are recognizing larger gains as they add VMware encryption to their set of offerings. One MSP partner told me that it is a “no-brainer” for the customer to sign up for the small additional cost per VM for encryption due to its low cost. You can have that experience, too.

 

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

 

Delivering Secure VMware Hosting with Encryption and Key Management

Topics: VMware, MSP

As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs? [Part 6 of 8]

Posted by Patrick Townsend on Nov 4, 2020 11:12:00 AM

Business continuity and resilience is at the heart of the value proposition MSPs provide to their customers. That means that the key management server (KMS) system at the center of VMware encryption must be able to provide real time recovery along with your service strategy. There are several components to a good high availability (HA) strategy, and these vary from one KMS solution to another. Here is how our Alliance Key Manager integrates with VMware to achieve high availability:

KMS Real Time Mirroring

Encryption & Key Management for VMware Cloud Providers Alliance Key Manager implements real-time, active-active key mirroring between a production and one or more high availability key servers. When VMware creates a new key on the KMS for an encrypted VM, that key is immediately mirrored by Alliance Key Manager to a high availability key server. Mirroring is done in real time so that you always have a KMS ready to take over. All transmission of encryption keys is performed over a TLS encrypted connection with mutual authentication, and you have the option to deploy a failover key server in a different vCenter environment.

vSphere KMS Cluster Configuration and Automatic KMS Failover

The purpose of the vSphere module called KMS Cluster is to define your key managers to VMware and to establish trust between vSphere and the key server. A KMS cluster is a list of key servers along with connection and credential information. Normally you would define two key servers in a KMS Cluster – one key server for production use and one key server for failover use. By default, the first entry in the KMS Cluster is the production key server, and failover key servers follow in the order that vSphere will use them. vSphere automatically connects to a failover key server in the event it cannot communicate with the production key server.

You are not limited to one KMS Cluster configuration. If you want to deploy a dedicated key manager for a particular customer you can create a new KMS Cluster configuration and define the dedicated key servers in this new configuration.

KMS Backup, Scheduled and On Demand

It is always a good idea to have a backup of your critical applications. Alliance Key Manager lets you define a schedule for automatic, secure backups. The backup server, usually a Linux instance running sFTP, can be located offsite.

Of course, you can always perform a manual backup on demand. This manual backup can go to a local directory on the key server and be downloaded by the administrator for secure offsite storage.

MSP Backup

Most MSPs offer a backup service to their end customers. Since Alliance Key Manager is a normal VMware virtual machine you can use your current backup strategy to back up the key server, too.

Disaster Recovery as a Service (DRaaS)

If you offer your customers a DRaaS service you can also offer them key management through the Townsend Security MSP partner program. You can deploy a key manager on the customer’s premises and mirror keys to your DRaaS service at your hosting site. 

VMware Monitoring

Lastly, we can’t forget that VMware offers a rich set of tools to monitor the health of VMs. You can use those tools to monitor the health of Alliance Key Manager, too. Your MSP license agreement allows you to install VMware Tools on the key manager server. 

In summary there are a number of layers of high availability built into the deployment of Alliance Key Manager. This will give you and your end customer a high level of confidence in the resilience of your encryption offering.

 

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

 

Encryption & Key Management for VMware Cloud Providers

Topics: VMware, MSP

Key Management Server (KMS) for Multiple vCenter Clusters and Nodes [Part 5 of 8]

Posted by Patrick Townsend on Nov 2, 2020 11:04:00 AM

We often get questions from MSPs about deploying our Alliance Key Manager solution across multiple vCenter nodes. Here is some good news for our MSP partners:

Multiple MSP Hosting or Cloud Locations

VMware Cloud Providers & MSPs - Win New Business Many MSPs operate multiple regional hosting centers. Even small MSPs will typically have two locations in order to support high availability and backup. Each physical location will have one or more vCenter servers. Multiple vCenter clusters are not uncommon at a single data center location. Global MSPs often have to work within a country’s data sovereignty laws. This means a data center in each designated country. This increases the number of key management servers (KMSs) that must be deployed.

