Townsend Security Data Privacy Blog

Townsend Security and Alliance Key Manager Achieves VMware Ready™ Status

Posted by Luke Probasco on Jan 22, 2019 12:01:00 AM

Townsend Security, today announced that its Alliance Key Manager for VMware has achieved VMware Ready status. This designation indicates that after a detailed validation process Alliance Key Manager for VMware has achieved VMware’s highest level of endorsement and is supported on VMware ESXi  (all supported versions, vSphere 6.5 and later, and vSAN 6.6 and later) for production environments.

Encryption and Key Management for VMware - Definitive Guide “We are pleased that Townsend Security and Alliance Key Manager for VMware qualifies for the VMware Ready logo, signifying to customers that it has met specific VMware interoperability standards and works effectively with VMware cloud infrastructure. This signifies to customers that Alliance Key Manager for VMware can be deployed in production environments with confidence and can speed time to value within customer environments,” said Kristen Edwards, director, Technology Alliance Partner Program, VMware.

By using Alliance Key Manager for VMware with VMware ESXi (all supported versions, vSphere 6.5 and later, and vSAN 6.6 and later) organizations can centrally manage their encryption keys with an affordable FIPS 140-2 compliant encryption key manager. Further, they can use native vSphere and vSAN encryption to protect VMware images and digital assets at no additional cost. VMware customers can deploy multiple, redundant key servers as a part of the KMS Cluster configuration for maximum resilience and high availability.

“By achieving VMware Ready status with Alliance Key Manager for VMware, Townsend Security has been able to work with VMware to bring affordable encryption key management to VMware customers and the many databases and applications they run in VMware,” said Patrick Townsend, CEO of Townsend Security. “Meeting data security compliance in VMware vSphere is now easier than ever.”

The VMware Ready program is a co-branding benefit of the Technology Alliance Partner (TAP) program that makes it easy for customers to identify partner products certified to work with VMware cloud infrastructure. Customers can use these products and solutions to lower project risks and realize cost savings over custom built solutions. With thousands of members worldwide, the VMware TAP program includes best-of-breed technology partners with the shared commitment to bring the best expertise and business solution for each unique customer need.

Townsend Security and Alliance Key Manager for VMware can be found within the online VMware Solution Exchange (VSX) at https://tsec.io/VMwareReadyPR. The VMware Solution Exchange is an online marketplace where VMware partners and developers can publish rich marketing content and downloadable software for our customers.

VMware, VSXi, vSphere, vSAN and VMware Ready are registered trademarks or trademarks of VMware, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

New call-to-action

Topics: Encryption Key Management, VMware, Press Release, vSphere, vSAN

VMware Encryption: Protecting Data in vSphere & vSAN

Posted by Luke Probasco on Sep 28, 2018 2:35:36 PM

VMware allows customers to use native vSphere and vSAN encryption to protect VMware images and digital assets.  But as we know, to truly protect private data, encryption keys must also be properly stored and managed. I recently sat down with Patrick Townsend, Founder and CEO of Townsend Security, to talk about vSphere and vSAN encryption, deploying multiple, redundant key servers as a part of the KMS Cluster configuration for maximum resilience and high availability, as well as meeting compliance regulations and security best practices for your organization.  Additionally, we talked about Alliance Key Manager for VMware and how it is helping businesses protect their sensitive data.

Podcast: Protecting Data with vSphere & vSAN Encryption

VMware virtualization has been a game-changing technology for IT, providing efficiencies and capabilities that have previously been impossible for organizations constrained within a traditional IT data center world.

It is really great to see VMware, as a company, stepping up to embrace encryption for vSphere and vSAN.  Introduced in vSphere 6.5 and vSAN version 6.6, encryption allows users to protect data at rest. Additionally, there is a really great key management interface, which provides an excellent path to store and manage keys.  While these versions have been out for a while, many customers are just now getting around to upgrading and can take advantage of VMware's native encryption. With VMware, organizations are able to reduce hardware costs, lower operational cost, and provides a clear a path to move to the cloud. With the addition of encryption, you can deploy secure environments where there is less risk of data loss in the event of a breach.

Let’s dive in a little more and talk about vSphere and vSAN encryption.  Can you walk me through how an organization might deploy encryption and key management?

Sure. I think in a typical VMware environment, organizations are already doing some encryption in their applications.  For example, they may be running Microsoft SQL Server in a VM and using Transparent Data Encryption (TDE) to protect the data.  With the new facilities, you now get the ability to encrypt right in the VMware infrastructure itself. There is one thing that I think VMware did really well, and they have proven this over and over again, is that they have laid out a certification process for key management vendors, which gives VMware customers confidence that they are purchasing and deploying a solution that has been vetted by VMware themselves.  Our Alliance Key Manager, for example, has been certified for:

In terms of deploying key management, it is easy. We recommend using both a production key server and a failover key server. vSphere supports KMS cluster configurations which allow you to have a resilient encryption and key management architecture.  Aside from just being a security best practice, we are seeing our customers deploy two servers because they never want to lose access to their encrypted data. The servers synchronize in real-time and have automatic failover capabilities.

