
Townsend Security Data Privacy Blog

VMware and SQL Server Encryption

Posted by Michelle Larson on Dec 12, 2014 9:38:00 AM

Questions and Answers on Encryption and Key Management Projects

VMware® is hands-down the virtualization choice of large and small organizations, and it is easy to see why. Not only is it a highly reliable and scalable platform, VMware also provides a complete set of tools you need to deploy, manage, monitor, and protect virtual machines.

Earlier this month, Paul Taylor of Security Insider - Podcast Edition spoke with our founder, Patrick Townsend, about encrypting data on Microsoft SQL Server in VMware environments, the steps to encrypting data on SQL Server (with and without TDE), and Townsend Security’s Alliance Key Manager for VMware. Here are a few highlights (download the podcast for the whole conversation):

Paul Taylor: We’ve talked about the Townsend Security encryption and key management solutions for VMware. Today let’s put the focus on Microsoft SQL Server and encryption in the VMware customer environment. Can you give us an overview of how VMware customers can protect data in SQL Server databases?

Patrick Townsend: Just to recap, we really need two things to get encryption right: A key management solution to protect the critical encryption keys, and an encryption solution for the SQL Server database. And they have to talk to each other.

For the first part, our Alliance Key Manager for VMware solution provides a fully functional, enterprise key management solution that protects SQL Server databases as well as other databases and other operating systems.

For encrypting SQL Server, our Alliance Key Manager solution comes with a full Microsoft SQL Server Extensible Key Management Provider. We call this Key Connection for SQL Server and it is one of the modules that our key management customers receive without paying additional license fees. Key Connection for SQL Server provides the encryption and integration with our key server to provide a complete, end-to-end solution for encrypting data in the SQL Server database.

Paul Taylor: Can you talk a little about how Microsoft enables encryption in SQL Server?

Patrick Townsend: If you are running SQL Server Enterprise Edition or higher, you have access to Microsoft’s automatic, full database encryption facility called Transparent Data Encryption, or TDE. You also have access to Microsoft’s automatic, column level encryption facility which Microsoft calls Cell Level Encryption. Both of these options, TDE and Cell Level Encryption, are implemented without any programming work at all. And both are fully supported by Alliance Key Manager and the Key Connection for SQL Server software from Townsend Security.

Paul Taylor: What about Microsoft customers who aren’t using the Enterprise Edition of SQL Server? Can they encrypt their data with the Townsend Security solution?

Patrick Townsend: With SQL Server Standard and Web Editions we provide two paths to encrypt data. The first is to use SQL Views and Triggers along with our .NET DLL to provide automatic encryption without any changes to applications. And the second path is to modify your C# or Java applications to use our .NET DLL to perform encryption at the application level.

Both approaches leverage our Microsoft .NET DLLs to perform encryption with integrated key management. Both are very simple to implement. And there are no additional license fees to deploy and use our Microsoft .NET DLLs to accomplish this.

Paul Taylor: So, walk me through the steps for encrypting data in my SQL Server Enterprise Edition database. How difficult is it?

Patrick Townsend: Encrypting data in Enterprise SQL Server is really very easy. The first step is to install our Alliance Key Manager for VMware solution. It launches like any other virtual machine using the normal VMware applications and you can have a key management solution up and running very quickly.

The second step is to install the Key Connection for SQL Server application on the virtual machine running SQL Server in Windows. This is a normal install process with an MSI file. You answer some questions, install a certificate and private key in the Windows Certificate Store, and run a handful of commands to start SQL Server TDE encryption or Cell Level Encryption. You also restart the log file to be sure that it is encrypted as well. That’s about it.

Of course, you will want to follow the instructions on how to set up a high availability key server, and point your Key Connection for SQL Server configuration to it as failover. That is a normal configuration process and also very easy to do. We find that VMware customers can deploy SQL Server encryption very quickly.

Paul and Patrick also cover which versions of SQL Server are supported, the availability of Alliance Key Manager in other platforms (hint: it’s quite versatile), and our 30-day evaluation program (you can do a full proof-of-concept in your own environment at no charge). Be sure to download the podcast to hear the rest of their conversation:

Podcast: VMware and SQL Server Encryption

Topics: Data Security, Encryption, Security Insider Podcast, Encryption Key Management, VMware, SQL Server

VMware and SQL Server Encryption – We Can Do That

Posted by Patrick Townsend on Dec 2, 2014 9:44:00 AM

VMware is hands-down the virtualization choice of large and small organizations. And it is easy to see why. Not only is it a highly reliable and scalable platform, but VMware provides a complete set of tools you need to deploy, manage, monitor, and protect virtual machines. And did I mention that it totally rocks the scalability challenge?

Let’s look at how VMware customers who run Microsoft SQL Server applications can enable encryption and key management to protect sensitive data and meet compliance regulations.

First Step:

We have to solve the encryption key management challenge. As we like to say around here, the hardest part of security is encryption, and the hardest part of encryption is key management. We have to store the encryption keys separate from the protected data, and use industry standard practices to protect them. With our Alliance Key Manager for VMware solution we make this problem easy to solve. Our key manager comes in a ready-to-deploy OVA format and VMware customers can just launch the key manager with standard VMware tools. Of course, there are some security best practices on how to properly deploy a security application like a key manager in VMware (see the resources section below). With Alliance Key Manager’s Ready-To-Use options you can have your VMware key management problem solved in just SECONDS.

Of course, some of our VMware customers want to protect encryption keys in traditional Hardware Security Modules (HSMs). No problem, Alliance Key Manager can be deployed as a rack-mounted HSM or as a vCloud instance.

The Second Step:

Now we want to enable encryption in SQL Server and protect the encryption keys with Alliance Key Manager. Thanks to Microsoft’s Extensible Key Management (EKM) interface, this is incredibly easy. Alliance Key Manager comes with EKM Provider software that plugs right into SQL Server to enable encryption and protect your encryption keys. We call this our Key Connection for SQL Server application and it installs on your SQL Server VMware instance using a standard MSI install process. Key Connection for SQL Server runs in all SQL Server environments including VMware, hardware, vCloud, and cloud platforms so hybrid environments are fully supported. Install the credentials, select the SQL Server instances you want to protect, answer some questions, type a few commands and you have a fully protected SQL Server database using Transparent Data Encryption (TDE). Again, this takes just minutes to accomplish.

SQL Server also supports column level encryption, which Microsoft calls Cell Level Encryption. It can provide better performance for some SQL Server databases. Yes, that’s also supported through the same Key Connection for SQL Server software.

The beauty of the Microsoft EKM architecture is that you don’t need to modify your SQL Server applications to deploy encryption. Your DBA and security team can get your data protected very quickly without a development project. Anybody got budget for that these days?


Already encrypting SQL Server but aren’t protecting your encryption key? That’s easy – you can install Key Connection for SQL Server, issue a few commands, and the problem is solved!
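
As an added illustration (not Townsend Security's or this post's own commands), the generic Microsoft T-SQL sequence for TDE with an EKM provider looks like the following; it shows the database encryption key being wrapped by an asymmetric key that stays on the key server. The provider, credential, login, key and database names, the DLL path, and the identity/secret values are placeholders, and a vendor's installer may perform or vary some of these steps.

```sql
-- Added example: generic SQL Server EKM + TDE setup.
-- Every Example_* name, path, identity and secret below is a placeholder.

-- 1. Allow SQL Server to load EKM providers.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- 2. Register the vendor's EKM provider DLL (placeholder path).
CREATE CRYPTOGRAPHIC PROVIDER Example_EKM_Provider
    FROM FILE = 'C:\Path\To\VendorEkmProvider.dll';
GO

-- 3. Credential the DBA uses to reach the key server while setting up.
CREATE CREDENTIAL Example_EKM_AdminCred
    WITH IDENTITY = 'placeholder-identity',
         SECRET   = 'placeholder-secret'
    FOR CRYPTOGRAPHIC PROVIDER Example_EKM_Provider;
GO
ALTER LOGIN [EXAMPLE\dba] ADD CREDENTIAL Example_EKM_AdminCred;
GO

-- 4. In master, create a reference to a key that already exists on the
--    key server. Only the reference lives in SQL Server; the key-encrypting
--    key itself stays on the key manager, separate from the data.
USE master;
GO
CREATE ASYMMETRIC KEY Example_TDE_KEK
    FROM PROVIDER Example_EKM_Provider
    WITH PROVIDER_KEY_NAME = 'EXAMPLE_TDE_KEY',
         CREATION_DISPOSITION = OPEN_EXISTING;
GO

-- 5. The database engine needs its own login and credential so it can
--    open the key at startup. A credential maps to one login at a time,
--    hence the second credential.
CREATE CREDENTIAL Example_EKM_TdeCred
    WITH IDENTITY = 'placeholder-identity',
         SECRET   = 'placeholder-secret'
    FOR CRYPTOGRAPHIC PROVIDER Example_EKM_Provider;
GO
CREATE LOGIN Example_TDE_Login FROM ASYMMETRIC KEY Example_TDE_KEK;
GO
ALTER LOGIN Example_TDE_Login ADD CREDENTIAL Example_EKM_TdeCred;
GO

-- 6. Create the database encryption key (DEK), wrapped by the EKM key,
--    and turn TDE on.
USE ExampleDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY Example_TDE_KEK;
GO
ALTER DATABASE ExampleDb SET ENCRYPTION ON;
GO

-- 7. Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
--    encryptor_type should read ASYMMETRIC KEY, not CERTIFICATE, when the
--    DEK is protected through the EKM provider. tempdb is listed too once
--    any database on the instance is encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       encryptor_type,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
```

If the verification query shows `encryptor_type` as `CERTIFICATE`, the DEK is still protected by a certificate stored in `master` on the same server as the data, which is the "encrypting but not protecting the key" case described above.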

The Third Step:

What about high availability, business recovery, clustered configurations, and system logs? We’ve got all of that covered, too. Using the same Key Connection for SQL Server EKM Provider (did I mention that it’s free?) you can configure one or more secondary key servers that function as high availability failover servers for business recovery. Key Connection for SQL Server will automatically fail over to secondary key servers if the primary key server is unavailable.

Alliance Key Manager also fits nicely into your active monitoring strategy. You can easily enable forwarding of all key access, key management, encryption, and system activity logs to your log collection server or SIEM solution.

Celebrate Victory and Do It Again!

Alliance Key Manager protects Oracle, IBM, MySQL and other databases as well as web applications and unstructured data. You get to deploy one key management solution to protect everything. And do you know how much it will cost you to do your next project? Nothing, zilch, zed, nada! Alliance Key Manager does not force you to license and pay for client-side applications.


I’ll talk more in future posts about how to protect other databases and applications in VMware environments. Stay tuned if you run SharePoint, Microsoft CRM or ERP applications, Oracle, or open source databases like MySQL and SQLite.

How Much Better Can This Get?

You can evaluate Alliance Key Manager and Key Connection for SQL Server in your own VMware environment free of charge. Just visit our Alliance Key Manager for SQL Server page and request a free 30-day evaluation.

Encryption and key management? We can get this done right!


PCI SSC Virtualization Guidelines

VMware Solution Guide for Payment Card Industry (PCI)

Securing Alliance Key Manager for VMwar

Alliance Key Manager for VMware Solution Brief

Resource Kit: Encrypting Data on SQL Server



Topics: Alliance Key Manager, Encryption, VMware, SQL Server

How To Meet PCI DSS Compliance With VMware

Posted by Michelle Larson on Sep 25, 2014 3:12:00 PM

Take the right steps to meet compliance in a virtualized environment

With executives looking to conserve resources by moving their organizations’ databases and IT environments to virtualized platforms and to the cloud, there are concerns around virtualized environments. Security best practices and compliance regulations call for sensitive data to be protected with encryption and for data-encrypting keys (DEK) to be physically or logically separated from the sensitive data and protected with strong key-encrypting keys (KEK). Depending on what type of information is being stored and what industry guidance your project/company falls under, compliance regulations in addition to PCI DSS may apply.

The Payment Card Industry Data Security Standard (PCI DSS) is one of the most rigorous and specific sets of standards established to date and is used by many organizations as a standard to secure their systems. PCI DSS applies to all organizations that store, process, or transmit cardholder data, regardless of volume. This includes merchants, service providers, payment gateways, data centers, and outsourced service providers.

Here is a high level look at all twelve items that must be met in order to be compliant, with three new requirements in PCI DSS 3.0 (**) that warrant mentioning as being most relevant to the use of VMware and cloud technologies in a PCI-regulated infrastructure:

Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

(3.0) ** Req. 1.1.3: "[Maintain a] current diagram that shows all cardholder data flows across systems and networks."

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

(3.0) ** Req. 2.4: "Maintain an inventory of system components that are in scope for PCI DSS."

Protect Cardholder Data

Requirement 3: Protect stored cardholder data*

* Requirement 3 specifically addresses the need for encryption and key management, stating:

“Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.”

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Identify and authenticate access to system components

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel

(3.0) ** Req. 12.8.5: "Maintain information about which PCI DSS requirements are managed by each service provider and which are managed by the entity."

It can seem overwhelming at first, but the PCI Security Standards Council (PCI SSC) website contains this documentation along with a number of additional resources to assist organizations with their PCI DSS assessments and validations. Within the latest documentation by the PCI Security Standards Council (v3.0 released November 2013), specific testing procedures and guidance are given for Requirement 3 on pages 34-43.

Fortunately, there are also standards and published guidance on running payment applications in a virtualized environment:

Payment Card Industry Data Security Standard: Virtualization Guidelines and Cloud Computing Guidelines

NIST SP 800-144: Guidelines on Security and Privacy in Cloud Computing

Cloud Security Alliance: Security Guidance for Critical Areas of Focus in Cloud Computing

While virtual technology is not limited to VMware, it is one of the most commonly used and supported architectures by many cloud service providers. In addition to the PCI compliance and cloud guidelines above, VMware worked with CoalFire, a QSA auditing firm, to create guidance on how to specifically deploy payment applications in a VMware environment. You can access the CoalFire document from the VMware website here.

As platform virtualization becomes a more popular solution, executives need to remain vigilant with their data security and meeting compliance requirements. We can help make the transition to VMware easy with our Alliance Key Manager for VMware solution, which meets the PCI recommendations when deployed properly in a VMware environment. We are committed to helping businesses protect sensitive data with industry standard NIST compliant AES encryption and FIPS 140-2 compliant encryption key management solutions.

To learn more about enterprise key management for VMware and vCloud, download our podcast "Virtualized Encryption Key Management".

Podcast: Virtualized Encryption Key Management

Topics: Alliance Key Manager, PCI DSS, Encryption Key Management, VMware, Virtualized Encryption Key Management, Podcast, PCI, Cloud Security

Virtual Encryption Key Management - 5 Things to Look For

Posted by Liz Townsend on Jan 28, 2014 4:52:00 PM

Virtual encryption solutions are becoming more and more popular with organizations that are now running their applications and data centers on virtual machines and in the cloud. Although a traditional hardware security module (HSM) for key management may still be the most convenient encryption key management solution for some companies, a virtual encryption key management solution is ideal for companies who are moving to virtual machines and the cloud in order to reduce cost and complexity. Even in virtual and cloud environments, you must protect your sensitive data and manage your encryption keys in order to meet retail, healthcare, and financial regulations such as PCI-DSS, HIPAA/HITECH, and GLBA/FFIEC.

Listen to the Podcast on Key Management Options

Of course, choosing a virtual key management and cloud-based encryption vendor can be difficult. Heck--encryption key management has a reputation for being difficult in itself. That’s why when choosing a virtual encryption key management solution, it’s important to look for these five differentiating factors:

1. Free 30 day trial any time of the year. Any company who offers a free thirty day trial for only a limited period of time may not be giving you a chance. Sure, installing a virtual encryption key manager is faster and easier than deploying an HSM in your data center, but the backend decision making and evaluation in your company may take at least several weeks, if not months. Look for a virtual solution that you can deploy fast, but without the pressure of a limited trial, and when you’re ready.

2. Client side applications and SDKs. Every company’s IT infrastructure is different. One of the most frustrating aspects of adopting an encryption key management solution can be roadblocks associated with needing specialized solutions or software development kits (SDKs). Today many organizations utilize both a cloud solution as well as physical hardware. Your encryption key management vendor should provide you with resources to make securing these systems easy. Better yet, they should be free.

3. Help you move to any cloud service. The cloud is always growing. With so many different cloud vendors available to you, you’ll want the power to decide which cloud you choose to move to. Your virtual encryption key management vendor should be able to support your move to the cloud whether you decide to move to VMware’s vCloud, Windows Azure, or Amazon Web Services (AWS).

4. World-class, enterprise level encryption key management for businesses of any size. Cost should not be a barrier to security. Choosing a virtual encryption key management solution can be difficult, especially when you’re faced with a tight budget. You should always ask your potential encryption key management vendor about their pricing model--do they price per key manager instance as well as additional costs per connection? Can they scale their solution to meet your company’s needs?

5. Personal attention & world-class service. Bigger isn’t always better. In the complicated world of encryption and encryption key management, you want a vendor who can move fast, pay attention to detail, and be there for you in times of need.

Townsend Security offers NIST FIPS 140-2 compliant virtual encryption key management with the added bonus of specializing in scalable solutions to meet the needs of any size of company. Free 30 day trials have been and will always be available for all of our solutions during any time of the year.

Alliance Key Manager for VMware, vSphere, and vCloud, and Alliance Key Manager for Windows Azure provide full life-cycle management of encryption keys to help organizations meet PCI DSS, HIPAA, and FFIEC compliance in virtual and cloud instances.  With built-in key replication, key retrieval, and administrative controls, Alliance Key Manager virtual machine is a secure, reliable, and affordable key management solution for a wide variety of business applications and databases.  Additionally, Alliance Key Manager supports on-appliance encryption and decryption services so that your encryption key is always kept separate from the data it protects. We provide free client side applications and SDKs to make deployment faster and easier than ever.

Listen to the Podcast on Key Management Options

Topics: Encryption Key Management, VMware, Virtualized Encryption Key Management

7 Reasons Why Using VMware Makes Key Management Easier Than Ever

Posted by Liz Townsend on Jan 16, 2014 4:42:00 PM

Every business is trying to save money and reduce complexity in their IT departments, and many are accomplishing this today by using virtual machines such as VMware and moving to the cloud. With these technologies they can consolidate resources and “rent” space in the cloud to run their applications. However, this can be a dangerous move for businesses with applications and servers that contain sensitive information that must be protected under industry regulations such as PCI-DSS, GLBA/FFIEC, and HIPAA/HITECH. That’s why encrypting this data in virtual environments and in the cloud is critical.

However, businesses need to remember that encryption is only half of the solution. They must securely manage their encryption keys as well. How can they accomplish strong key management in a VMware instance, you ask? With virtual encryption key management, of course.

Virtual encryption key management is available to VMware users, and will make your decision to move to virtual environments easier than ever. If your concern over data security is preventing you from using a virtual environment, there are 7 reasons why choosing a virtual key manager can help you make that step.

1. Strong and defensible security in the virtual world - Encryption key management is required or strongly recommended by most industry regulations. This is because in today’s cyber environment, just using strong passwords and firewalls to deter hackers is not enough. Encrypting data at its source and using strong key management is the only way to prevent data loss and exposure. If a hacker or malicious user gains access to the encrypted data, and the keys are protected, then the data will be “scrambled” and useless to the intruder.

2. Less expensive - Virtual environments were designed to help businesses reduce costs and complexity by allowing them to run multiple operating systems on a single piece of hardware instead of having to buy a hardware system for each operating system. The cost of virtual key management is also lower since it has no hardware components and is installed directly onto the virtual platform.

3. Less complex - Without the burden of hardware, virtual encryption key management is easier to deploy than the traditional hardware security module (HSM).

4. Helps you meet compliance - If meeting compliance regulations is a concern, encryption key management for VMware will get you in line with several compliance requirements such as PCI-DSS and GLBA/FFIEC. You should always use NIST FIPS 140-2 compliant key management software to ensure your key management meets the highest standards.

5. Data protection where you need it - Every business’ IT environment is different. Even if you are moving to a virtualized environment for most of your applications, you may still want to run some databases and applications with very sensitive data on their own dedicated servers. If you choose to, you can manage your encryption keys for that data using the virtual key manager as well.

6. Virtual HA and failover - With virtual encryption key management you can choose to use virtual machines for your high availability (HA) and/or failover key managers as well. Of course you can always choose the option of using an HSM for these services as well.

7. Prepares you to move to the cloud -  The amazing thing about virtual environments is that once you have your data center running in them, moving them to the cloud is a piece of cake. In fact, VMware supports a direct move from VMware to vCloud. Many businesses with sensitive data opt for a private cloud option which offers a little more peace of mind; however, most cloud providers including public vCloud are acceptable if you are using encryption and strong key management to protect your data in the cloud!

Townsend Security’s Alliance Key Manager for VMware enables enterprises to lower operational costs, meet compliance requirements, deploy encryption key management in the cloud, and accelerate deployment of mission critical security technology through a virtualized encryption key manager. Alliance Key Manager for VMware supports VMware ESX, VMware vSphere (ESXi), and vCloud. Townsend Security is a VMware Technology Alliance Partner (TAP).

Request the Key Management Best Practices How-to-Guide

Topics: Encryption Key Management, VMware, Cloud Security

5 Critical Features to Look for in a VMware Encryption Key Manager

Posted by Liz Townsend on Aug 9, 2013 11:45:00 AM

Even though technology has evolved to reduce cost and complexity in our IT infrastructure through virtualization and cloud computing, these technologies have also introduced new concerns and complications around data security. The main reason security and IT professionals are so concerned about virtualization and the cloud is that these environments share resources. In a virtualized environment, a single application will share resources with every other application including RAM, disk storage, memory, and CPU. In a cloud environment, these same resources are shared amongst multiple users.

A fundamental fact to acknowledge if you’re using virtualized, hosted, or cloud services is that the companies who provide these services are not required to protect your data. In fact, you should never assume that they are doing just that. When it comes to meeting compliance regulations such as PCI, HIPAA/HITECH, or GLBA/FFIEC, the burden of compliance falls upon individual companies and organizations. If organizations want to meet compliance and protect their data from a data breach, they need a powerful, certified, and industry standard data protection strategy.

When it comes to protecting sensitive data such as credit card information, social security numbers, protected health information (PHI), and other personally identifiable information (PII), it is a recognized fact that only using network security protocols such as firewalls and strong passwords is not enough to protect data from outside intruders. The Payment Card Industry Security Standards Council (PCI-SSC) knows this, which is why they require the use of strong encryption and encryption key management to protect credit card data.

Once you realize this, then you should also consider your options when choosing an encryption key manager. An encryption key manager will generate and protect your encryption keys and should include these five critical features:

  1. Certifications. Is the encryption key manager NIST FIPS 140-2 validated? The National Institute of Standards and Technology (NIST) is a governmental organization that sets the highest standard for encryption and encryption key management. A FIPS 140-2 level compliance means that your key manager has been heavily tested and will stand up to scrutiny in the event of a data breach.
  2. Virtualization and Cloud Compatibility. Even if you haven’t moved to virtualized environments or the cloud, it is very likely that someday you’ll consider these options. You want to choose an encryption key manager that can securely protect your encryption keys “in-house,” and will move with you to virtualized environments or the cloud when you’re ready.
  3. A Key Manager that Uses Best Practices. Encryption key management best practices are not outrightly required by many compliance regulations, but they are critical to a successful data security strategy. Protocols such as dual control and separation of duties should be implemented in your encryption key manager as a part of its operability. This is the only way to truly protect data and protect yourself in the event of a data breach.
  4. Easy to Deploy. Encryption and key management has a reputation for being incredibly difficult. That may have been true ten years ago, but today encryption key management can be easy to deploy in your organization, depending on your provider. Keep in mind your vendor’s ability to deploy key management in multi-platform environments, in your own IT infrastructure as well as cloud and virtualized environments, if it’s easy enough to install and deploy yourself, and if your key management vendor provides supplemental code and encryption libraries free of charge.
  5. World Class Technical Support. Choosing an encryption key manager and deploying it is a big decision. Choose a key manager with a reputation for amazing technical support.

Townsend Security’s Alliance Key Manager for VMware now supports VMware and vCloud.

Podcast: Virtualized Encryption Key Management

Topics: Encryption Key Management, VMware, Virtualized Encryption Key Management

Encryption Key Management for VMware’s vCloud

Posted by Liz Townsend on Aug 1, 2013 9:57:00 AM

Three questions to ask yourself when choosing encryption key management for vCloud

Businesses are moving more and more data to the cloud, and in our world, more data floating around in the cloud means more concern about securing sensitive data. It is no surprise to anyone that a single business can process millions of pieces of sensitive data every day. From credit card numbers to social security numbers and protected health information (PHI), retail, financial, and healthcare organizations are processing this data in greater numbers than ever before.

Storing data in the cloud is one way businesses are conserving resources. Another way they are doing this is with platform virtualization. VMware is one of the most popular and widely used virtualization solutions currently used by enterprises. Alongside their virtualization software, VMware also supports the vCloud architecture that allows users to seamlessly move their workloads to a hosting or cloud vendor that supports this architecture.

Securing data in a virtualized environment introduces new security concerns, simply by the fact that applications processing sensitive data share resources such as memory, disk storage, and central processing units (CPU) with other applications on a physical machine. If a business decides to move their data to vCloud, this introduces even more concerns around the fact that a cloud environment shares these resources with other people and businesses as well.

Security professionals agree that security should be the number one concern for businesses moving data to the cloud. No one should ever assume that their cloud provider is protecting their data, especially if you need to meet compliance regulations such as PCI-DSS, GLBA/FFIEC, or HIPAA/HITECH. The only way to protect sensitive data in the cloud is by implementing a data security plan that includes strong encryption and encryption key management.

Townsend Security recently released Alliance Key Manager for VMware. This encryption key management solution is identical to our FIPS 140-2 compliant Alliance Key Manager hardware security module (HSM) for database encryption and is compatible with vCloud architecture to provide powerful data security for data in the cloud. This versatile instance of our encryption key manager works with any cloud or hosting provider that supports VMware vCloud architecture.

When choosing a third-party encryption key management provider to secure your data in vCloud, it is important to ask yourself these three questions:

1. Is it cost effective?
Businesses are looking towards simplified and scalable data storage solutions to reduce cost and conserve resources. Virtualization and cloud services serve businesses by providing cost-effective options for data storage and processing. Your encryption and key management should not thwart your goals to reduce cost and complexity in your business. You need solutions that will scale with your transition to virtualization and the cloud and that will work seamlessly in these environments. One of our fundamental beliefs is that budget should not be a barrier to good data security!

2. Will your encryption key management move with you to the cloud?
Not all businesses have moved to the cloud. However, as the cloud becomes more and more prevalent as well as cost effective, it’s important to keep in mind that you might decide to migrate to the cloud in the future. This migration can either be relatively simple or a huge headache depending on how cloud-compatible your software and hardware providers are. Choosing sophisticated solutions that are prepared to move with you to the cloud and will provide you with thorough technical support is critical to your success.

3. Will your key management prepare you for a breach?
In today’s data climate, a data breach for most businesses is no longer a matter of “if,” but, “when.” The only way to secure a breach, prevent data loss, and avoid data breach notification is by using strong, industry standard, and certified encryption and encryption key management. You’ll want your encryption key management solution to implement key management best practices that go above and beyond industry certifications. Certifications are often a low bar in data security, and implementing best practices will increase your security posture tremendously. Your encryption key management should be NIST FIPS 140-2 compliant if you want your data security to stand up to scrutiny in the event of a breach.

To learn more about enterprise key management for VMware and vCloud, download our podcast "Virtualized Encryption Key Management."

Podcast: Virtualized Encryption Key Management

Topics: Encryption Key Management, VMware, Virtualized Encryption Key Management

VMware and PCI DSS Compliance

Posted by Patrick Townsend on Jul 24, 2013 1:44:00 PM

Is your VMware Instance PCI DSS Compliant? Look to PCI and VMware for Guidance.

Platform virtualization is becoming a more and more popular solution for companies trying to conserve resources, and VMware is leading this transition as the most popular virtualization platform available. However, there are still many concerns around data security in virtualized environments. Naturally, many people are concerned about PCI compliance when running in a VMware environment. In this case, most of the questions about PCI compliance are in the context of the PCI Data Security Standard (PCI-DSS) and PCI Payment Application Data Security Standards (PA-DSS).

Fortunately, the PCI Security Standards Council (PCI-SSC) has already weighed in on this question and has published clear guidance on running payment applications in a virtualized environment. Version 2.0 of the document is available from the PCI website and directly accessible here.

Of course, this guidance does not mention VMware specifically. It is designed to address the issues related to any virtualization technology, such as Microsoft Hyper-V, Xen, and others. However, VMware is the de facto standard for virtualization in data centers and is deployed by many cloud service providers who support the vCloud architecture. So it is natural that there are many questions about PCI compliance with VMware.

First it should be said that anyone running VMware for their line of business applications should read the PCI guidance BEFORE they start to deploy applications that store or process payment transactions. The procedures you use to deploy business applications in a VMware context are almost certainly not going to meet PCI requirements. So, if you are thinking about doing this, take a deep breath and do some research first.

Fortunately, we have some good guidance from PCI as well as VMware on the topic of PCI compliance. VMware worked with CoalFire, a QSA auditing firm, to create guidance on how to deploy payment applications in a VMware environment. The document follows closely the PCI virtualization guidance, and will be an invaluable resource as you start your project. You can access the CoalFire document from the VMware website here.

With these two documents in hand, and with the guidance of your QSA auditor or security consultant, you can achieve good compliance with PCI recommendations.

PCI also offers guidance on running encryption key management solutions in a VMware context. There are some obvious points such as the recommendation that you NOT run your key management application in the same hardware and VMware hypervisor context. You will be glad to know that Townsend Security’s Alliance Key Manager for VMware solution meets the PCI recommendations when deployed properly in a VMware environment. We recently released our Alliance Key Manager solution as a VMware appliance, and we are committed to helping businesses achieve PCI compliance with industry standard encryption and encryption key management.


Topics: VMware, Virtualized Encryption Key Management

Simplified Encryption Key Management in Virtual Environments

Posted by Liz Townsend on Jul 22, 2013 2:38:00 PM

Businesses are virtualizing their IT infrastructure to save time and money and to make better use of the many other resources that often go unused in IT environments. Virtualization of data centers evolved from the basic principles of resource sharing used in hosting and cloud environments. Virtualization enables businesses to have more efficient data center operations. With multiple operating systems running on a single server, multiple applications can also run on that server, which in the long run allows a company to reduce the number of servers that they run and maintain.

However, virtualization introduces new security concerns for companies that must protect sensitive data. Because virtualization allows businesses to run multiple applications on the same server, the encryption of sensitive data must work in conjunction with the virtualization platform. Businesses such as retailers and banks that run payment and financial applications on virtualized operating systems must encrypt sensitive credit card and financial information on their virtualized platforms, which requires a specialized third-party security solution.

Previously, companies would encrypt data on a server-by-server basis, using a single key management server to securely provide encryption keys to multiple servers on the network. The new infrastructure that virtualization brings into play, however, requires a different approach to encryption key management. New security concerns, such as shared disk storage, network infrastructure, and processing CPU components, need to be addressed.

Townsend Security has addressed the concerns in a new version of our encryption key manager, Alliance Key Manager for VMware. Alliance Key Manager for VMware is a NIST and Payment Card Industry (PCI) compliant virtual instance, identical to our original Alliance Key Manager hardware security module (HSM) that is in use by over 3,000 customers worldwide.

Simplified and Cost Effective Data Security

If you’re trying to reduce costs by moving to virtualized environments, implementing powerful data security that helps you meet compliance regulations doesn’t have to negate those efforts. Just like you choose virtualization to reduce costs in the long run, you can choose an encryption and key management solution that does the same, at a lower upfront cost. Townsend Security’s Alliance Key Manager for VMware is a specialized version of our key manager that allows you to encrypt data and securely manage encryption keys in a virtualized environment.

Alliance Key Manager for VMware manages encryption keys throughout the key lifecycle from the generation of those keys to their activation and use all the way through to retirement and deletion of keys.

Meet Compliance Regulations

By themselves, applications running VMware aren’t PCI compliant. Companies using VMware to reduce costs and consolidate their IT infrastructure still need to take responsibility for their own PCI compliance. Thankfully, VMware has made achieving PCI compliance through third-party security solutions easy with open architecture and standard APIs. VMware also recognizes the need for security in virtualized environments and has gone so far as to team up with CoalFire, a QSA auditing firm, to publish guidelines for achieving PCI compliance in a virtual environment.

Many people believe that their hosting company is protecting their sensitive data. In actuality, it is never safe to assume your hosting company is doing this. Individuals and companies are responsible for protecting their own sensitive data. If you’re hosting in a virtualized environment, there are some hosting companies who have passed an infrastructure certification for compliance regulations, but they are few and far between. In order to achieve compliance, businesses must review PCI standards and implement data security controls such as encryption and key management.

Alliance Key Manager for VMware works in vCloud as well as any hosted environment that supports vCloud. If you are moving your virtualized environment to the cloud, Alliance Key Manager for VMware will support this migration and can provide you with powerful encryption key management for the cloud.

Topics: Encryption Key Management, VMware, Virtualized Encryption Key Management
