VMware virtualization has been a game-changing advancement for the IT industry. It has delivered efficiencies and capabilities that had previously been impossible for organizations struggling with constraints in the traditional IT data center world. When it comes to security, VMware is front and center in helping organizations secure their data from threats through encryption. One solution adds an important layer to VMware’s data security solution by giving enterprise organizations the ability to achieve the second critical function — manage their encryption keys. Use this guide to explore the key concepts of encrypting data in VMware and protecting encryption keys using third-party enterprise encryption key management.
The VMware story began in 1998 when five forward-thinking technologists launched an innovative virtualized computing solution. Shortly thereafter, it was the first commercially successful company to virtualize x86 architecture. Today VMware is a top-tier cloud computing and virtualization provider, and a popular solution for organizations moving to the cloud. VMware’s desktop software runs on Microsoft Windows, Linux, and macOS, while its enterprise software hypervisor for servers, VMware ESXi, is a bare-metal hypervisor that runs directly on server hardware without needing an additional underlying OS.
In our increasingly insecure cyber world, VMware understands the critical nature of robust security solutions, including encryption capabilities. However, applying security in a VMware environment introduces unique challenges. Principally, in these environments, systems are no longer dedicated or share a common physical architecture. They also face unique security challenges related to running data processing and storage in the cloud. Questions around deployment and how to get the most out of native encryption tools are often barriers to implementation. These issues not only present new risks for data breaches, but also open up organizations to a higher risk of non-compliance with an expanding body of regulatory directives.
Due to these issues and others, security of sensitive data stored and processed on VMware virtual machines (VMs) and in the cloud is a critical concern for many customers. VMware customers need strong encryption and key management solutions that run natively in their virtual environments and provably meet compliance regulations. To provide insight on how to best deploy encryption and encryption key management in VMware, this comprehensive guide overviews the landscape for securing data in a virtual world. If you’d like to first learn the fundamentals of encryption and key management before diving in, view The Definitive Guide to Encryption Key Management Fundamentals.
Deploying vSphere Encryption
With vSphere 6.5 and above, you can now encrypt your virtual machines to help protect sensitive data at rest and to meet compliance regulations. vSphere encryption allows you to encrypt existing virtual machines as well as encrypt new VMs right out of the box.
Additionally, vSphere encryption not only protects your virtual machine but can also encrypt your other associated files. So, how does vSphere encryption work?
- First, install and configure your KMIP-compliant key management server, such as our Alliance Key Manager, and register it to the vSphere KMS Cluster.
- Next, you must set up the key management server (KMS) cluster.
- When you add a KMS cluster, vCenter will prompt you to make it the default. vCenter will provision the encryption keys from the cluster you designate as the default.
- Then, when encrypting, the ESXi host generates internal DEKs to encrypt the VMs, files, and disks.
- The vCenter Server then requests a key from Alliance Key Manager. This key is used as the KEK.
- ESXi then uses the KEK to encrypt the DEK and only the encrypted DEK is stored locally on the disk along with the KEK ID.
- The KEK is safely stored in Alliance Key Manager. ESXi never stores the KEK on disk. Instead, vCenter Server stores the KEK ID for future reference. This way, your encrypted data stays safe even if you lose a backup or a hacker accesses your VMware environment.
Deploying vSAN Encryption
The last and biggest advantage: vSAN encryption is easy to enable and use. This means that securing your sensitive data with AES encryption is not a time-intensive task. To prove the point, here is a quick guide to getting encryption up and running for your vSAN clusters:
- First, install and configure your key management server, or KMS, (such as our Alliance Key Manager) and add its network address and port information to the vCenter KMS Cluster.
- Then, you will need to set up a domain of trust between vCenter Server, your KMS, and your vSAN host.
- You will do this by exchanging administrative certificates between your KMS and vCenter Server to establish trust.
- Then, vCenter Server will pass the KMS connection data to the vSAN host.
- From there, the vSAN host will only request keys from that trusted KMS.
- The ESXi host generates internal keys to encrypt each disk, generating a new key for each disk. These are known as the data encryption keys, or DEKs.
- The vCenter Server then requests a key from the KMS. This key is used by the ESXi host as the key encryption key, or KEK.
- The ESXi host then uses the KEK to encrypt the DEK and only the encrypted DEK is stored locally on the disk.
- The KEK is safely stored separately from the data and DEK in the KMS.
- Additionally, the KMS also creates a host encryption key, or HEK, for encrypting core dumps. The HEK is managed within the KMS to ensure you can secure the core dump and manage who can access the data.
That’s it! VMware has made encrypting your data in vSAN both simple and secure.
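The DEK/KEK handling in the vSphere and vSAN steps above, modeled as an added example (not code from VMware or Townsend Security). `ToyKMS`, the record layout and the function names are hypothetical, and an HMAC-SHA256 construction stands in for AES because the Python standard library has no AES. It goes slightly beyond the listed steps by also showing KEK rotation, where only the DEK is re-wrapped.

```python
"""Envelope-encryption model of the DEK/KEK steps above (added example).

ToyKMS, the record layout and all function names are hypothetical. The Python
standard library has no AES, so seal()/unseal() use an HMAC-SHA256 keystream
with an HMAC tag as a stand-in for the AES that vSphere and vSAN use.
"""
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one input key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (stand-in for AES).
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)


class ToyKMS:
    """Hypothetical in-memory key manager: KEKs live here and nowhere else."""

    def __init__(self):
        self._keks = {}

    def create_key(self) -> str:
        kek_id = secrets.token_hex(8)
        self._keks[kek_id] = secrets.token_bytes(32)
        return kek_id

    def get_key(self, kek_id: str) -> bytes:
        return self._keks[kek_id]  # KeyError if unknown or destroyed

    def destroy_key(self, kek_id: str) -> None:
        del self._keks[kek_id]


def encrypt_disk(kms, kek_id, data):
    """Return what lands on disk: KEK ID, wrapped DEK, encrypted data."""
    kek = kms.get_key(kek_id)      # fetched from the KMS, held in memory only
    dek = secrets.token_bytes(32)  # generated on the host, a new one per disk
    return {"kek_id": kek_id,
            "wrapped_dek": seal(kek, dek),
            "ciphertext": seal(dek, data)}


def decrypt_disk(kms, record):
    dek = unseal(kms.get_key(record["kek_id"]), record["wrapped_dek"])
    return unseal(dek, record["ciphertext"])


def rewrap(kms, record, new_kek_id):
    """Rotate the KEK: re-wrap the DEK only, leave the bulk ciphertext as is."""
    dek = unseal(kms.get_key(record["kek_id"]), record["wrapped_dek"])
    return {**record, "kek_id": new_kek_id,
            "wrapped_dek": seal(kms.get_key(new_kek_id), dek)}


if __name__ == "__main__":
    kms = ToyKMS()
    kek_id = kms.create_key()
    disk = encrypt_disk(kms, kek_id, b"constructed sample: VM disk contents")
    print("stored on disk:", sorted(disk))
    print("with KMS:", decrypt_disk(kms, disk))
    try:
        decrypt_disk(ToyKMS(), disk)  # copied disk, no access to the real KMS
    except KeyError:
        print("without KMS: KEK unavailable, disk unreadable")
```

The same property cuts both ways: once a KEK is destroyed in the key manager, every DEK wrapped under it is unrecoverable, which is why the key manager's backup and high availability matter.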
Why Encrypt in VMware
Encrypting virtual machines (VMs) is an important step organizations take to protect their confidential applications and data. Encryption is a mechanism used to protect data by transforming it into an unreadable format, so that it is completely private from anyone not explicitly approved to read it through decryption. Gaining access to encrypted information requires a person or application to possess the “key” to open the encryption formula and convert the data back to its original readable format. In this way, encryption provides a fail-safe mechanism, whereby, if all other cybersecurity measures fail and data is stolen, the information is still protected because it is unreadable and, therefore, useless to the person or machine trying to access it. The data remains secure and compliant. VMware provides several options for deploying encryption functionality.
Townsend Security’s Alliance Key Manager is a FIPS 140-2 compliant enterprise key manager that helps organizations meet compliance requirements and protect private information. The symmetric encryption key management solution creates, manages, and distributes 128-bit, 192-bit, and 256-bit AES keys for any application or database running on any enterprise operating system. Townsend Security deploys ready-to-use security applications for vSphere, MongoDB, Microsoft SQL Server Transparent Data Encryption (TDE) and Cell Level Encryption (CLE), and other applications. We also provide client side applications, SDKs, and sample code free of charge. The solution can be deployed in VMware, the cloud (AWS or Microsoft Azure), or as a hardware security module (HSM).
Protect VMs at Rest and in Transit
One of the advantages of VMs is that they are portable. Pick up a VM image and you can run it on any physical server. However, this also means anyone who has access to the image also has access to its files and data. VMs are also vulnerable when a running machine is transferred to another server. Anyone who has access to the network will also have access to the VM and its data. When using VMware, you can use encryption to protect your VMs both at rest and in transit, just like any other data you store and transmit.
Encryption in VMware
VMware includes encryption in vSphere 6.5, making it easy to encrypt without using third-party hardware or software. The encryption features protect both VMDK images and vMotion transfers of VMs. Encryption is fully managed by the hypervisor, so keys are not known to the VM and there’s no potential exploit in the guest OS. With Alliance Key Manager, you can implement vSphere encryption to protect the VMs at rest, and also implement database encryption to protect the database. In some cases, this will mean multiple layers of encryption, but this provides additional layers of security.
Encrypting VMs relies on keys, so you need to have an encryption key manager (software or hardware) when using VM encryption. Without keys, encrypted VM files cannot be read or executed. When encrypting a VM, the disk files, snapshots, swap files, and dumps are all protected. A few remaining configuration and log files are not encrypted, because they aren’t sensitive or don’t support operations that have to execute the encryption status of the disks. VMware does report some minimal overhead from deploying decryption operations. However, if performance remains a concern, running it on servers that support AES-NI instructions speeds up the encryption process.
When encrypting VMs on vMotion, a random one-time key is generated and sent to the hosts involved in the vMotion process. In this case, it’s not the network that’s protected, but the VM itself. As a result, snooping is not possible. Further, certificates are not required, and users don’t need to worry about network settings. Encrypted VMs require encrypted vMotion, but you can use encrypted vMotion, even on unencrypted VMs. To ensure high availability, VMware uses automatic failover for key management through the definition of vSphere KMS Clusters.
vSphere allows users to control whether encryption is applied to a VM’s virtual disks or configuration files through storage policies. You also have control over who can manage the encryption in VMware. It isn’t necessary, or even advisable, to grant encryption privileges to every VM administrator. Restricting this critical function enhances your security posture.
Compliance Regulations and VMware
For many businesses, moving to the cloud means storing or processing credit card numbers, financial information, healthcare data, and other personally identifiable information (PII) in a virtual, shared environment. The challenge is meeting data security requirements and preventing unwanted access to sensitive data in an environment that is inherently less secure. The lack of compliance and failure to implement and execute a well-planned security strategy may lead to a breach in security resulting in data spillage, data compromise, loss of data integrity, loss of customer trust, legal actions, revenue loss, and even loss of business. Industry and regulatory compliance standards help protect computing assets from multiple security vulnerabilities and misconfigurations, and minimize the risk in execution environments, such as development, test, and production.
With VMware, businesses that want to protect sensitive data can use encryption and key management to secure data, comply with industry security standards, protect against data loss, and help prevent data breaches. When considering encryption options, organizations must consider both governmental and private compliance regulations that require them to protect sensitive information. Most regulations require proper protection of PII. For example, the new European Union General Data Protection Regulation (GDPR) imposes multiple demands upon global companies to protect the personal data of all European Union (EU) residents. The Payment Card Industry Data Security Standard (PCI DSS) requires that credit card numbers be encrypted in storage. The Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Acts (HIPAA/HITECH) require protection of Electronic Protected Health Information (ePHI).
These are just three of the many compliance regulations that today’s organizations must consider in their cybersecurity programs to ensure that they are in continual compliance with all of the relevant regulations as they change and expand.
VMware and GDPR
In response to escalating external and internal threats and uncertainty, lawmakers and regulators around the world have been strengthening their data security compliance requirements, implementing new legal frameworks and levying higher noncompliance penalties. This places organizations at tremendous risk for compliance violations, along with the resulting fines and remediation costs. On May 25th, 2018, the European Union made securing citizens’ data an even bigger challenge for companies doing business that involves handling their citizens’ data. That was launch day for the new European Union General Data Protection Regulation (GDPR).
GDPR has sharper teeth than any other compliance regulation to date. With tighter controls and higher penalties, the new law is poised to enforce data protection beyond the limits of any other compliance regulation. This will permanently impact the way organizations handle consumer data. While other regulations, like PCI DSS and HIPAA, have expanded their rules and enforcement in recent years, it’s likely that GDPR will set a new standard — one that other regulatory bodies will be inspired or compelled to follow. As such, meeting privacy and data residency requirements can become an enormous burden for global enterprises working in EU countries.
The GDPR attempts to unify data protection laws in Europe and ensure that citizens’ rights and protections have a global impact. One area of concern for EU countries, among many, is the fact that U.S.-based cloud vendors can be subpoenaed by U.S. governments to provide access to specific information, even if it resides outside of the U.S. With this regulation, every organization will be forced to comply or face penalties, including damaging fines and even losing the opportunity to work within the EU. Specifically, the GDPR’s “right to be forgotten” rule provides individuals with specific rights to control the processing of their personal data and sets a new standard for protection of an individual’s personal data. Among the EU regulations is the rule that all customer and employee data must not be accessible to anyone outside of their home legal jurisdiction, except when given explicit consent on a per usage basis.
VMware Cloud on AWS has been independently verified by Schellman & Company, LLC, to comply with the GDPR. In the language of the GDPR, when providing services to its customers via the VMware Cloud on AWS service offering, VMware is acting as a “data processor.” VMware’s customers may perform customer-defined data processing activities in relation to their own data within the services and, in doing so, act as “data controllers.” Data controllers may only appoint data processors who provide sufficient guarantees to implement appropriate technical and organizational measures to ensure processing meets GDPR’s requirements. GDPR also requires resilient and recoverable architectures to prevent unavailability of data. To support this directive, key managers should implement HA services to ensure high availability.
Encryption and key management can help meet GDPR’s privacy requirements, as well as citizens’ right of erasure (right to be forgotten). While the EU does not mandate that all organizations encrypt sensitive data, there is an exclusion for subject data breach notification and financial penalties for those organizations that use encryption and other security methods to protect the data. Thanks to VMware’s wide-ranging focus on security, implementing encryption and key management tools will help users meet requirements for GDPR.
VMware and PCI DSS
With all of the security breaches in the news and the occurrence of these incidents becoming more widespread, how can you ensure that your customers’ credit card information remains secure? This is the purpose of Payment Card Industry Data Security Standard (PCI DSS), which impacts all merchants who accept credit cards. PCI DSS requires merchants to protect sensitive cardholder information from loss, and use good security practices to detect and protect against security breaches. The PCI DSS is applicable to all types of environments that store, process, or transmit cardholder data. This includes information such as Primary Account Numbers (PAN), as well as any other information that has been defined as cardholder data by the PCI DSS v3.2. PCI DSS Section 3 outlines requirements for encryption and encryption key management protocols.
Even with this mandatory requirement, a vast majority of organizations still struggle to maintain PCI compliance, and the process is costing companies a great deal, both in addressing the root cause of PCI audit failures and in often severe non-compliance fees. By proactively assessing their weaknesses around PCI compliance, and installing the cybersecurity solutions that can mitigate data breaches, companies will ensure their own data security and, therefore, compliance.
For these reasons, VMware offers a wide range of cybersecurity services and documentation to support and help organizations secure their data. For example, VMware has enlisted its Audit Partners, such as Coalfire, a PCI DSS-approved Qualified Security Assessor, to engage in a programmatic approach to evaluate VMware products and solutions for PCI DSS control capabilities, and then to document these capabilities in a set of reference architecture documents.
VMware also provides customers with access to vRealize Air Compliance, which assesses VMware vSphere-based virtualized environments according to specific compliance standards and risk profiles. Some of the available standards and profiles include multiple versions of the VMware vSphere Hardening Guide, PCI DSS 3.2, and HIPAA technical safeguards. Users can continuously assess their vCenter Server instances, ESXi hosts, VMs, and distributed port groups to ensure that they comply with the technical controls defined in the industry standards.
From a high level, the VMware software-defined data center (SDDC) provides software-defined infrastructures, software-defined networking, and management and security technologies capable of supporting, adhering to, and/or addressing control objectives relevant to PCI DSS to enable platform support of cardholder data environments (CDE). VMware EUC provides secure delivery mechanisms for any application, to any device, anywhere. Further, VMware’s vast network of partners provides added value with technologies capable of being inserted seamlessly and holistically to address additional requirements and enhance security.
VMware and HIPAA
The Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH) outlines data security regulations for the healthcare industry. While the HIPAA/HITECH does not specifically require encryption of sensitive data, a backdoor “safe harbor” mandate states that if a healthcare organization or one of its Business Associates (BA) does experience a data breach, and Protected Health Information (PHI) is not obscured using encryption or some other method, then that organization will be heavily penalized.
This is especially important when the outcomes for noncompliance are extremely critical due to civil and criminal penalties imposed by the Office for Civil Rights (OCR), Department of Health and Human Services (HHS), and the U.S. Department of Justice (DOJ). What’s more, there is a high probability for collateral impact due to failure to protect patient privacy, institutional trust, and economics. In extreme cases of breach or data loss, the fines and penalties are minor compared to the potential for litigation, recompense, and public relations improvements.
Compliance with the HIPAA Security Rules and HIPAA Privacy Rules for Electronic Protected Health Information (ePHI) requires the use of many security technologies and best practices to demonstrate strong efforts towards complying with this federal regulation. The ability to effectively secure ePHI and audit IT and security operations may involve both strong encryption and real-time and historical activity logs that relate to many systems.
VMware recognizes the following as critical areas that must be addressed by each covered entity and BA in the operation of healthcare information systems: security and compliance, the criticality and vulnerability of the assets needed to manage ePHI infrastructures, and the risks to which they are exposed. This approach provides management, IT architects, administrators, and auditors with high degrees of transparency into risks, solutions, and mitigation strategies for moving critical applications to the cloud in secure and compliant ways. By standardizing an approach to compliance and expanding the approach to include partners, VMware provides its customers a proven solution that more fully addresses their compliance needs.
Organizations can reduce the complexity and cost of HIPAA Security Rule compliance by replacing traditional non-integrated products with integrated solutions. To further address this gap, VMware, together with the VMware partner ecosystem, delivers compliance-oriented integrated solutions, enabling compliance by automating the deployment, provisioning, and operation of regulated environments. In this way, VMware provides the solution reference architecture, HIPAA Security Rule specific guidance, and software solutions that businesses require to achieve continuous compliance, along with speed, efficiency, and agility for their applications.
Security Beyond Compliance
Along with regulatory compliance, there are many other reasons to optimize data security in VMware — including intellectual property and reputation protection.
Intellectual Property Protection (IP)
Knowledge assets are defined as confidential information critical to the development, performance, and marketing of a company’s core business. IP protection covers a wide variety of corporate capital, including business plans, trade secrets, creative work products (design, development, and pricing), proprietary software or hardware, and competitively valuable or other important information of or about customers, including customer profiles and databases. Hackers, competitors, and nation states are all potential IP thieves. A study on cybersecurity risks to knowledge assets found that 82 percent of companies have failed to detect a breach involving their IP. The study also found dramatic increases in both threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing the threats by the highest-performing organizations.
A study sponsored by VMware and conducted by The Economist Intelligence Unit (EIU) found that reputational risk was C-suite executives’ greatest cybersecurity concern. A company or organization’s brand is the most valuable asset, because it touches all aspects of the enterprise, including growth and revenue. Further, the negative perception extends to a company’s products and services. Cyber attacks are also damaging to a company’s reputation, because the damage is not contained to the company itself — attacks also expose customers to the risk of identity theft or financial losses. Brand reputation is a fragile asset that, when compromised, is not easy to fix. It can take decades to build your reputation and consumer trust.
Components of a VMware Encryption Strategy
The most effective way to secure data and ensure a company’s integrity is to deploy encryption. For any encryption deployment, there are two major components:
- Encryption of the sensitive data, usually in a Windows or Linux VM
- Protection of the encryption keys through robust key management solutions
An effective strategy in the VMware environment has to address both of these components. The following section overviews the components of a VMware encryption strategy.
vSphere VM encryption enables creation of encrypted VMs and encrypts existing VMs, along with virtual disks, and host core dump files. Because all VM files that contain sensitive information are encrypted, the entire VM is protected. Only administrators with encryption privileges can perform encryption and decryption tasks. Some files associated with a VM are not encrypted or are partially encrypted, because they don’t contain sensitive information, including log, VM configuration, and virtual disk descriptor files.
Three major components are used for encryption in VMware: a Key Management Server, a VMware vCenter Server®, and ESXi hosts.
Key Management Server (KMS)
Encryption key management is the method used to protect and manage your encryption keys. The vCenter Server instance requests keys from an external KMS. The KMS generates and stores key encryption keys (KEKs) and passes them to the vCenter Server instance for distribution. As a Key Management Interoperability Protocol (KMIP) client, the vCenter Server system uses that protocol to facilitate use of the chosen KMS.
VMware vCenter Server®
The vCenter Server instance obtains keys from the KMS and transfers them to the ESXi hosts. It does not store or persist the KMS keys, but keeps a list of key IDs. The vCenter Server system checks the privileges of users who perform cryptographic operations. VMware vSphere Web Client assigns cryptographic operation privileges and limits the users who can perform these operations. The vCenter Server system adds cryptography events to the list of events that can be viewed and exported from the vSphere Web Client event console. Each event includes the user, time, key ID, and cryptographic operation.
ESXi Hosts
The ESXi host is responsible for several aspects of the encryption workflow:
- Performs the encryption of VM disks
- Ensures that guest data for encrypted VMs is not sent over the network without encryption
Encryption is performed by the industry-standard OpenSSL libraries and algorithms. VM encryption does not impose any new hardware requirements, but a processor that supports the Intel AES-NI instruction set accelerates encryption and decryption operations, thereby providing better performance.
NIST Standard AES Encryption
When evaluating your VM solution alongside your encryption key management solution, it’s important to look for certain certifications and validations. One of these is from the National Institute of Standards and Technology (NIST): NIST FIPS-197 validates AES encryption. VMware encrypts and decrypts according to NIST validation. It also manages encryption keys according to NIST guidelines.
Encryption Key Management
FIPS 140-2 certification ensures that the key management software has been tested by third parties to meet the highest standards in key management technology, so you can establish strong key management. VMware OpenSSL FIPS Object Module meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-2, which details the U.S. and Canadian Government requirements for cryptographic modules. For VMware customers, FIPS 140-2 compliant encryption and key management are a key defense for data security.
Recognizing that each organization must take responsibility for its data no matter where it resides, the NIST standard calls for continuous monitoring of key management. This requires organizations to continuously monitor their environments to ensure their infrastructure, applications, and data remain in a secure state. VMware’s security functionality supports continuous monitoring.
The NIST standard calls for auditing to bring transparency to security operations. Your key management solution needs to support active collection and monitoring of audit and OS logs. The logs should integrate with your log collection and SIEM active monitoring systems. Built-in logging allows administrators to track all key retrieval, key management, and systems activity. In VMware, reports can be sent automatically to a central log management database or SIEM products for a timely and permanent record of activity. A KMS should audit all administrative and user functions, including both successful and failed operations, for security-relevant events. This includes detecting and recording the events, date and time of the events, and the identity or role of the entity initiating the events.
Encryption Key Management
Once data is encrypted, your private information depends on enterprise-level key management to keep that data safe. Without key management, encryption stands alone as only half of a solution. When you leave the keys to unlock your sensitive business and customer data exposed, then you expose your entire organization to the risk of data loss or theft. Encryption key management involves administering the full lifecycle of cryptographic keys and protecting them from loss or misuse. Protection of the encryption keys includes limiting access to the keys physically, logically, and through user/role access.
Encryption Key Lifecycle
A critical administrative component to encryption key management is the ability to manage the complete encryption key lifecycle. NIST defines all stages of a key’s lifecycle, including key generation, pre-activation, activation, distribution, revocation, post-activation, backup, escrow, and deletion. Through an administrative console, security administrators should be able to implement controls that allow access to keys by designating key users or user groups. They should also be able to set automatic key rotation policies, so that keys are retired and rolled over after any period of time. These controls help organizations meet data security requirements for some regulated industries. For example, the PCI DSS outlines key management requirements for cardholders or processors that can typically only be met using an enterprise-level encryption key management solution.
Beyond managing the key lifecycle, an enterprise key manager should actively audit and log all activity and functions performed on the key management server, and record these logs to an external event monitoring or logging server so that malicious activity can be detected in real time. Your key management solution should be compatible with common event-monitoring solutions and export logs in standardized formats in real time. Your key management solution should also inherently enforce policy-based security functions that meet key management best practices such as separation of duties and dual control.
Separation of Duties
Separation of duties ensures that no single person controls multiple key management procedures and subsequent distribution of an encryption key. The person requesting the key and the person managing the key should be two different people. Dual control prevents any single person from controlling a key management process. For example, two security administrators should be required to authenticate access to the key server. While these policy-based controls are sometimes optional, they should always be available and easy to implement in your encryption key management solution.
Best Practices for Key Protection
There are several key management best practices that will ensure optimal key management performance and enforcement. On a technological and physical level, encryption keys should be stored in a logically or physically separate hardware or virtual key server, dedicated to performing only key management activities. The key manager should house a FIPS 140-2 validated pseudo-random number generator to create new keys and store those keys in a secure key database. Once generated and in use, encryption keys should be distributed for use over a secure Transport Layer Security (TLS) session using certificates to authenticate the user requesting the encryption key.
Also, enterprise key managers should perform real-time backup and high availability functions to prevent downtime and ensure business continuity. To accomplish this, each key server should perform active-active mirroring to one or more high availability servers as well as perform routine, automated backups to secure storage drives.
Additional Key Management Standards and Validation
VMware allows users to manage encryption keys using a third-party key management vendor through a standard key management protocol, the Key Management Interoperability Protocol (KMIP). All of VMware’s KMS Certification tests contained in KMS plug-ins verify that the vendor’s KMIP KMS works with the vSphere storage encryption feature and vSAN virtual disk. Testing consists of verifying correct behavior of a KMS, ensuring that it does not introduce undesirable impacts on the operation of the system. VMware supports two types of KMIP:
- Switch-Based Encryption — With this method, the data leaves the host and travels in the clear until it reaches a switch, which then performs the encryption before sending the data on to the storage array. The switch might be a Fibre Channel switch or, in the case of NFS, a network switch. The switch typically also integrates with an external, KMIP-compliant key manager.
- Array-Based Encryption — With array-based encryption, the controller in a storage array encrypts the data as it is written to the disks. Encryption can be performed via custom application-specific integrated circuits (ASICs) in hardware or software. In both cases, key management can be achieved via an onboard key manager or through the use of an external KMIP-compliant key manager.
Payment Card Industry Data Security Standard (PCI DSS)
As mentioned earlier, VMware meets the standards of the PCI DSS, which was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. For VMware users who need to meet compliance, Alliance Key Manager has been validated for PCI DSS in VMware by Coalfire, a PCI-qualified QSA assessor and independent IT and audit firm. Additionally, Alliance Key Manager for VMware can also help businesses meet other compliance regulations such as HIPAA, GLBA/FFIEC, FISMA, etc.
With Alliance Key Manager, we have done a lot to help companies address concerns about the resilience of a key manager, because it is critical infrastructure. This includes the following:
Hardware and Software Resilience
If you are properly protecting keys, an encryption key management solution becomes a part of your critical infrastructure. But if your key manager goes down, your applications stop functioning until you have key management back up. Alliance Key Manager addresses those concerns in a number of ways. One way is that the key manager is built for redundancy. We know that hardware can fail, so we implement a hardware platform that is resilient and has a lot of redundancy built in. As such, the first layer of keeping an encryption key manager up and running consistently is to have a good hardware platform or run in the cloud.
Backup and Recovery, High Availability, and Mirroring
Real-time mirroring of keys and policy around keys is critical for high availability and recovery. It is important for key management servers to mirror keys between multiple key managers over a secure and mutually authenticated TLS connection for hot backup and disaster recovery support. Organizations can choose to mirror key managers on-premises, in the cloud, or a hybrid of the two. If you have a failed server, a hardware problem, or network outage, you should be able to define fail-over servers and that will take place in real time.
Alliance Key Manager fully supports resilience through real-time mirroring. It is not an operating system feature; the key server itself implements this mirroring capability, and it is self-healing. If two key servers are mirroring to each other and the network goes down, they will queue up those mirroring transactions, and when the network comes back, they will re-commit those changes. Alliance Key Manager is a robust facility for making sure you have good backups of your encryption keys.
Active monitoring is one of the core security recommendations to help prevent unauthorized access to sensitive systems and information. It is a requirement of a wide variety of compliance regulations such as PCI-DSS, HIPAA/HITECH Act, and many others. From a security perspective, active monitoring makes it into the SANS Top 20 list of things you should do, and is a key recommendation from the US Cyber Security teams.
Key Management Platforms
VMware vSphere 6.5 introduced policy-based encryption, which simplifies the security management of VMs across large-scale infrastructure, as each object no longer requires individual key management. With vSphere VM encryption, you can create encrypted VMs and encrypt existing ones. Because all VM files with sensitive information are encrypted, the VM is protected. Only administrators with encryption privileges can perform encryption and decryption tasks.
Hardware Security Modules (HSMs)
Since VMware vSphere encryption is Key Management Interoperability Protocol (KMIP) compliant, any HSM that conforms to KMIP should be able to effectively manage the keys. Any HSM that you consider should be FIPS 140-2 compliant. Additionally, you should understand your current level of risk and the regulations that you need to comply with, and purchase the level of security that you will likely need to manage your risk or comply with regulations. Here are the three levels of security that an HSM can provide:
- Tamper Evident: adding tamper-evident coatings or seals on screws or locks on all removable covers or doors
- Tamper Resistant: adding “tamper detection/response circuitry” that wipes out all sensitive data such as DEKs and KEKs
- Tamper Proof: complete hardening of the module with tamper evident/resistant screws and locks along with the highest sensitivity to “tamper detection/response circuitry” that wipes out all sensitive data
As more and more enterprise operations move into virtual and cloud environments, they face multi-tenancy challenges and security issues. VMware customers benefit from many operational and cost efficiencies provided by VMware virtualization technologies both in traditional IT infrastructure and in cloud environments.
Deploying Key Management in VMware
- Identify and document trusted and un-trusted applications. Properly identifying application groups based on the level of trust is critical for a secure implementation of virtualized applications and encryption key management services.
- Restrict physical access. Fundamental to all IT security implementations is proper security of the physical environment. This means proper physical security controls and data center monitoring, as well as robust auditing and procedural controls. These physical controls should also apply to VMware management and security applications access.
- Isolate security functions. Because security applications are often a target of cyber-criminals, you should isolate them into their own security workgroup and implement the highest level of VMware security. Only trusted VMware administrators should have access rights to the encryption key management solution, system logs, and audit reports. Actively monitor access to and use of all encryption key management, key retrieval, and encryption services.
- Change VMware default passwords. Review all VMware applications used to secure and manage your VMware environment and change the default passwords as recommended by VMware. Failure to change default passwords is one of the most common causes of security breaches.
- Implement network segmentation. You should implement network segmentation to isolate applications that process sensitive information from applications that do not require as high a level of trust. Additionally, you should provide network segmentation for all third-party security applications, such as your encryption and key management solution. Network segmentation is easy to accomplish with VMware network management and security applications. Do not rely on virtual network segmentation alone; use firewalls that are capable of properly securing virtual networks.
- Implement defense in depth. VMware management and security applications provide for a high level of security and monitoring. They also include hooks and integration with third-party security applications that provide system log collection, active monitoring, intrusion detection, etc.
- Monitor VMware admin activity. Use an appropriate SIEM solution to collect VMware application and ESXi hypervisor system logs and perform active monitoring. The log collection and SIEM active monitoring solutions should be isolated into a security workgroup that contains other third-party security applications, such as Townsend Security’s Alliance Key Manager.
Securing a Key Management VM
Encryption Keys for vSAN
vSAN can perform data-at-rest encryption. You can use VMware data-at-rest encryption to protect data in your vSAN cluster. Data is encrypted after all other processing, such as deduplication, is performed. Data-at-rest encryption protects data on storage devices in case a device is removed from the cluster. When you enable encryption, vSAN encrypts everything in the vSAN datastore. Only administrators with encryption privileges can perform encryption and decryption tasks.
Encrypting Virtual Disk
Using encryption on your vSAN cluster requires some preparation. After your environment is set up, you can enable encryption on your vSAN cluster. vSAN encryption requires an external KMS, the vCenter Server system, and your ESXi hosts. vCenter Server requests encryption keys from an external KMS. The KMS generates and stores the keys, and vCenter Server obtains the key IDs from the KMS and distributes them to the ESXi hosts. vCenter Server does not store the KMS keys, but keeps a list of key IDs.
You can enable encryption by editing the configuration parameters of an existing vSAN cluster.
Benefits Over Self-Encrypting Drives
vSphere VM encryption offers advantages over other methods, such as Self-Encrypting Drives (SEDs). SEDs provide disk-based encryption, with data encrypted at the storage level using integrated hardware and an individual media encryption key (MEK), which is in turn encrypted with a KEK. KEKs are required for the encryption to work and must be managed individually unless an external key manager is used.
As a KMS client, vCenter Server uses the KMIP interface and makes it easy to use the KMS of your choice. The KMIP standard defines the following states for keys: pre-active, active, deactivated, compromised, destroyed, and destroyed compromised.
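The following added example (not code from VMware, the KMIP specification, or any key manager) models the six key states listed above together with the automatic rotation policy described earlier in this guide. The transition table follows the KMIP key state model; the usage rules in `may_encrypt`/`may_decrypt`, the 90-day period, and the key IDs are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class State(Enum):
    PRE_ACTIVE = "pre-active"
    ACTIVE = "active"
    DEACTIVATED = "deactivated"
    COMPROMISED = "compromised"
    DESTROYED = "destroyed"
    DESTROYED_COMPROMISED = "destroyed compromised"


# Transitions permitted by the KMIP key state model. Note that an active key
# cannot be destroyed directly: it must be deactivated first.
ALLOWED = {
    State.PRE_ACTIVE: {State.ACTIVE, State.DESTROYED, State.COMPROMISED},
    State.ACTIVE: {State.DEACTIVATED, State.COMPROMISED},
    State.DEACTIVATED: {State.DESTROYED, State.COMPROMISED},
    State.COMPROMISED: {State.DESTROYED_COMPROMISED},
    State.DESTROYED: {State.DESTROYED_COMPROMISED},
    State.DESTROYED_COMPROMISED: set(),
}


def can_transition(src, dst):
    return dst in ALLOWED[src]


@dataclass
class ManagedKey:
    key_id: str
    state: State = State.PRE_ACTIVE
    activated: Optional[datetime] = None
    history: list = field(default_factory=list)

    def transition(self, new_state, when):
        """Move to new_state, rejecting anything outside the state model."""
        if not can_transition(self.state, new_state):
            raise ValueError(
                f"{self.key_id}: {self.state.value} -> {new_state.value} not allowed")
        self.history.append((when, self.state, new_state))
        self.state = new_state
        if new_state is State.ACTIVE:
            self.activated = when

    # Assumed usage policy for this sketch: only active keys protect new data;
    # deactivated keys stay readable so existing data can be re-encrypted;
    # compromised keys are refused here and left to an exceptional process.
    def may_encrypt(self):
        return self.state is State.ACTIVE

    def may_decrypt(self):
        return self.state in (State.ACTIVE, State.DEACTIVATED)


def rotate_if_due(current, now, max_age, new_key_id):
    """Retire an active key older than max_age and return its active successor.

    Returns `current` unchanged when no rotation is due.
    """
    if current.state is not State.ACTIVE or now - current.activated < max_age:
        return current
    current.transition(State.DEACTIVATED, now)
    successor = ManagedKey(new_key_id)
    successor.transition(State.ACTIVE, now)
    return successor


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    key = ManagedKey("vm-kek-0001")  # constructed key ID
    key.transition(State.ACTIVE, t0)
    new = rotate_if_due(key, t0 + timedelta(days=91), timedelta(days=90), "vm-kek-0002")
    print(key.key_id, key.state.value, "->", new.key_id, new.state.value)
```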
Encryption Keys for applications
The ideal key management solution provides high availability, standards-based enterprise encryption key management to a wide range of applications and databases.
Microsoft SQL Server
Data can be encrypted in a SQL Server database. In standard edition, you’ll need to encrypt at the application level. In enterprise edition, SQL Server has Transparent Data Encryption (TDE), Extensible Key Management (EKM), and Cell Level Encryption (CLE). Townsend Security has an EKM provider. You need two things: a key management solution to protect the critical encryption keys, and an encryption solution for the SQL Server database. And they have to talk to each other. For the first part, the Alliance Key Manager for VMware solution provides a fully functional, enterprise key management solution that protects SQL Server databases as well as other databases and other OSs. For encrypting SQL Server, the Alliance Key Manager solution comes with a full Microsoft SQL Server Extensible Key Management Provider, called the Key Connection for SQL Server. It’s a module that our key management customers receive without paying additional license fees. Key Connection for SQL Server provides the encryption and integration with the key server to provide a complete end-to-end solution for encrypting data in the SQL Server database.
MongoDB offers AES encryption as part of the WiredTiger Storage Engine in the Enterprise edition of their offering. There are two options for storing encryption keys: in the database, in the clear; or by using KMIP and a key manager. Alliance Key Manager is certified by MongoDB for use with the MongoDB Enterprise database.
Drupal - There is no native encryption in Drupal. Users need to install modules, such as Key, Encrypt, and Townsend Security’s Key Connection For Drupal to encrypt private data in Drupal.
Windows IIS - Encryption needs to be done at the application level. This can be facilitated through the use of the Alliance Key Management Windows .NET SDK.
Software Development Kits (SDKs)
Java, .NET, PHP, Python, Perl, etc. - VMware offers release notes, developer guides, API references, and other documentation for current and past versions of API and SDK sets. Businesses who aren’t able or don’t want to encrypt at the database level have options to encrypt at the application level. Good key management vendors (such as Townsend Security) offer SDKs and sample code to make encryption at the application level easy.
Windows - Alliance Key Manager protects Windows .NET Client software with encryption and key management for applications. You can add the Windows .NET Client Assembly to your Windows projects to encrypt data at the application level.
Linux - Linux applications use a variety of database and storage methods that include MySQL, MongoDB, PostgreSQL, Amazon S3 and RDS, and many others. Like any application deployed on any operating system and storage mechanism, Linux applications need to protect sensitive data at rest using strong encryption.
Encryption Keys for hybrid deployments
Good key management solutions should be able to mirror in hybrid environments, such as VMware to cloud.
As enterprises adopt public and private clouds, they bring their sensitive data with them – customer names, email addresses, and other PII. While compliance regulations require protecting this information, encrypting this data has been a challenge for organizations that want the flexibility and security of a native VMware solution. By deploying Alliance Key Manager for VMware as a vCloud instance, customers can achieve their security and efficiency goals in a cloud environment. Alliance Key Manager for VMware will make the migration easy. Alliance Key Manager for AWS secures private information in databases and applications, including MS SQL Server, Oracle databases, and Drupal. It protects data in Amazon RDS, Amazon S3, Amazon EBS, and Amazon DynamoDB. VMware has established partnerships with AWS and vCloud. Further, Alliance Key Manager for VMware can provide key management for applications and also for vSphere and vSAN in the AWS platform.
Web Servers - vSphere
See vSphere discussion below.
VMware delivers intrinsic security by architecting security directly into the networks and public and private cloud workloads on which applications and data live, thereby shrinking the attack surface for your digital enterprise. To address these problems, organizations need to fundamentally transform the way they secure the application infrastructure. VMware uses a complete portfolio of solutions that enable IT to deploy a virtualized platform, which abstracts their infrastructure from the applications running on top of it — whether that infrastructure is on-premises or in the public cloud. With VMware vSphere and VMware NSX, organizations can take advantage of flexible, robust virtualization platforms to support their new and existing apps — without compromising security and compliance. VMware vRealize Network Insight enhances their capabilities through enterprise-ready cloud management for additional visibility and protection.
Business Benefits of Key Management
Organizations gain significant benefits from keeping their encryption keys protected including, but not limited to, the following:
Reduced Administration of Critical Secrets
Controlling everything from one place is the simplest and most efficient way to manage encryption. A centralized and granular key management policy can enable seamless updates for all necessary cryptographic functions without any changes in the application code. Implementing centralized policy enforcement, where the system collects all relevant information in a single place for easy audit and in human-readable form, makes demonstration of compliance with internal and external policies a straightforward task. Another benefit is reduced administration of enterprise IP.
Robust key management with centralized controls lowers an organization’s overall security risks by, for example, reducing the risk of human errors and better controlling administrators’ access permissions.
Improved Governance, Risk Management, and Compliance
Robust key management allows organizations to improve data security governance by restricting access to cryptographic functions and enforcing policies on functions such as key length, rotation, mode of operation, and more. This helps meet regulations and industry guidelines, measures, and controls.
Challenges in VMware
VM encryption offers several advantages compared to other encryption methods, but it might not be a great fit for every workload. When weighing whether to encrypt or not, you’ll want to consider a few limitations, caveats, and performance issues first.
vSphere Virtual Machine Encryption has some limitations regarding devices and features that it can interoperate with in vSphere 6.5 and later releases. Also, you cannot perform certain tasks on an encrypted VM. Further, VMware tools address only VMware issues.
Costs and Licensing
Investing in VMware and licensing is a significant investment and may be cost-prohibitive for many organizations.
VMware is complex and requires either experienced internal employees or potentially expensive outsourced services to manage and operate.
There is some application incompatibility that needs to be acknowledged by each organization.
VMware’s SDKs may not cover every need of every enterprise.
Generally, the considerations for sourcing encryption key management solutions for VMware will be similar to any relationship you develop with a vendor. The limited number of vendors in this space can limit the choices you have, but there are good solutions to choose from.
Vendors take a variety of approaches to licensing their key management solution. The main difference is in licensing constraints on the VMware side. You may start your first VMware encryption project with a rather limited scope. But as you continue to encrypt more sensitive data you may need to scale. Some encryption key management vendors license software based on the number of VMware instances that you place under protection. Others provide unlimited numbers of client-side licenses after you acquire the key manager. Be sure you understand the licensing terms of each solution you evaluate, and be sure to understand your long-term needs.
Documentation on your VMware implementation will be crucial for long-term success. In addition to documentation on the installation and configuration, be sure your vendor provides documentation on key rotation, applying patches to the key manager, upgrading the key manager to new versions, and problem determination. All of these aspects should be covered in vendor documentation.
While key management solutions have become much simpler over time, you should still expect to receive some operational and technical training from your encryption and key management vendor. Gone are the days when this meant a lot of on-site educational expense. Modern encryption and key management solutions may require only a few hours of coaching and training to deploy and maintain. Be sure your encryption and key management vendor has a program to deliver training in a timely fashion.
Many businesses have devalued their customer support experience, which can be a problem for all key manager users. When you have a problem with encryption or key management, it’s likely to affect your application service levels. Before acquiring your key management solution be sure to schedule time with the customer support group. Do they have a formal problem tracking system? Do you have access to all problem tickets you raise? Does the customer support group respond in a timely fashion? Is there a 24/7 response number? All of the normal customer support questions you might ask are relevant to a VMware key management solution. We all know what really bad customer support looks like, so be sure there is a good team standing behind the solution you deploy.
The modern enterprise is often geographically distributed, which can make deployment and training difficult. While VMware encryption key management solutions can be simple to deploy and configure, you may want to be sure your vendor can send staff on-site for support.
VMware virtualization has been a game-changing technology for IT, providing efficiencies and capabilities that have previously been impossible for organizations constrained within traditional IT data center worlds. With VMware, organizations are able to reduce hardware costs, lower operational cost, and gain a clear path to move to the cloud. With the addition of encryption, you can deploy secure environments where there is less risk of data loss in the event of a breach.
The Alliance Key Manager client-side applications, software libraries, and SDKs fully integrate with Alliance Key Manager for key protection, and work naturally with your SQL Server, MongoDB, Windows, and Linux VMware VMs. The solution offers unparalleled security, flexibility, and affordability for all users of VMware Enterprise database. With no client-side software to install, customers can deploy Alliance Key Manager and install the PKI certificates on the database server to easily begin retrieving encryption keys.
By deploying as a virtualized encryption key manager, enterprises are able to reduce hardware costs, lower operational costs, minimize the IT footprint, and gain a clear path for a future move to the cloud. Using the same FIPS 140-2 compliant technology that is in our HSM and in use by over 3,000 customers, Townsend Security’s Alliance Key Manager for VMware brings a proven and mature encryption key management solution to VMware environments with a lower total cost of ownership.
The solution is available as an HSM, VMware instance, and in the cloud (Amazon Web Services, Microsoft Azure, and VMware vCloud), allowing organizations to meet compliance requirements (PCI DSS, HIPAA, GDPR, etc.) and security best practices. Townsend Security offers a 30-day, fully-functional evaluation of Alliance Key Manager.
Supported Versions of VMware
Alliance Key Manager for VMware supports VMware ESX, VMware vSphere (ESXi), vSAN, and vCloud.
VMware Technology Partner
Townsend Security is an Advanced tier VMware Technology Alliance Elite Partner (TAP) and Alliance Key Manager for VMware has achieved VMware Ready status, and vSphere and vSAN certification. This designation indicates that after a detailed validation process Alliance Key Manager for VMware has achieved VMware’s highest level of endorsement.
Alliance Key Manager
“A very cost effective solution in terms of performance, manageability, security, and availability. As a result, my company was quickly able to implement full database encryption leveraging the AKM as our key management solution in weeks. Comparable solutions could have taken months.”
The solution offers unparalleled security, flexibility and affordability for all users of VMware. With no client-side software to install, customers can deploy Alliance Key Manager and install the PKI certificates on the database server to easily begin retrieving encryption keys.
Alliance Key Manager is FIPS 140-2 compliant and in use by over 3,000 organizations worldwide. The solution is available as a hardware security module (HSM), VMware instance, and in the cloud (Amazon Web Services, Microsoft Azure, and VMware vCloud). Townsend Security offers a 30-day, fully-functional evaluation of Alliance Key Manager.