VMware-Encryption-Flowchart

You can’t talk about key management without talking about compliance.  Whether it is PCI DSS, GDPR, or state and federal privacy laws, who doesn’t fall under compliance these days?

Yes, good question.  That is probably a very short list these days.  When you look at all the existing compliance regulations around the world, including the new GDPR, you realize that everyone falls under some compliance regulation, and most of us fall under multiple regulations.  Enterprises, big and small, public and private, fall under the same compliance regulations. Additionally, I have heard more from privately held companies that they think they are exempt - which is not true.

So you are correct.  Compliance regulations are driving a lot of uptake in encryption and I would say that lately GDPR is driving the most interest.  If you look at Article 32 and related recitals, the requirement to protect a data subjects information, there is a clear call for encryption. GDPR has put a new focus on the need to protect private data, as well as to take a broad view at what should be considered sensitive data.  It is not just a credit card number or social security number. Information like a phone number or email address can be considered sensitive data.

How is your Alliance Key Manager helping VMware users protect their private data?

Well, we have been helping VMware customers for a number of years  who are encrypting at the application level. Our Alliance Key Manager for VMware runs as a virtual software appliance and is binarily the same as our hardware security module (HSM). What is new, is that VMware opened the vSphere and vSAN and products to support encryption key management. Now VMware users can leverage the same key management solution for both application and VMware infrastructure encryption.

People often ask us, “How is your key manager different than your competitors”?  One thing that makes us stand out is that we are very diligent about meeting compliance requirements (PCI DSS, GDPR, HIPAA, etc.) and industry standards (FIPS 140-2, KMIP, etc.). Years ago, when we partnered with VMware, one of the first things we did was work with VMware and a QSA auditor to achieve a PCI compliance statement.  Customers can now be assured that when they deploy our Alliance Key Manager in VMware that they are meeting PCI compliance.

What else do VMware customers need to know about Alliance Key Manager for VMware?

Alliance Key Manager is a mature product that has been on the market for more than 10 years. It uses the same software that runs inside our Hardware Security Module (HSM), so customers can be confident that they are running exactly the same key management software that is FIPS 140-2 compliant and in use by over 3,000 customers worldwide.  Additionally, the security posture that the key manager allows, as well as the reference architecture that VMware provides, really gives VMware customers a road map to doing a secure installation.

The other thing that I think a lot of people might not realize is, that when they deploy Alliance Key Manager, they have our entire library of client side applications, SDKs, and sample code available to them.  For example, we have a Microsoft SQL Server TDE encryption component, support for MongoDB via KMIP, and sample SDKs for languages like Java, PHP, Python, etc. All of that comes along with the key manager and makes it easy to address security requirements.

Finally, I’d like to mention our partnership with VMware.  We are diligent about maintaining our certifications with Alliance Key Manager.  Doing this brings a level of confidence to the product for our customers. Prior to starting an encryption project they may be a little leery of key management because they have heard that it may be complicated.  That was true in the past. In fact, today it is actually extremely simple to deploy. Another barrier that we have knocked down is the scalability issue. Our solution works across multiple platforms - AWS, Azure, VMware or as an HSM.  They all talk to each other, and if one goes down, another will automatically fail over. That gives VMware customers the ability to be extremely flexible about how they deploy key management. It is not uncommon that our customers will deploy an application in the cloud, deploy a key manager in AWS, and then mirror those keys back to their on-premise VMware infrastructure. All of this is really straightforward and simple to deploy.

To hear this conversation in its entirety, download our podcast Protecting Data with vSphere & vSAN Encryption and hear Patrick Townsend further discuss protecting data in vSphere and vSAN with encryption and key management.

Evaluation: Alliance Key Manager for VMware

Topics: Encryption, VMware, vSphere, vSAN

Townsend Security Extends Alliance Key Manager to Support vSphere Encryption of VM Images and vSAN

Posted by Luke Probasco on Sep 14, 2018 8:06:28 AM

VMware users can now protect VM Images and vSAN with Alliance Key Manager, Townsend Security’s FIPS 140-2 compliant encryption key manager.

New Call-to-action Townsend Security is excited to announce that its new version of Alliance Key Manager fully supports VMware vSphere encryption for both VMware virtual machines (VMs) and for VMware Virtual Disk (vDisk). VMware users have been using Alliance Key Manager to protect data in application databases and applications to meet PCI DSS, GDPR, HIPAA compliance as well as other data privacy regulations. Now VMware users can use the same Alliance Key Manager solution with vSphere to protect virtual machines and virtual disks. Townsend Security is a VMware Technology Alliance Partner (TAP) and Alliance Key Manager for VMware has achieved VMware Ready status.  

