What is VMware Encryption?
VMware vSphere encryption was first introduced in vSphere 6.5 and vSAN 6.6; enabling encryption both in virtual machines (VMs) and disk storage. It only requires the vCenter vSphere Server, a third-party Key Management Server (KMS), and ESXi hosts to work. It is standards based, KMIP compatible, and easy-to-deploy.
|Click here to view this eBook offline|
Introduction: VMware Encryption for Data-at-Rest
The VMware story began in 1998 when five forward-thinking technologists launched an innovative virtualized computing solution. Shortly thereafter, it was the first commercially successful company to virtualize x86 architecture. Today VMware is a top-tier cloud computing and virtualization provider, and a popular solution for organizations moving to the cloud. VMware’s desktop software runs on Microsoft Windows, Linux, and MacOS, while its enterprise software hypervisor for servers, VMware ESXi, is a bare-metal hypervisor that runs directly on server hardware without needing an additional underlying OS.
In our increasingly insecure cyber world, VMware understands the critical nature of robust security solutions, including encryption capabilities. We need strong encryption and key management solutions that run natively in our virtual environments and meet compliance regulations.
To provide insight on how to best deploy encryption and encryption key management in VMware, this comprehensive guide will provide an overview of the powerful encryption capabilities for both VMs and vSAN and how to easily deploy them. From there, we will look at best practices, compliance regulations, infrastructure considerations, and much more.
If you’d like to first learn the fundamentals of encryption and key management before diving in, please view The Definitive Guide to Encryption Key Management Fundamentals.
How to Deploy vSphere VM Encryption
With vSphere 6.5 and above, you can now encrypt your VMs to help protect sensitive data-at-rest and to meet compliance regulations. vSphere encryption allows you to encrypt existing virtual machines as well as encrypt new VMs right out of the box.
Additionally, vSphere VM encryption not only protects your virtual machine but can also encrypt your other associated files. So, how does vSphere encryption work?
- First, install and configure your KMIP compliant key management server (KMS), such as our Alliance Key Manager, and register it to the vSphere KMS Cluster.
- Next, you must set up the KMS cluster.
- When you add a KMS cluster, vCenter will prompt you to make it the default. vCenter will provision the encryption keys from the cluster you designate as the default.
- Then, when encrypting, the ESXi host generates internal DEKs to encrypt the VMs, files, and disks.
- The vCenter Server then requests a key from Alliance Key Manager. This key is used as the KEK.
- ESXi then uses the KEK to encrypt the DEK and only the encrypted DEK is stored locally on the disk along with the KEK ID.
- The KEK is safely stored in Alliance Key Manager. ESXi never stores the KEK on disk. Instead, vCenter Server stores the KEK ID for future reference. This way, your encrypted data stays safe even if you lose a backup or a hacker accesses your VMware environment.
vSphere VM Encryption Best Practices
VMs are a powerful tool that helps you realize greater IT efficiencies, reduced operating costs, and achieve unmatched flexibility. Because of this, organizations typically have mission-critical information in VMs. This means that getting encryption right the first time is paramount.
As you begin your VM encryption project, keep these in mind to avoid some of the more common pitfalls:
- Do not encrypt any vCenter Server Appliance VMs. These are vital to the functioning of VMware and should never be encrypted.
- Do not edit either VMX files or VMDK descriptor files as they contain the encryption bundle. Your changes may make the VM unrecoverable.
- Always designate a high availability failover key manager in your KMS cluster. If your primary key server goes down with no failover key server in place, your encrypted VMs will be unable to be decrypted.
- Once you name your key management server (KMS) cluster, do not rename it. If you change the name of the KMS cluster (one that is in use), the ESXi host will be unable to find the KMS and a VM that is encrypted with a key encryption key (KEK) from that KMS will be unable to be decrypted.
- Once you encrypt a virtual machine, you cannot relocate the VM to a host that does not have the key ID information. Only a ESXi host with the key ID information for that VM can properly locate the encryption key for decryption.
Deploying vSAN Encryption
vSAN encryption is easy to enable and use. This means that securing your sensitive data with AES encryption is not a time-intensive task. To prove the point, here is a quick guide to getting encryption up and running for your vSAN clusters:
- First, install and configure your key management server (such as our Alliance Key Manager) and add its network address and port information to the vCenter KMS Cluster.
- Then, you will need to set up a domain of trust between vCenter Server, your KMS, and your vSAN host.
- You will do this by exchanging administrative certificates between your KMS and vCenter Server to establish trust.
- Then, vCenter Server will pass the KMS connection data to the vSAN host.
- From there, the vSAN host will only request keys from that trusted KMS.