Production and High availability Key Servers

Under the Townsend Security MSP partner program, there are no licensing restrictions and you can run as many KMS servers as you wish. This typically means running two key servers in each vCenter environment – one for production and one for high availability (HA) failover. Since the MSP partner program involves a usage based cost model, you can deploy as many KMS servers as you need. You only pay for the encrypted VMs and vSAN directories regardless of physical location and number of key servers.

Customer Dedicated Key Servers

You may find the occasional customer who doesn’t want to share a key server with other customers. VMware makes this easy to accomplish. You can just create a new KMS Cluster definition and add the new production and failover key servers to this configuration. The start encryption of VMs and vSAN for that end customer using this new KMS Cluster configuration. Voila! Since there is no licensing cost for deploying key servers this is a cost effective way of meeting this customer requirement. You just report this customer’s encrypted VMs and vSAN directories during normal monthly reporting.

On-premise to Hosted or Cloud vCenter Nodes

If you are managing an end customer’s on-premise IT infrastructure, you can also deploy Alliance Key Manager on-premise and mirror to a hosted or cloud vCenter node. This is especially helpful to MSPs who are providing Disaster Recover as a Service (DRaas). The production environment can be in the end customer’s data center and you can mirror encryption keys to an Alliance Key Manager failover key server in your own environment. This helps achieve seamless failover for your customer.

Customer Dedicated vCenter Nodes

It is also not uncommon for an MSP to dedicate a vCenter server to a specific customer. That customer may have heightened security concerns, or may not want to share infrastructure with other customers. There may be corporate governance and security restrictions that require this. Again, MSPs only pay for the number of encrypted VMs and vSAN directories, regardless of the number of vCenter clusters and how they are used, and regardless of physical location.

In summary, we provide our MSP partners with all of the flexibility they need to support current customers and attract new customers. VMware encryption is a core security control that your customers demand, and you now have the tools to meet the need.

 

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

 

Encryption Key Management for VMware Cloud Providers

Topics: VMware, MSP

How Does Townsend Security Help an MSP Overcome the KMS Challenge? [Part 4 of 8]

Posted by Patrick Townsend on Oct 28, 2020 9:12:00 AM

In this blog series we’ve put the focus on the MSP’s challenges. Now let’s talk about how we at Townsend Security are helping meet those challenges.

Two years ago Townsend Security treated its MSP customers the way most legacy KMS vendors do. That is, we were a part of the problem. Thanks to the coaching and mentoring of some MSP leaders, we came to understand the need for a new approach, and we launched our MSP partner program. 

Key elements of our MSP partner program:

VMware Cloud Providers & MSPs - Win New Business MSPs need confidence in the key management solutions they deploy. Townsend Security has been providing their Alliance Key Manager solution for VMWare for more than 10 years. Alliance Key Manager is certified by VMware for every release of vSphere and vSAN that support encryption, it is FIPS 140-2 compliant, and it is validated to PCI-DSS compliance.

The Townsend Security MSP partner program provides their key management server (KMS) to the MSP with no upfront license fees and no annual minimums. In fact, there is no perpetual or subscription license agreement at all, just a simple end user license agreement tailored for the MSP. The MSP gets training from Townsend Security and deploys the KMS into production. The cost of the solution is based on a low monthly charge per encrypted VM and vSAN directory. Just pay for what you use and nothing else. You can scale up and down your use of the KMS as needed. 

How many KMS servers can you deploy? As many as you want. You can share a KMS server across multiple customers, or deploy a dedicated KMS for a customer. You can deploy the KMS in your hosted environment, in the cloud (AWS, Azure, Google, IBM, etc.), and on the customer’s premises. No license or cost per KMS server, no restriction on the number of keys, no restriction on the number of encrypted VMs

Each month you will report the number of encrypted VMs and encrypted vSAN directories you are managing. Payment is also simple and is made electronically through ACH bank transfer, wire transfer, or credit card. 