“Our customers have been using Alliance Key Manager to protect data in Microsoft SQL Server, MongoDB and other environments for many years. Now VMware users can have confidence that Alliance Key Manager can also protect VMware virtual machines and virtual disk to achieve the highest level of data-at-rest protection,” said Patrick Townsend, CEO of Townsend Security. “VMware users are looking for certified solutions that support their complex Windows and Linux environments without the need to deploy additional hardware-based HSMs. We are happy to announce this extension of our key management solution to help VMware vSphere users achieve a high level of data protection.”

VMware users are looking for affordable solutions that provably meet compliance regulations and which fit their budget and deployment goals. Alliance Key Manager meets this goal by providing NIST FIPS 140-2 compliance, PCI-DSS certification, and Key Management Interoperability Protocol (KMIP) compliance out of the box. Existing Alliance Key Manager customers can upgrade at no cost to extend their data protection compliance requirements to vSphere. New customers can deploy Alliance Key Manager without the fear of increased, unplanned licensing costs in the future.

In addition to PCI DSS, compliance regulations such as the European Union General Data Protection Regulation (GDPR), the HIPAA data security regulation, and many other data protection regulations, require the encryption of data at rest. Alliance Key Manager combined with vSphere encryption are the protection methods  to help you meet these regulatory requirements. “Don’t be fooled by vague language in the GDPR regulation. You must act to protect sensitive information of individuals in order to meet this regulatory requirement. You should act now to protect your organization,” said Townsend.

Alliance Key Manager for VMware is available for a free 30-day evaluation.

VMware-vSphere-Encryption

 

VMware Encryption eBook

Topics: Alliance Key Manager, VMware, Press Release

IBM SoftLayer, VMware and Getting to the Secure Cloud

Posted by Patrick Townsend on Aug 1, 2016 8:27:33 AM

VMware customers have experienced some frustration around cloud migrations for quite some time. While VMware has attempted to provide a path to the cloud through their vCloud strategy, substantial barriers have made the migration difficult to achieve. While VMware customers have achieved substantial cost and efficiency savings through VMware technologies, they have largely not been able to extend these benefit through cloud migrations. The new IBM and VMware partnership is changing this.

Encrypting Data in IBM SoftLayer There are two aspects of the partnership that make this very different than other cloud offerings for VMware:

  • IBM will create dedicated cloud resources for VMware customers who migrate, essentially creating a private cloud platform. This will alleviate many of the concerns of Enterprise customers about the security of their cloud migration.
  • IBM has negotiated great pricing for VMware applications on the IBM SoftLayer cloud. This will let VMware customers experience an immediate ROI on the cloud migration.

VMware customers have invested a great deal in the architecture and administration of their VMware environments. VMware applications let customers create secure segmented networks, apply security and access controls, monitor the status of their applications, automate business recovery operations, and perform an number of other administrative functions in a coherent and cost-effective manner. Finding a way to the cloud that leverages benefits is crucial for the VMware customer.

I think IBM has found the right path for these customers.

IBM is not the first to attempt to address the needs of the VMware customer. Rackspace and others have cloud migration plans and have been working with VMware customers. But I think IBM SoftLayer has solved some problems that will open the path to VMware in the cloud.

One of the remaining challenges for VMware customers is to get their third-party application and security vendors to embrace this move to the cloud. While the IBM VMware offering is a true native VMware implementation that will reduce the technical issues, software vendors need to be explicit about their support for solutions deployed on a cloud platform. VMware customers can find it confusing and frustrating to get clear statements of support from vendors.

At Townsend Security we are trying to support our customers migrating our products in VMware to the IBM SoftLayer cloud. Our Alliance Key Manager and related encryption products are already validated for deployment in VMware. And we’ve extended our support for the VMware platform by validating our encryption and key management to the PCI Data Security Standard. We now also support the migration or deployment of our solutions in the IBM SoftLayer cloud. This gives IBM SoftLayer customers the confidence of moving their encryption security infrastructure to the IBM SoftLayer platform.

It has been amazing how the PCI-DSS validation of our solutions in VMware have helped VMware customers meet PCI requirements. VMware deserves a lot of credit for creating a formal program for PCI validation on a well-defined VMware reference architecture. Working with Coalfire, a security auditing firm, we were able to very quickly certify our encryption and key management solutions to the PCI-DSS standard. This has helped multiple customers quickly move through the compliance challenge and this applies to the IBM SoftLayer platform, too. Because IBM SoftLayer retains the dedicated resources for the customer, compliance will be easy to achieve.

IBM and VMware have created a great path to the cloud for VMware customers. I know that many challenges will remain for customers with more complex VMware architectures, especially with hybrid environments. But I think the path to the cloud just got a bit straighter and easier.

Patrick

Encrypting

Topics: VMware, Cloud Security

PCI DSS Requirements 3

Posted by Luke Probasco on Jul 22, 2015 12:52:00 PM

NIck Trenc - CoalfireThis is a guest blog by Nick Trenc, CISSP, QSA, PA-QSA, VCP.  Nick is an IT Security Architect at Coalfire Labs.