- The ESXi host generates internal keys to encrypt each disk, generating a new key for each disk. These are known as the data encryption keys, or DEKs.
- The vCenter Server then requests a key from the KMS. This key is used by the ESXi host as the key encryption key, or KEK.
- The ESXi host then uses the KEK to encrypt the DEK and only the encrypted DEK is stored locally on the disk.
- The KEK is safely stored separately from the data and DEK in the KMS.
- Additionally, the KMS also creates a host encryption key, or HEK, for encrypting core dumps. The HEK is managed within the KMS to ensure you can secure the core dump and manage who can access the data.
That’s it! VMware has made encrypting your data in vSAN both simple and secure.
vSAN Encryption Best Practices
vSAN is powerful hyper-converged infrastructure that offers you greater performance and high scalability. vSAN encryption is easy to deploy but does have a few considerations in order to avoid issues down the road. Before you begin your vSAN encryption project, consider these VMware best practices:
- Do not deploy your KMS server on the same vSAN datastore that you are encrypting. This will encrypt your key managers and in some cases render them useless in recovery scenarios.
- Do not attempt to encrypt your witness host as they do not contain any sensitive data. They only contain metadata concerning other vSAN clusters and do not need to be encrypted.
- Encryption can be CPU intensive. For vSAN encryption, make sure AES-NI is enabled. It can significantly improve encryption performance.
- You should ensure that your Core dumps are encrypted. They can contain sensitive information such as encryption keys.
- When you decrypt a core dump, you should handle it as if it contains sensitive information. Core dumps may contain encryption keys either for the vSAN host and/or the data on it.
VMware Encryption—A Unified Strategy for All Your Databases/ Applications
VMware encryption allows organizations to uniformly manage their encryption for both VMs and vSAN and ensure that all sensitive data within VMware is secured; enabling them to create a unified encryption strategy for their sensitive data. Let’s look at some of the main advantages that VMware encryption provides:
- Encryption is configured and managed at the hypervisor level, not within an individual VM or vSAN cluster.
- vSphere encryption is agnostic in regards to what is stored.
- There are not multiple encryption products for each guest OS, database, or application.
- Encryption is policy based. Applying it, then, can be done to as many or few VMs or vSAN clusters that you want.
- You can bring your prefered key manager to manage your encryption keys. Since vSphere encryption is KMIP 1.1 compatible, you are free to use a FIPS 140-2 compliant encryption key manager, like Alliance Key Manager.
This is also good news if you have databases that do not have easy-to-deploy encryption or their encryption involves a costly upgrade. With VMware, transparent data encryption comes standard and ready-to-use. If you have sensitive data, VMware has an easy, secure, and standards based way to encrypt it.
That being said, your data doesn’t just live in one environment. When choosing which third-party encryption key management vendor to protect your VMware encryption, you should also think about your sensitive data everywhere. The ideal key management solution provides high availability, standards-based enterprise encryption key management to a wide range of applications and databases.
Microsoft SQL Server
In Standard edition before 2019, you’ll need to encrypt at the application level or with a third-party encryption solution. In Enterprise edition starting in 2008 and in Standard edition 2019, SQL Server has Transparent Data Encryption (TDE), Cell Level Encryption (CLE), and Extensible Key Manager (EKM). EKM enables SQL Server to utilize EKM providers offered by third-party encryption key management vendors. Townsend Security has an EKM provider.
You need three things to properly protect sensitive data: A key management solution to protect the critical encryption keys, an encryption solution for the SQL Server database, and they have to talk to each other. For the first part, the Alliance Key Manager for VMware solution provides a fully functional, enterprise key management solution that protects SQL Server databases. For encrypting SQL Server, the Alliance Key Manager solution comes with a full Microsoft SQL Server Extensible Key Management Provider, called Key Connection for SQL Server.
MongoDB offers AES encryption as part of the WiredTiger Storage Engine in the Enterprise edition of their offering. There are two options for storing encryption keys: In the database, in the clear; Or by using KMIP and a key manager (MongoDB strongly recommends the use of a key management solution). Alliance Key Manager is certified by MongoDB for use with the MongoDB Enterprise database to protect data-at-rest.
MySQL Enterprise provides encryption support directly in the database engine using industry standard 256-bit AES encryption. It allows MySQL Enterprise customers to meet a wide variety of compliance regulations including PCI DSS, GDPR, CCPA, HIPAA, FISMA, and many others. For encryption key management MySQL recommends the use of an external encryption key management solution like Alliance Key Manager, and uses the industry standard Key Management Interoperability Protocol (KMIP) to access encryption keys.
Drupal - There is no native encryption in Drupal. Users need to install modules, such as Key, Encrypt, and Townsend Security’s Key Connection For Drupal to encrypt private data in Drupal.