Townsend security provides full 24/7 technical support for business interruption issues. There is no extra charge for software maintenance and support. 

It is not just all about technology. We also help you with marketing content, joint webinars, joint podcasts and security reviews. We understand that the typical MSP has a lot on their plate and does not need to spend time on deep security questions. We’ll help answer those tough customer questions about encryption and key management. 

We are committed to helping you be successful. We align with your business, service and revenue models. We will train your team. We will support your technical team. And we will help you with marketing support. Our goal is to lean in and help, and take risks with you. We want to be the KMS partner you’ve always wanted.

MSPs have told me that the current COVID crisis is impacting their business and revenue streams. They are losing some customers and revenue but are seeing increased demand from existing customers. Everyone seems to need more help from the experts. It’s a tough time for MSPs. Now is the time to migrate your existing KMS deployment to Alliance Key Manager and gain predictability and scalability in your KMS costs. It’s easy to do.

 

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

 

Encryption Key Management for VMware Cloud Providers

Topics: VMware, MSP

What are the Biggest Obstacles to Offering VMware Encryption to Customers? [Part 3 of 8]

Posted by Patrick Townsend on Oct 26, 2020 12:55:00 PM

MSPs fine tune their services to satisfy customers. You are the experts in configuring, deploying, monitoring and protecting the customer’s sensitive applications and digital assets. The services you offer are crucial to organizations large and small.

So why don’t MSPs lead by offering VMware encryption?

It often boils down to the Key Management Server (KMS).

VMware Cloud Providers & MSPs - Win New Business KMS vendors by and large are stuck on old and costly licensing models. It is not uncommon to find legacy KMS vendors charging in excess of $200,000 for an initial deployment in an MSP’s infrastructure. On top of that there are often additional charges as you do more encryption, and annual maintenance and support fees. This represents a major upfront investment by the MSP with no guarantee of realizing a positive return on that investment. This KMS pricing and licensing model almost assuredly locks out a small to midsize MSP.

Then there is the complexity of most KMS systems. The MSP may have to invest a lot of time and resources in learning how to configure, deploy, and maintain the KMS. An MSP needs technology to be simple. Why? The complexity of end customer systems means that the average MSP has to know dozens or even hundreds of hardware and software application systems well. When you factor in PC, Server, Web, and Remote support, the MSP is responsible for a massive knowledge base and trained internal staff. A complex KMS system is just sand in the gears and another headache. It should be better, and it can be better. 

KMS deployments can also be complex and not match the MSP business model. It is not uncommon for MSPs to charge their end customers a monthly fee based on the number of VMs and vSAN directories under management. When a KMS system requires handholding for each end customer, and uses a legacy pricing model with annual minimum payments and commitments, it becomes a nightmare for the MSP to realize a gain on encryption.

For all of these reasons many MSPs avoid encryption. It is understandable. Here is what one MSP told me before they learned how we approach the KMS need:

“You said the magic words of MSP and Low cost, consumption based! We’ve struggled to find a KMS solution we can properly price and sell to our customers to do VM encryption. Solutions like XXXXXX are prohibitively expensive. Your low cost per encrypted VM per month is very reasonable. I’m glad those MSP’s helped you understand our market and that you were able to see the opportunity. You NEED to be marketing this. You’re solving a problem that MSP’s a) don’t think they can afford to fix, and b) are just ignoring the compliance of because it’s “too hard and too expensive.” I highly encourage you to get the word out through marketing to MSP’s. Thank you, Patrick. You made my day.”

Sound familiar?

In the next blog I will describe how we are solving the KMS headache for MSPs. Not only can we make life easier, encryption can be a profit center for you without tipping over your business or putting you at a competitive disadvantage.