For those protecting the front lines of our credit card data in merchant environments, few other things keep those in charge (as well as IT administrators) awake at night than the threat of a breach. Questions often arise along the lines of: Will my company be able to survive? What can I do to protect myself? How do I prevent my company from being next? And how do I limit any losses should it happen to us?

VMware Encryption Key Management PCI One of the key components to the protection of cardholder data at any merchant location is the use of strong cryptography along with just-as-strong cryptographic key management procedures. PCI DSS Requirement 3 outlines what the PCI council believes to be the baseline for strong cryptographic key management procedures and is a key element of any PCI DSS audit.

Successful key management with a strong cryptographic algorithm is the best place to start with getting encryption of your cardholder data correctly protected while it is contained within your environment. But key management can be confusing, difficult and downright impossible depending on the size of your environment. Figuring out if your keys are strong enough, or if they are rotated often enough or if they are protected from would-be hackers. On top of that, figure in the ever-increasing complexity of today’s business systems to include cloud, virtual computing, data mining, and others, the ability to quickly and easy manage encryption keys across several platforms and environments becomes key for PCI DSS compliance.

This is where a tool like Townsend Security's Alliance Key Manager (AKM) comes in to play. Available as a physical hardware security module (HSM), a cloud HSM, a virtual appliance (VMware) or in the cloud (AWS, Azure), Alliance Key Manager can help merchants meet PCI DSS requirements for encryption key management by creating, managing, and distributing AES 128-bit, 192-bit or 256-bit encryption keys all without the risks involved with clear-text key administration.

As a QSA, it is certainly encouraging to see a complete encryption solution that removes some of the worries of traditional manual clear-text key management procedures. AKM can relieve pressure to meet portions of PCI DSS Requirement 3 such as the need to render Personal Account Numbers (PAN) unreadable using strong cryptography with associated key-management processes and procedures (PCI DSS 3.4). It directly meets PCI DSS Requirement 3.5.2 to store keys within a secure cryptographic devices such as a HSM along with additional encryption requirements such as 3.6.2 – Secure Key Distribution, and 3.6.3 – Secure Key Storage. In addition, AKM can make PCI DSS Requirements 3.6.6 for Split Knowledge and Dual Control not applicable as there are no manual key-management operations involved. This (virtual) device is a useful cost-effective tool to help meet your PCI DSS compliance.

For more information on using AKM to meet PCI DSS compliance specifically within a virtual environment (but also applicable to most environments), please see the VMware Product Applicability Guide for PCI DSS 3.0 published by Coalfire Systems with collaboration with Townsend Security and VMware.

VMware Encryption Key Management PCI DSS

Topics: Alliance Key Manager, VMware

Overcome Security Challenges with Your VMware Environment

Posted by Michelle Larson on Apr 15, 2015 10:29:00 AM

Prioritize Your Data Security Plan and Encryption Strategy

New Call-to-action Many businesses migrating to VMware environments are storing or processing credit card numbers, financial information, health care data, and other personally identifiable information (PII) in a virtual, shared environment. How does an organization meet industry data security requirements and prevent unwanted access to sensitive data?

In order to achieve a comprehensive data security plan in a VMware environment, organizations should consider the following steps:

Take Inventory of Your Sensitive Data

Every data security project should start by making an inventory of sensitive data in your IT environment. If you do not know where to start, first consider the compliance regulations you fall under. For example, do you process credit cards? If so, you must locate and encrypt primary account numbers (PAN), expiration date, cardholder name, and service codes where they are processed, transmitted, or stored in order to meet PCI compliance. If your company is a financial institution, include Non-Public Information (NPI) about consumers, and if you are in the medical segment, you must also locate all Protected Health Information (PHI) for patients. Finally, locate all data that is considered Personally Identifiable Information (PII) which is any information that can uniquely identify an individual (social security number, phone number, email address, etc.). Business plans, computer source code, and other digital assets should make the list, too.

Once you have a list of the kinds of information that you should protect, find and document the places this information is stored. This will include databases in your virtual machines, unstructured data in content management systems, log files, and everywhere else sensitive data comes to rest or can be found in the clear.

After you have a full inventory of your sensitive data, prioritize your plan of attack to secure that information with encryption and protect your encryption keys with a key management solution. The most sensitive information, such as credit card numbers, medical or financial data, is more valuable to cyber criminals and should be encrypted first. Creating this map of where your sensitive data resides and prioritizing which data to encrypt is not only a requirement for many compliance regulations, but will help to focus your resources as well.  

What to do:

  • Define sensitive data for your organization.
  • Using manual and automated procedures, make an inventory of all of the places you process and store sensitive data.
  • Create a prioritized plan on how you will encrypt the sensitive information affected by compliance regulations.