WordPress - As with Drupal, WordPress does not come with native encryption. But, there are plugins that not only provided 256 bit AES encryption but the means to utilize external encryption key management.
Windows IIS - Encryption needs to be done at the application level. This can be facilitated through the use of the Alliance Key Management Windows .NET SDK.
Software Development Kits (SDKs)
Java, .NET, PHP, Python, Perl, etc. - VMware offers release notes, developer guides, API references, and other documentation for current and past versions of API and SDK sets. Businesses who aren’t able or don’t want to encrypt at the database level have options to encrypt at the application level. Good key management vendors (such as Townsend Security) offer SDKs and sample code to make encryption at the application level easy.
Windows - Alliance Key Manager protects Windows .NET Client software with encryption and key management for applications. You can add the Townsend Security Windows .NET Client Assembly to your Windows projects to encrypt data at the application level.
Linux - Linux applications use a variety of database and storage methods that include MySQL, MongoDB, PostgreSQL, Amazon S3 and RDS, and many others. Like any application deployed on any operating system and storage mechanism, Linux applications need to protect sensitive data at rest using strong encryption.
Components of a VMware Encryption Strategy
The most effective way to secure data and ensure a company’s integrity is to deploy encryption. For any encryption deployment, there are two major components:
- Encryption of the sensitive data, usually in a Windows or Linux VM
- Protection of the encryption keys through robust key management solutions
An effective strategy in the VMware environment has to address both of these components.
vSphere VM and vSAN encryption enables creation of encrypted VMs or virtual disk storage and can encrypt existing VMs, along with virtual disks, and host core dump files. Because all files that contain sensitive information are encrypted, the entire VM or virtual disk is protected. Only administrators with encryption privileges can perform encryption and decryption tasks. Some files associated with a VM or virtual disk are not encrypted or are partially encrypted, because they don’t contain sensitive information, including log, VM configuration, and virtual disk descriptor files.
Three major components are used for encryption in VMware: a Key Management Server, a VMware vCenter Server®, and ESXi Hosts.
Key Management Server (KMS)
|Click here to view this eBook offline|
Encryption key management is the method used to protect and manage your encryption keys. The vCenter Server instance requests keys from an external KMS. The KMS generates and stores key encryption keys (KEKs) and passes them to the vCenter Server instance for distribution. As a Key Management Interoperability Protocol (KMIP) client, the vCenter Server system uses that protocol to facilitate use of the chosen KMS.
VMware vCenter Server®
The vCenter Server instance obtains keys from the KMS and transfers them to the ESXi hosts. It does not store or persist the KMS keys, but keeps a list of key IDs. The vCenter Server system checks the privileges of users who perform cryptographic operations. VMware vSphere Web Client assigns cryptographic operation privileges and limits the users who can perform these operations. The vCenter Server system adds cryptography events to the list of events that can be viewed and exported from the vSphere Web Client event console. Each event includes the user, time, key ID, and cryptographic operation.
The ESXi host is responsible for several aspects of the encryption workflow:
- Performs the encryption of VMs or virtual disks
- Ensures that guest data for encrypted VMs is not sent over the network without encryption
Encryption is performed by industry-standard OpenSSL libraries and algorithms. VM encryption does not impose any new hardware requirements, but uses a processor that supports the AES-NI instruction set to accelerate encryption and decryption operations.
Deploying Key Management in VMware
- Identify and document trusted and un-trusted applications. Properly identifying application groups based on the level of trust is critical for a secure implementation of virtualized applications and encryption key management services.
- Restrict physical access. Fundamental to all IT security implementations is proper security of the physical environment. This means proper physical security controls and data center monitoring, as well as robust auditing and procedural controls. These physical controls should also apply to VMware management and security applications access.
- Isolate security functions. Because security applications are often a target of cyber-criminals, you should isolate them into their own security workgroup and implement the highest level of VMware security. Only trusted VMware administrators should have access rights to the encryption key management solution, system logs, and audit reports. Actively monitor access to and use of all encryption key management, key retrieval, and encryption services.
- Change VMware default passwords. Review all VMware applications used to secure and manage your VMware environment and change the default passwords as recommended by VMware. Failure to change default passwords is one of the most common causes of security breaches.
- Implement network segmentation. You should implement network segmentation to isolate applications that process sensitive information from applications that do not require as high a level of trust. Additionally, you should provide network segmentation for all third-party security applications, such as your encryption and key management solution. Network segmentation is easy to accomplish with VMware network management and security applications. Do not rely on virtual network segmentation alone; use firewalls that are capable of properly securing virtual networks.