 

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

 

Encryption Key Management for VMware Cloud Providers

Topics: VMware, MSP

What Has VMware Done to Help with Encryption Security? [Part 2 of 8]

Posted by Patrick Townsend on Oct 21, 2020 12:15:00 PM

VMware has been very sensitive to the security needs of its Enterprise customers. They know that VMware infrastructure and applications are critical to an organization’s overall security. Network segmentation, access controls, monitoring and many other VMware applications help the MSP protect their customer’s applications and data. When it comes to encryption of sensitive data, VMware has your back, too!

VMware Cloud Providers & MSPs - Win New Business Encryption of VMs was introduced with vSphere 6.5. With this version you could easily select VMs that you want to be encrypted, and quickly and easily start encryption. The MSP VMware administrator can easily see which VMs are encrypted and which were not. Of course, the architecture fit right into the normal VMware architecture. vCenter, vSphere, ESXi all come into play during the implementation and maintenance of the encrypted state of the VMs. A real bonus is that the performance of encrypted VMs is stellar. MSPs rarely need to add additional resources to implement encryption of VMs.

Encryption of vSAN was introduced in vSAN 6.6. The implementation of encryption support is quite different than encryption of VMs, but the encryption key management interface is exactly the same (more on that below). vSAN encryption has been a boon to MSPs. Typically the MSP has relied on storage hardware encryption which often is less expensive, but harder to manage. And encryption key management is generally weak in hardware solutions. Using vSAN lets the MSP integrate the rich set of VMware applications and security. With vSAN encryption you get a flexible place to store commercial and open source databases, big data repositories, and much more. All encrypted efficiently by VMware.

Some MSP customers want to implement TPM to protect their application OS images. Hardware based TPM has many disadvantages in a VMware environment. However, VMware now supports virtual TPM (vTPM) which is much more flexible and resilient in VMware infrastructure. And the good news is that vTPM handles key management in the same was as vSphere encryption of VMs and vSAN encryption of directories. A big plus!

With all of this great support for encryption, how do we properly manage encryption keys? This is a core requirement of compliance regulations and security best practices. VMware handles this well. The key management configuration is provided by the vSphere KMS Cluster configuration. With KMS Cluster configuration you can configure your key management interfaces one time and all of the VMware encryption applications use this definition. And more good news – the interface to key management systems is based on the open OASIS Key Management Interoperability Protocol (KMIP). This means that you have a lot of flexibility and choice in your acquisition and deployment of a KMS for your encryption deployment. (We will talk more about our Alliance Key Manager solution in a following blog).

Key management systems are inherently complex, and the KMIP protocol is also complex. As an MSP you don’t have to deal with this complexity, VMware handles all of the technical implementation. To help VMware customers and partners understand which KMS systems work well with VMware, they make available a certification program for KMS vendors. A KMS vendor who implements the KMIP standard (we are one) can certify their solution for use with VMware. This really sets VMware apart from many infrastructure platform providers. They have made the certification process easy for KMS vendors and publish the results. This means the MSP has an easy way to determine if a key management system is compatible and reliable.

All VMware releases that support encryption also support encryption key management in the same way. This consistency from one release to the next means no disruption to the MSP operating environment after an upgrade, and assurance of the MSP investment in internal training and KMS investments.

Version 7 of VMware now supports a new encryption security interface called Trusted Authority, or vTA. The previous encryption interfaces are still fully supported, but now you have a new option for encryption and key management. vTA offers slightly different architecture and a higher level of security that some organizations need.

All of these features that VMware has implemented make it easy for the MSP to provide encryption support to end customers. In the next blog we will talk about the challenges MSPs face and how to overcome them.