Implement Encryption and Encryption Key Management

While encryption is critical to protecting data, it is only half of the equation. Your key management solution will determine how effective your data security strategy ultimately is. When encrypting information in your applications and databases, it is crucial to protect encryption keys from loss. Storing encryption keys with the data they protect, or using non-standard methods of key storage, will not protect you in the event of a data breach.

For businesses who are already encrypting data, the most common cause of an audit failure is improper storage and protection of the encryption keys. Doing encryption key management right is often the hardest part of securing data. For this reason, it is paramount to choose a key management solution that is compliant and tested against the highest standards:

  • Your VMware key management solution should be based on FIPS 140-2 compliant key management software (find out if your key management vendor offers FIPS 140-2 compliant key management on the NIST website look it up on the NIST web site.
  • A key management solution should also conform to the industry standard Key Management Interoperability Protocol (KMIP) as published by OASIS. Ask for the KMIP Interoperability Report from the KMIP testing process.

Encrypting sensitive data on your virtual machine protects your data at the source, and is the only way to definitively prevent unwanted access to sensitive data. With VMware environments, businesses that need to protect sensitive data can use encryption and encryption key management to secure data, comply with industry security standards, protect against data loss, and help prevent data breaches.

What to look for:

  • Use industry standard encryption algorithms such as AES to protect your sensitive data. Avoid non-standard encryption methods.
  • Your encryption solution should support installation in any application workgroup that you define for your trusted applications. Be sure your encryption vendor explains any limitations in the VMware deployment.
  • Your encryption key management solution should support deployment in a separate VMware security workgroup. Ideally, the key management solution will include internal firewall support to complement the VMware virtual firewall implementation.
  • Your key management solution is a critical part of your VMware security implementation. It should support active collection and monitoring of audit logs and operating system logs. These logs should integrate with your log collection and SIEM active monitoring systems.

As your IT environment evolves, make sure your key management evolves with you. In addition to support for VMware, be sure your key management solution is available as a hardware security module (HSM), as a Cloud HSM subscription, and as a native cloud application on major cloud service provider platforms such as Amazon Web Services and Microsoft Azure. Even if you do not have these non-VMware platforms today, it is important to consider that the evolution of your IT infrastructure is inevitable. The encryption and key management solutions you deploy today in your VMware data center should be prepared to move to cloud or hosted platforms quickly and seamlessly. A merger, acquisition, rapid growth, competitive challenges, and technology advances can force the need to migrate your solutions to new platforms.

For more detailed information, check out our eBook on VMware Encryption – 9 Critical Components of a Defensible Encryption Strategy:

VMware Encryption eBook

Topics: Alliance Key Manager, Data Security, eBook, Encryption Key Management, VMware

Understanding Encryption and Key Management for VMware

Posted by Michelle Larson on Apr 3, 2015 11:33:00 AM

How to implement solutions that are based on compliance standards and meet security best practices.

As more and more Enterprise businesses move into virtual and cloud environments, they face challenges and security issues in these multi-tenancy situations. VMware customers benefit from the many operational and cost efficiencies provided by VMware virtualization technologies both in traditional IT infrastructure and in cloud environments. VMware Resource Kit for Encryption and Key Management As VMware customers deploy data encryption solutions as a part of their defense-in-depth strategy, the need for compliant encryption key management can present barriers to a good encryption implementation. It is possible to deploy a proper encryption key management solution within the VMware infrastructure without the need for traditional hardware security modules (HSMs) when this approach is appropriate to the security needs of the organization.

Here is some high level guidance on how to deploy and protect a solid encryption and key management solution for VMware within your virtual or cloud environment. While these recommendations are general in nature (actual VMware deployments will use different VMware applications and architectures to meet specific user, application, and security needs) they can provide a good roadmap.

Seven General VMware Recommendations

1. Identify and Document Trusted and Un-Trusted Applications

Properly identifying application groups based on the level of trust is critical for a secure implementation of virtualized applications and encryption key management services. Create and isolate a management cluster for your core VMware applications such as vSphere, vShield, etc. Identify application groups and their associated level of trust, and isolate applications into appropriate workgroups. Avoid mixing trusted and untrusted applications in a workgroup.

You should consider creating a security workgroup to contain your third party security applications such as encryption key management, authentication services, active directory, system logging, and other applications whose primary function is to assist in securing your applications in your VMware environment.

In preparation for properly securing these environments, create an inventory of all Virtual Machines managed in each workgroup. For each workgroup and virtual machine, identify the security controls that will be required for each one (network segmentation, storage segmentation, system logging, active monitoring, etc.). VMware flow tools can assist with this documentation.

2. Restrict Physical Access

Fundamental to all IT security implementations is proper security of the physical environment. This means proper physical security controls and physical monitoring of the data center as well as good auditing and procedural controls. These physical controls should also apply to access of VMware management and security applications. You can look to the PCI Data Security Standards and guidance for information on appropriate physical controls. You can also refer to standard security guidance in SOC 2 and SOC 3 assessments for information on physical controls. When deploying on a cloud platform it is always a good idea to ask the Cloud Security Provider (CSP) for a copy of the PCI letter of attestation, or an SOC 2 / SOC 3 report.