- Implement defense in-depth. VMware management and security applications provide for a high level of security and monitoring. They also include hooks and integration with third-party security applications that provide system log collection, active monitoring, intrusion detection, etc.
- Monitor VMware admin activity. Use an appropriate SIEM solution to collect VMware application and ESXi hypervisor system logs and perform active monitoring. The log collection and SIEM active monitoring solutions should be isolated into a security workgroup that contains other third-party security applications, such as Townsend Security’s Alliance Key Manager.
Why NIST Standards and AES Encryption Are Vital
When evaluating both your encryption and key management solutions, it’s important to look for certain certifications and validations.
One of these is from National Institute of Standards and Technology (NIST): NIST FIPS-197 which validates AES encryption. Why is verifying that your data is secured with AES encryption important? AES encryption uses a single, randomly generated key as a part of the encryption/decryption process and goes through up to 14 steps to encrypt the plaintext. This means that the only way to feasibly attack AES encryption is to guess or steal the encryption key. Given that the fastest computer would take billions of years to run through every permutation of a 256-bit AES key, the only reasonable way to break AES encryption is to steal the key.
That is why VMware also requires that you manage encryption keys according to NIST guidelines:
Encryption Key Management
FIPS 140-2 certification ensures that the key management software has been tested by third parties to meet the highest standards in key management technology, so you can establish strong key management. VMware OpenSSL FIPS Object Module meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-2, which details the U.S. and Canadian Government requirements for cryptographic modules. For VMware customers, FIPS 140-2 compliant encryption and key management are a key defense for data security.
Recognizing that each organization must take responsibility for its data no matter where it resides, the NIST standard calls for continuous monitoring of key management. This requires organizations to continuously monitor their environments to ensure their infrastructure, applications, and data remain in a secure state. VMware’s security functionality supports continuous monitoring.
The NIST standard calls for auditing to bring transparency to security operations. Your key management solution needs to support active collection and monitoring of audit and OS logs. The logs should integrate with your log collection and SIEM active monitoring systems. Built-in logging allows administrators to track all key retrieval, key management, and systems activity. In VMware, reports can be sent automatically to a central log management database or SIEM products for a timely and permanent record of activity. A KMS should audit all administrative and user functions, including both successful and failed operations, for security-relevant events. This includes detecting and recording the events, date and time of the events, and the identity or role of the entity initiating the events.
Getting VMware Encryption Key Management Right
Once data is encrypted, your private information depends on enterprise-level key management to keep that data safe. Without key management, encryption stands alone as only half of a solution. Encryption key management involves administering the full lifecycle of cryptographic keys and protecting them from loss or misuse. Protection of the encryption keys includes limiting access to the keys physically, logically, and through user/role access.
Encryption Key Lifecycle
A critical administrative component to encryption key management is the ability to manage the complete encryption key lifecycle. NIST defines all stages of a key’s lifecyle, including key generation, pre-activation, activation, distribution, revocation, post-activation, backup, escrow, and deletion. Through an administrative console, security administrators should be able to implement controls that allow access to keys by designating key users or user groups. They should also be able to set automatic key rotation policies, so that keys are retired and rolled over after any period of time. These controls help organizations meet data security requirements for some regulated industries. For example, the PCI DSS outlines key management requirements for cardholders or processors that can typically only be met using an enterprise-level encryption key management solution.
Beyond managing the key lifecycle, an enterprise key manager should actively audit and log all activity and functions performed on the key management server, and record these logs to an external event monitoring or logging server so that malicious activity can be detected in real time. Your key management solution should be compatible with common event-monitoring solutions and export logs in standardized formats in real-time. Also, your key management solution should also inherently enforce policy-based security functions that meet key management best practices such as separation of duties and dual control.
Separation of Duties
Separation of duties ensures that no single person controls multiple key management procedures and subsequent distribution of an encryption key. The person requesting the key and the person managing the key should be two different people. Dual control prevents any single person from controlling a key management process. For example, two security administrators should be required to authenticate access to the key server. While these policy-based controls are sometimes optional, they should always be available and easy to implement in your encryption key management solution.
Best Practices for Key Protection
There are several key management best practices that will ensure optimal key management performance and enforcement. On a technological and physical level, encryption keys should be stored in a logically or physically separate hardware or virtual key server, dedicated to performing only key management activities. The key manager should house a FIPS 140-2 validated pseudo-random number generator to create new keys and store those keys in a secure key database. Once generated and in use, encryption keys should be distributed for use over a secure Transport Layer Security (TLS) session using certificates to authenticate the user requesting the encryption key.
Also, enterprise key managers should perform real-time backup and high availability functions to prevent downtime and ensure business continuity. To accomplish this, each key server should perform active-active mirroring to one or more high availability servers as well as perform routine, automated backups to secure storage drives.