 

[For More Reading]

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

 

Encryption Key Management for VMware Cloud Providers

Topics: VMware, MSP

Why Do MSP Customers Want Encryption of Their VMs and vSAN? [Part 1 of 8]

Posted by Patrick Townsend on Oct 19, 2020 1:15:00 PM

This is the first in a series of blogs on the topic of Managed Service Providers (MSPs) and VMware encryption. They are meant to be read in order as each blog topic builds on the previous topics, and leads to the next. 

Encryption & Key Management for VMware Cloud Providers As an MSP, I hope you will take this journey with me about VMware encryption, the technical and business challenges you are facing, how Townsend Security solves these challenges, and the surprising business benefit waiting for you when you offer your customers encryption under your MSP service umbrella. 

Here is the complete topic list:

  1. Why do MSP customers want encryption of their VMs and vSAN (this blog)
  2. What has VMware done to help with encryption security?
  3. What are the biggest obstacles to offering VMware encryption to customers?
  4. How does Townsend Security help an MSP overcome the KMS challenge?
  5. KMS for multiple vCenter clusters and nodes
  6. As an MSP how do I ensure high availability for encrypted VMs?
  7. How can an MSP use encryption security to improve revenues and profitability?
  8. Some common questions and how to get started with the Townsend Security MSP partner program

Customers of MSPs read almost daily about data breaches and ransomware attacks, and are rightly concerned about the security of their data under the control of the MSP. MSPs are usually the lead security provider for these customers and bring a great deal of expertise to the deployment of security solutions. Let’s explore the some of the concerns and motivations of the MSP end customer:

Regulations, regulations, and more regulations:

In addition to the fear of a data breach, customers are also concerned about regulations like the California Consumer Privacy Act (CCPA), the New York SHIELD Law, HIPAA, PCI-DSS, GDPR, and many others. No one wants to be subject to compliance actions and litigation due to a data breach. It is natural for a business or organization to turn to their MSP for assurance that their sensitive information is safe and security meets compliance regulations.

Business secrets and intellectual property:

In addition to the regulatory concerns, many small businesses and organizations are concerned about the compromise of business secrets and intellectual property. We now know that a number of state actors are aggressively attempting to steal this type of information. While business secrets and IP are a different category of sensitive information, the loss of this information can be devastating to a business or organization. It can take years to develop new ideas and move through the IP protection process. The compromise of this information can destroy the value of a company, and years of work by its employees and investors.

Reputational risk:

Lastly, the loss of any sensitive information can harm the reputation of an organization. If your value to an end customer involves managing aspects of their sensitive information, losing that information can cause irreparable damage to customer trust. We can all think of retailers, credit reporting agencies, government agencies, and many others who have had large data breaches. It affects consumer behavior and can exact a financial penalty for many years. No one wants to suffer reputational damage from a preventable data breach.

A data breach can be an existential event. According to Cybercrime Magazine about 60% of small companies close within 6 months of a data breach. This is an astoundingly high number. If you think about it, the surviving 40% of companies probably experienced a lot of distress recovering from the data breach. How much lost opportunity was there? 

For MSPs, the takeaway is that your customers are concerned about encryption to protect their sensitive data, business secrets, and look to you to provide solutions. How can MSPs turn that into actions that are based on security standards and which provide a justifiable business opportunity?

Stay tuned.

 


 

More Reading

Part 1: Why Do MSP Customers Want Encryption of Their VMs and vSAN?

Part 2: What Has VMware Done to Help with Encryption Security

Part 3: What are the Biggest Obstacles to Offering VMware Encryption to Customers

Part 4: How Does Townsend Security Help and MSP Overcome the KMS Challenge?

Part 5: KMS for Multiple vCenter Clusters and Nodes

Part 6: As an MSP, How Do I Ensure High Availability (HA) for Encrypted VMs?

Part 7: How Can an MSP Use Encryption Security to Improve Revenues and Profitability?

Part 8: Some Common Questions and How to Get Started with the Townsend Security MSP Partner Program

 

Encryption & Key Management for VMware Cloud Providers

Topics: VMware, MSP