3. Isolate Security Functions

Because security applications are often a target of cyber-criminals, you should isolate them into their own security workgroup and implement the highest level of VMware security. Only trusted VMware administrators should have access rights to the encryption key management solution, system logs, and audit reports. Be sure to actively monitor access to and use of all encryption key management, key retrieval, and encryption services.

4. Change VMware Default Passwords

Review all VMware applications used to secure and manage your VMware environment and change the default passwords as recommended by VMware. The failure to change default passwords is one of the most common causes of security breaches.

5. Implement Network Segmentation

Network segmentation is easy to accomplish with VMware network management and security applications and you should implement network segmentation to isolate applications that process sensitive information from applications that do not require as high a level of trust. Additionally, you should provide network segmentation for all third party security applications such as your encryption and key management solution. Network segmentation should include all high availability and business recovery infrastructure. Do not rely on virtual network segmentation alone; use firewalls that are capable of properly securing virtual networks.

6. Implement Defense in Depth

The VMware management and security applications provide for a high level of security and monitoring. They also provide hooks and integration with third party security applications that provide system log collection, active monitoring, intrusion detection, etc. Encryption is a critical part of a defense-in-depth strategy, and protecting encryption keys is the most important part of an encryption strategy. Regardless of the operating systems in your application Virtual Machines, your solution should provide encryption key management, key retrieval, and encryption services for your business applications and databases running in your VMware infrastructure.

7. Monitor VMware Administrative Activity

Use an appropriate SIEM solution to collect VMware application and ESXi hypervisor system logs and perform active monitoring. The log collection and SIEM active monitoring solutions should be isolated into a security workgroup that contains other third party security applications such as Townsend Security’s Alliance Key Manager.

For additional information on securing Alliance Key Manager for VMware, our encryption key management solution, request the VMware Resource Kit containing the Guidance Document and other valuable resources:

Resource Kit: Encryption and Key Management in VMware

As solutions and implementations vary a great deal, always consult with a security specialist and compliance auditor for specific guidelines for your industry and environment! Just contact us to get started!

Topics: Compliance, Data Security, Encryption Key Management, Defense-in-Depth, VMware, Resource Kit

VMware Encryption - 9 Components of a Defensible Encryption Strategy

Posted by Liz Townsend on Feb 11, 2015 2:37:00 PM

VMware Encryption eBook We all know encrypting sensitive data such as customer, employee, and business critical data is not only crucial to protecting your company’s assets, encryption is also required by industry regulations such as the Payment Card Industry Security Standards Council (PCI SSC) and GLBA/FFIEC. Today businesses are turning to VMware virtual machines and the cloud to reduce cost and complexity within their IT environments. When companies set out to encrypt sensitive data that is stored or processed in VMware, meeting industry regulations is top of mind. Businesses also sometimes assume that meeting the encryption requirements of a regulation will protect them from a data breach as well. Unfortunately, passing a data security audit does not always guarantee a strong defense to a data breach. Where data is encrypted and how it is encrypted is often subjective to the auditor, and where one auditor might give your encryption solution a passing grade, another might fail you. If you are only looking for a passing grade, you may be implementing the bare minimum requirements. When you consider the possible deviation between one auditor to the next, it becomes clear that meeting compliance is often a low bar.

At Townsend Security we help our customers not only meet compliance, but achieve a level of security in their VMware environment that will protect them in the event of a data breach. Our new eBook, “VMware Encryption: 9 Critical Components of a Defensible Encryption Strategy,” discusses nine strategies for ensuring your VMware encryption strategy is strong enough to protect your business in the event of a data breach.

Download this eBook to learn more about these critical components and more:

1. Establish a VMware Security Roadmap
The first step in securing your VMware environment is to establish a security roadmap. Determine how encryption and key management in VMware fit into a holistic security plan, and assess security requirements that compliance regulations mandate. Assess your level of risk tolerance for the types of data you want to protect. It’s important to keep in mind that compliance regulations may not mandate the protection of some data, such as email addresses and passwords; however, you may want to encrypt this data in order to protect your brand and reputation should this data get breached. At an IT level, like other security applications that perform intrusion detection/prevention, and active monitoring, you should deploy your encryption key management virtual machine in a separate security workgroup and provide administrative controls in the same way as for other VMware and third party security applications. [Download the eBook to read more]

2. Inventory and Prioritize Sensitive Data
Every encryption project should start by making an inventory of sensitive data in your IT environment. The first step is to define “sensitive data.” Sensitive data is any customer or internal data that you must protect in order to meet compliance requirements or protect your customers, employees, and yourself from data theft and fraud. The scope of what is considered “sensitive data” and how hackers use data to commit fraud is growing. However, if you do not know where to start, first consider the compliance regulations you fall under. [Download the eBook to read more]