Additional Key Management Standards and Validation
VMware allows users to manage encryption keys using a third-party key management vendor through a standard key management protocol called KMIP. All of VMware’s KMS Certification tests contained in KMS plug-ins verify that the vendor’s KMIP KMS works with vSphere storage encryption feature and vSAN virtual disk. Testing consists of verifying the correct behavior of a KMS, ensuring that it does not introduce undesirable impacts on the operation of the system. VMware supports two types of KMIP:
- Switch-Based Encryption — With this method, the data leaves the host and travels in the clear until it reaches a switch, which then performs the encryption before sending the data on to the storage array. The switch might be a Fibre Channel switch or, in the case of NFS, a network switch. The switch typically also integrates with an external, KMIP-compliant key manager.
- Array-Based Encryption — With array-based encryption, the controller in a storage array encrypts the data as it is written to the disks. Encryption can be performed via custom application-specific integrated circuits (ASICs) in hardware or software. In both cases, key management can be achieved via an onboard key manager or through the use of an external KMIP-compliant key manager.
Payment Card Industry Data Security Standard (PCI DSS)
VMware meets the standards of the PCI DSS, which was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. For VMware users who need to meet compliance, Alliance Key Manager has been validated for PCI DSS in VMware by Coalfire, a PCI-qualified QSA assessor and independent IT and audit firm. Additionally, Alliance Key Manager for VMware can also help businesses meet other compliance regulations such as CCPA, HIPAA, GLBA/FFIEC, FISMA, etc.
Compliance Regulations and VMware
For many businesses, storing or processing credit card numbers, financial information, healthcare data, and other personally identifiable information (PII) in a virtual, shared environment is the norm. The challenge is meeting data security requirements and preventing unwanted access to sensitive data. The lack of compliance and failure to implement and execute a well-planned security strategy may lead to a breach in security resulting in data spillage, data compromise, loss of data integrity, loss of customer trust, legal actions, revenue loss, and even loss of business.
Industry and regulatory compliance standards help protect computing assets from multiple security vulnerabilities and misconfigurations, and minimize the risk in execution environments, such as development, test, and production.
With VMware, organizations that want to protect sensitive data can use encryption and key management to secure data, comply with industry security standards, protect against data loss, and help prevent data breaches. When considering encryption options, organizations must consider both governmental and private compliance regulations that require them to protect sensitive information. Most regulations require proper protection of PII. For example, the European Union General Data Protection Regulation (GDPR) imposes multiple demands upon global companies to protect the personal data of all European Union (EU) residents. The Payment Card Industry Data Security Standards (PCI DSS) requires that credit card numbers be encrypted in storage. The Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Acts (HIPAA/HITECH) require protection of Electronic Protected Health Information (ePHI). And the California Consumer Privacy Act (CCPA) safeguards PII that is gathered on persons while in the state of California.
These are just three of the many compliance regulations that today’s organizations must consider in their cybersecurity programs to ensure that they are in continual compliance with all of the relevant regulations as they change and expand.
VMware and GDPR
In response to escalating external and internal threats and uncertainty, lawmakers and regulators around the world have been strengthening their data security compliance requirements, implementing new legal frameworks and levying higher noncompliance penalties. This places organizations at tremendous risk for compliance violations, along with the resulting fines and remediation costs. On May 25th, 2018, the European Union made securing citizens’ data an even bigger challenge for companies doing business that involves handling their citizens’ data. That was launch day for the new European Union General Data Protection Regulation (GDPR),
The GDPR attempts to unify data protection laws in Europe and ensure that citizens’ rights and protections have a global impact. One area of concern for EU countries, among many, is the fact that U.S.-based cloud vendors can be subpoenaed by U.S. governments to provide access to specific information, even if it resides outside of the U.S. With this regulation, every organization will be forced to comply or face penalties, including damaging fines and even losing the opportunity to work within the EU. Specifically, the GDPR’s “right to be forgotten” rule provides individuals with specific rights to control the processing of their personal data and sets a new standard for protection of an individual’s personal data. Among the EU regulations is the rule that all customer and employee data must not be accessible to anyone outside of their home legal jurisdiction, except when given explicit consent on a per usage basis.
VMware Cloud on AWS, as an example, has been independently verified by Schellman & Company, LLC, to comply with the GDPR. In the language of the GDPR, when providing services to its customers via the VMware Cloud on AWS service offering, VMware is acting as a “data processor.” VMware’s customers may perform customer-defined data processing activities in relation to their own data within the services and, in doing so, act as “data controllers.” Data controllers may only appoint data processors who provide sufficient guarantees to implement appropriate technical and organizational measures to ensure processing meets GDPR’s requirements. GDPR also requires resilient and recoverable architectures to prevent unavailability of data. To support this directive, key managers should implement HA services to ensure high availability.
Encryption and key management can help meet GDPR’s privacy requirements, as well as citizens’ right of erasure (right to be forgotten). While the EU does not mandate that all organizations encrypt sensitive data, there is an exclusion for subject data breach notification and financial penalties for those organizations that use encryption and other security methods to protect the data. Thanks to VMware’s wide-ranging focus on security, implementing encryption and key management tools will help users meet requirements for GDPR.
VMware and PCI DSS
With all of the security breaches in the news and the occurrence of these incidents becoming more widespread, how can you ensure that your customers’ credit card information remains secure? This is the purpose of Payment Card Industry Data Security Standard (PCI DSS), which impacts all merchants who accept credit cards. PCI DSS requires merchants to protect sensitive cardholder information from loss, and use good security practices to detect and protect against security breaches. PCI DSS is applicable to all types of environments that store, process, or transmit cardholder data. This includes information such as Primary Account Numbers (PAN), as well as any other information that has been defined as cardholder data by PCI DSS. PCI DSS Section 3 outlines requirements for encryption and encryption key management protocols.
Even with this mandatory requirement, a vast majority of organizations still struggle to maintain PCI compliance, and the process is costing companies a great deal both to address the root cause of PCI audit failures and in, often severe, non-compliance fees. By proactively assessing their weakness around PCI compliance, and installing the cybersecurity solutions that can mitigate data breaches, companies will ensure their own data security and, therefore, compliance.
For these reasons, VMware offers a wide range of cybersecurity services and documentation to support and help organizations secure their data. For example, VMware has enlisted its Audit Partners, such as Coalfire, a PCI DSS-approved Qualified Security Assessor, to engage in a programmatic approach to evaluate VMware products and solutions for PCI DSS control capabilities, and then to document these capabilities in a set of reference architecture documents.
VMware also provides customers with access to vRealize Air Compliance, which assesses VMware vSphere-based virtualized environments according to specific compliance standards and risk profiles. Some of the available standards and profiles include multiple versions of the VMware vSphere Hardening Guide, PCI DSS 3.2, and HIPAA technical safeguards. Users can continuously assess their vCenter Server instances, ESXi hosts, VMs, and distributed port groups to ensure that they comply with the technical controls defined in the industry standards.
From a high level, the VMware software-defined data center (SDDC) provides software-defined infrastructures, software-defined networking, and management and security technologies capable of supporting, adhering to, and/or addressing control objectives relevant to PCI DSS to enable platform support of cardholder data environments (CDE). VMware EUC provides secure delivery mechanisms for any application, to any device, anywhere. Further, VMware’s vast network of partners provides added value with technologies capable of being inserted seamlessly and holistically to address additional requirements and enhance security.
VMware and HIPAA
The Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH) outlines data security regulations for the healthcare industry. While the HIPAA/HITECH does not specifically require encryption of sensitive data, a backdoor “safe harbor” mandate states that if a healthcare organization or one of its Business Associates (BA) does experience a data breach, and Protected Health Information (PHI) is not obscured using encryption or some other method, then that organization will be heavily penalized.
This is especially important when the outcomes for noncompliance are extremely critical due to civil and criminal penalties imposed by the Office for Civil Rights (OCR) Department of Health and Human Services (HHS), and the U.S. Department of Justice (DOJ). What’s more, there is a high probability for collateral impact due to failure to protect patient privacy, institutional trust, and economics. In extreme cases of breach or data loss, the fines and penalties are minor compared to the potential for litigation, recompense, and public relations improvements.
Compliance with the HIPAA Security Rules and HIPAA Privacy Rules for Electronic Protected Health Information (ePHI) requires the use of many security technologies and best practices to demonstrate strong efforts towards complying with this federal regulation. The ability to effectively secure ePHI and audit IT and security operations may involve both strong encryption and real-time and historical activity logs that relate to many systems.
VMware recognizes the following as critical areas that must be addressed by each covered entity and BA in the operation of healthcare information systems: security and compliance, the criticality and vulnerability of the assets needed to manage ePHI infrastructures, and the risks to which they are exposed. This approach provides management, IT architects, administrators, and auditors with high degrees of transparency into risks, solutions, and mitigation strategies for moving critical applications to the cloud in secure and compliant ways. By standardizing an approach to compliance and expanding the approach to include partners, VMware provides its customers a proven solution that more fully addresses their compliance needs.