3. Use Industry Standard AES Encryption
Encryption protects your data at the source and is the only way to definitively prevent unwanted access to sensitive data. Academic and professional cryptographers have given us a number of encryption algorithms that you can use to protect sensitive data. Some have interesting names like Twofish, Blowfish, Serpent, Homomorphic, and GOST; however, it is critical in any professional business to use encryption algorithms accepted as international standards. Many compliance regulations require the use of standard encryption, such as AES, a globally recognized encryption standard, for encrypting data at rest. [Download the eBook to read more]

4. Encryption Key Management

Many organizations that encrypt sensitive data fail to implement an adequate encryption key management solution. While encryption is critical to protecting data, it is only half of the solution. Your key management will determine how effective your encryption strategy ultimately is. When encrypting information in your applications and databases, it is crucial to protect encryption keys from loss. Storing encryption keys with the data they protect, or using non-standard methods of key storage, will not protect you in the event of a data breach. For businesses that are already encrypting data, the most common cause of an audit failure is improper storage and protection of the encryption keys. [Download the eBook to read more]

Download “VMware Encryption: 9 Critical Components of a Defensible Encryption Strategy,” to learn 5 more critical components! Learn how to protect your customers, secure your business assets, avoid regulatory fines, and protect your brand.

VMware Encryption eBook

Topics: Encryption, Encryption Key Management, VMware

Securing Alliance Key Manager for VMware

Posted by Michelle Larson on Dec 23, 2014 11:00:00 AM

An Introduction to Townsend Security's VMware Guidance Document

VMware customers benefit from the many operational, and cost efficiencies provided by VMware virtualization technologies both in traditional IT infrastructure and in cloud environments. As VMware customers deploy data encryption solutions as a part of their defense-in-depth strategy, the need for encryption key management can present barriers to a good encryption implementation. This article provides high-level guidance, general in nature, on how deploy and protect Alliance Key Manager for VMware within your VMware environment. Actual VMware deployments of Alliance Key Manager for VMware will use different VMware applications and architectures to meet specific user, application, and security needs.

General VMware Recommendations VMware Resource Kit for Encryption and Key Management

Identify and Document Trusted and Un-Trusted Applications

Properly identifying application groups based on the level of trust is critical for a secure implementation of virtualized applications and encryption key management services. Create and isolate a management cluster for your core VMware applications such as vSphere, vShield, etc. Identify application groups and their associated level of trust, and isolate applications into appropriate application workgroups. Avoid mixing trusted and untrusted applications in a workgroup.

You should consider creating a security workgroup to contain your third party security applications such as encryption key management, authentication services, active directory, system logging, and other applications whose primary function is to assist in securing your VMware environment. Encryption key management services provide by Alliance Key Manager should be implemented in this separate security workgroup used for critical, non-VMware security applications.

In preparation for properly securing these environments, create an inventory of all Virtual Machines managed in each workgroup. For each workgroup and virtual machine, identify the security controls that will be required for each one (network segmentation, storage segmentation, system logging, active monitoring, etc.). VMware flow tools can assist with this documentation.

Restrict Physical Access

Fundamental to all IT security implementations is proper security of the physical environment. This means proper physical security controls and physical monitoring of the data center as well as good auditing and procedural controls. These physical controls should also apply to access to VMware management and security applications. You can look to the PCI Data Security Standards and guidance for information on appropriate physical controls. You can also refer to standard security guidance in SOC 2 and SOC 3 assessments for information on physical controls. When deploying on a cloud platform it is always a good idea to ask the Cloud Security Provider (CSP) for a copy of the PCI letter of attestation, or an SOC 2 / SOC 3 report.

Isolate Security Functions

Because security applications are often a target of cybercriminals, you should isolate them into their own security workgroup and implement the highest level of VMware security. Only trusted VMware administrators should have access rights to Alliance Key Manager, system logs, and audit reports. Be sure to actively monitor access to and use of all encryption key management, key retrieval, and encryption services.

Change VMware Default Passwords

Review all VMware applications used to secure and manage your VMware environment and change the default passwords as recommended by VMware. The failure to change default passwords is one of the most common causes of security breaches.

Implement Network Segmentation

Network segmentation is easy to accomplish with VMware network management and security applications and you should implement network segmentation to isolate applications that process sensitive information from applications that do not require as high a level of trust. Additionally, you should provide network segmentation for all third party security applications such as Alliance Key Manager. Network segmentation should include all high availability and business recovery infrastructure. Do not rely on virtual network segmentation alone; use firewalls that are capable of properly securing virtual networks.

Implement Defense in Depth

The VMware management and security applications provide for a high level of security and monitoring. They also provide hooks and integration with third party security applications that provide system log collection, active monitoring, intrusion detection,etc. Encryption is a critical part of a defense-in-depth strategy, and protecting encryption keys is the most important part of an encryption strategy. Regardless of the operating systems in your application Virtual Machines, Alliance Key Manager will provide encryption key management, key retrieval, and encryption services for your business applications and databases running in your VMware infrastructure.