Organizations can reduce the complexity and cost of HIPAA Security Rule compliance by replacing traditional non-integrated products with integrated solutions. To further address this gap, VMware, together with the VMware partner ecosystem delivers compliance-oriented integrated solutions, enabling compliance by automating the deployment, provisioning, and operation of regulated environments. In this way, VMware provides the solution reference architecture, HIPAA Security Rule specific guidance, and software solutions that businesses require to achieve continuous compliance, along with speed, efficiency, and agility for their applications.
California Consumer Privacy Act (CCPA)
Do I need to comply? If you collect data on people who are in California, and meet the minimum criteria (see below), and are not explicitly excluded, you must meet the requirements of the new law. Notice, this does not just apply to “California citizens”, but people who are in the state at the time of data collection. You are not exempt if your organization resides outside of California. If you collect data on people in California, assume you are covered by the law.
If you meet any of these criteria, you are required to meet the new CCPA law:
- You have $25 Million or more in annual revenue
- You collect information on 50,000 or more people
- You derive 50 percent or more of your revenue selling personal information to third parties
The law applies to both public and private organizations. There are some exclusions in the law: If your organization is already covered by equivalent privacy regulations such as HIPAA, GLBA, and others, you may be exempt. Don’t be fooled into a sense of complacency about this. The CCPA has privacy regulations that are not covered under those laws. If you think you are exempt, get legal advice on this point.
What information does it cover? The personal information covered by the CCPA is quite broad and extends into areas not covered under GDPR and other regulations. The current definition of sensitive consumer data includes:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
- Personal and commercial behaviors, and inferences from them.
- Characteristics of protected classifications under California or federal law
- Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- Biometric information
- Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
- Geolocation data
- Professional or employment-related information
- Education information
Am I required to encrypt sensitive data? If you want to avoid the risk of direct or class action litigation related to data loss you should encrypt the sensitive data. Individual and class action litigation only applies to unencrypted sensitive data that is disclosed or lost. The CCPA is clear on the need for encryption. If you lose unencrypted sensitive data this is direct evidence that you violated your duty to provide reasonable security procedures and practices to protect the sensitive information. See section 1798.150(a)(1).
Security Beyond Compliance
Along with regulatory compliance, there are many other reasons to optimize data security in VMware—including intellectual property and reputation protection.
Intellectual Property (IP)
Whether it's the plans for a new product, proprietary schematics for an existing product, or information that exposes your business processes, your business has a lot of IP information you want kept secret. Most companies place a priority on protecting PII, PHI, or CHD. But there is a lot of other information that could hurt, even cripple your company, should it get out. In fact, Deloitte estimates that IP data can constitute more than 80 percent of an enterprise company’s value.
That is why encryption should be thought of as a company wide initiative. Below is a short (and certainly not exhaustive) list of items that your company should be encrypting:
- Product/Solution Documents: If you rely on proprietary information to give you a competitive advantage in the marketplace, you need to encrypt any information that would give your competition a window into how your products or solutions work.
- Research and Development (R&D) Data: In the same vein, any R&D you are conducting is your advantage in tomorrow's competitive landscape. Don't let it be stolen from you because you did not properly secure it.
- Financial Reports: Most companies would love to spy on their competitors financial statements. Encrypt anything that could give you current financial position away.
- Legal Documentation: There is a lot of documentation, that if made public, could tarnish a company's reputation. You and your company need full confidence that what happens in the boardroom or HR office stays there.
A study sponsored by VMware and conducted by The Economist Intelligence Unit (EIU) found that reputational risk was C-suite executives’ greatest cybersecurity concern. A company or organization’s brand is the most valuable asset, because it touches all aspects of the enterprise, including growth and revenue. Further, the negative perception extends to a company’s products and services. Cyber attacks are also damaging to a company’s reputation, because it is not contained to the company itself — attacks also expose customers to the risk of identity theft or financial losses. Brand reputation is a fragile asset that, when compromised, is not easy to fix. It can take decades to build your reputation and consumer trust.
Critical Infrastructure for Encryption and Key Management
With Alliance Key Manager, we have done a lot to help companies deal with the concern about resilience of a key manager, because it is critical infrastructure including the following:
Hardware and Software Resilience
If you are properly protecting keys, an encryption key management solution becomes a part of your critical infrastructure. But if your key manager goes down, your applications stop functioning until you have key management back up. Alliance Key Manager addresses those concerns in a number of ways. One way is that the key manager is built for redundancy. We know that hardware can fail, so we implement a hardware platform that is resilient and has a lot of redundancy built in. As such, the first layer of keeping an encryption key manager up and running consistently is to have a good hardware platform or run in the cloud.
Backup and Recovery, High Availability, and Mirroring
Real-time mirroring of keys and policy around keys is critical for high availability and recovery. It is important for key management servers to mirror keys between multiple key managers over a secure and mutually authenticated TLS connection for hot backup and disaster recovery support. Organizations can choose to mirror key managers on-premises, in the cloud, or a hybrid of the two. If you have a failed server, a hardware problem, or network outage, you should be able to define fail-over servers and that will take place in real time.