Monitor VMware Administrative Activity

Use an appropriate SIEM solution to collect VMware application and ESXi hypervisor system logs and perform active monitoring. The log collection and SIEM active monitoring solutions should be isolated into a security workgroup that contains other third party security applications such as Alliance Key Manager.

For more detailed information, read the entire VMware Guidance Document and other materials available in this VMware Resource Kit: 

Resource Kit: Encryption and Key Management in VMware

Topics: Data Security, Encryption, Best Practices, Encryption Key Management, VMware, Resource Kit, Cloud Security

VMware and SQL Server Encryption

Posted by Michelle Larson on Dec 12, 2014 9:38:00 AM

Questions and Answers on Encryption and Key Management Projects

VMware® is hands-down the virtualization choice of large and small organizations, and it is easy to see why. Not only is it a highly reliable and scalable platform, VMware also provides a complete set of tools you need to deploy, manage, monitor, and protect virtual machines.

Earlier this month, Paul Taylor with Security Insider - Podcast Edition spoke with our founder, Patrick Townsend about encrypting data on Microsoft SQL Server in VMware environments, steps to encrypting data on SQL Server (with and without TDE), as well as talk about Townsend Security’s Alliance Key Manager for VMware. Here are a few highlights (download the podcast for the whole conversation): Podcast: VMware and SQL Server Encryption

Paul Taylor: We’ve talked about the Townsend Security encryption and key management solutions for VMware. Today let’s put the focus on Microsoft SQL Server and encryption in the VMware customer environment. Can you give us an overview of how VMware customers can protect data in SQL Server databases?

Patrick Townsend: Just to recap, we really need two things to get encryption right: A key management solution to protect the critical encryption keys, and an encryption solution for the SQL Server database. And they have to talk to each other.

For the first part, our Alliance Key Manager for VMware solution provides a fully functional, enterprise key management solution that protects SQL Server databases as well as other databases and other operating systems.

For encrypting SQL Server, our Alliance Key Manager solution comes with a full Microsoft SQL Server Extensible Key Management Provider. We call this Key Connection for SQL Server and it is one of the modules that our key management customers receive without paying additional license fees. Key Connection for SQL Server provides the encryption and integration with our key server to provide a complete, end-to-end solution for encrypting data in the SQL Server database.

Paul Taylor: Can you talk a little about how Microsoft enables encryption in SQL Server?

Patrick Townsend: If you are running SQL Server Enterprise Edition or higher, you have access to Microsoft’s automatic, full database encryption facility called Transparent Data Encryption, or TDE. You also have access to Microsoft’s automatic, column level encryption facility which Microsoft calls Cell Level Encryption. Both of these options, TDE and Cell Level Encryption,  are implemented without any programming work at all. And both are fully supported by Alliance Key Manager and the Key Connection for SQL Server software from Townsend Security.

Paul Taylor: What about Microsoft customers who aren’t using the Enterprise Edition of SQL Server? Can they encrypt their data with the Townsend Security solution?

Patrick Townsend:  With SQL Server Standard and Web Editions we provide two paths to encrypt data. The first is to use SQL Views and Triggers along with our .NET DLL to provide automatic encryption without any changes to applications. And the second path is to modify your C# or Java applications to use our .NET DLL to perform encryption at the application level.

Both approaches leverage our Microsoft .NET DLLs to perform encryption with integrated key management. Both are very simple to implement. And there are no additional license fees to deploy and use our Microsoft .NET DLLs to accomplish this.

Paul Taylor: So, walk me through the steps for encrypting data in my SQL Server Enterprise Edition database. How difficult is it?

Patrick Townsend: Encrypting data in Enterprise SQL Server is really very easy. The first step is to install our Alliance Key Manager for VMware solution. It launches like any other virtual machine using the normal VMware applications and you can have a key management solution up and running very quickly.

The second step is to install the Key Connection for SQL Server application on the virtual machine running SQL Server in Windows. This is a normal install process with an MSI file. You answer some questions, install a certificate and private key in the Windows Certificate Store, and run a handful of commands to start SQL Server TDE encryption or Cell Level Encryption. You also restart the log file to be sure that it is encrypted as well. That’s about it.

Of course, you will want to follow the instructions on how to set up a high availability key server, and point your Key Connection for SQL Server configuration to it as failover. That is a normal configuration process and also very easy to do. We find that VMware customers can deploy SQL Server encryption very quickly.

Paul and Patrick also cover which versions of SQL Server are supported, the availability of Alliance Key Manager in other platforms (hint: it’s quite versatile), and our 30-day evaluation program (you can do a full proof-of-concept in your own environment at no charge). Be sure to download the podcast to hear the rest of their conversation:

Podcast: VMware and SQL Server Encryption

Topics: Data Security, Encryption, Security Insider Podcast, Encryption Key Management, VMware, SQL Server