Alliance Key Manager fully supports resilience through real-time mirroring. It is not an operating OS feature. The key server itself has implemented this mirroring capability. It is itself self-healing. So if two key servers are mirroring to each other and the network goes down, they will queue up those mirroring transactions, and when the network comes back, it will re-commit those changes. Alliance Key Manager is a robust facility for making sure you have good backups of your encryption keys.
Active monitoring is one of the core security recommendations to help prevent unauthorized access to sensitive systems and information. It is a requirement of a wide variety of compliance regulations such as PCI-DSS, HIPAA/HITECH Act, and many others. From a security perspective, active monitoring makes it into the SANS Top 20 list of things you should do, and is a key recommendation from the US Cyber Security teams.
VMware Key Management Server (KMS) Vendor Considerations
Generally, the considerations for sourcing encryption key management solutions for VMware will be similar to any relationship you develop with a vendor. The limited number of vendors in this space can limit the choices you have, but there are good solutions to choose from.
Vendors take a variety of approaches to licensing their key management solution. The main difference is in licensing constraints on the VMware side. You may start your first VMware encryption project with a rather limited scope. But as you continue to encrypt more sensitive data you may need to scale. Some encryption key management vendors license software based on the number of VMware instances that you place under protection. Others provide unlimited numbers of client-side licenses after you acquire the key manager. Be sure you understand the licensing terms of each solution you evaluate, and be sure to understand your long-term needs.
You should not need to license every end point that connects to the key server. The cost and complexity of licensing all endpoints is unnecessary and can be a huge barrier to getting data protection up and running quickly across the organization. Some vendors charge as much as $15,000 or more per connection. These hidden costs quickly add up and make a once-thought-of cost-effective solution an exorbitant expenditure within their environment. You should look for a key management solution that never:
- charges you fees for connecting a new end-point
- limits the number of end-points based on the model of the key manager
- limits the number of encryption keys generated or stored
- forces you to pay extra fees for software patches
- forces you to pay extra fees for routine software upgrades
Documentation on your VMware implementation will be crucial for long-term success. In addition to documentation on the installation and configuration, be sure your vendor provides documentation on key rotation, applying patches to the key manager, upgrading the key manager to new versions, and problem determination. All of these aspects should be covered in vendor documentation.
While key management solutions have become much simpler over time, you should still expect to receive some operational and technical training from your encryption and key management vendor. Gone are the days when this meant a lot of on-site educational expense. Modern encryption and key management solutions may require only a short period of coaching and training to deploy and maintain. Be sure your encryption and key management vendor has a program to deliver training in a timely fashion.
Many businesses have devalued their customer support experience, which can be a problem for all key manager users. When you have a problem with encryption or key management, it’s likely to affect your application service levels. Before acquiring your key management solution be sure to schedule time with the customer support group. Do they have a formal problem tracking system? Do you have access to all problem tickets you raise? Does the customer support group respond in a timely fashion? Is there a 24/7 response number? All of the normal customer support questions you might ask are relevant to a VMware key management solution. We all know what really bad customer support looks like, so be sure there is a good team standing behind the solution you deploy.
The modern enterprise is often geographically distributed, which can make deployment and training difficult. While VMware encryption key management solutions can be simple to deploy and configure, you may want to be sure your vendor can send staff on-site for support.
VMware virtualization has been a game-changing technology for IT, providing efficiencies and capabilities that have previously been impossible for organizations constrained within traditional IT data center worlds. With VMware, organizations are able to reduce hardware costs, lower operational cost, and gain a clear path to move to the cloud. With the addition of encryption, you can deploy secure environments where there is less risk of data loss in the event of a breach.
The Alliance Key Manager client-side applications, software libraries, and SDKs fully integrate with Alliance Key Manager for key protection, and work naturally with your SQL Server, MongoDB, Windows, and Linux VMware VMs. The solution offers unparalleled security, flexibility, and affordability for all users of VMware Enterprise database. With no client-side software to install, customers can deploy Alliance Key Manager and install the PKI certificates on the database server to easily begin retrieving encryption keys.
By deploying as a virtualized encryption key manager, enterprises are able to reduce hardware costs, lower operational costs, minimize the IT footprint, and have a clear path for a future move to the cloud. Using the same FIPS 140-2 compliant technology that is in our HSM and in use by over 3,000 customers, Townsend Security’s Alliance Key Manager for VMware brings a proven and mature encryption key management solution to VMware environments with a lower total cost of ownership.
The solution is available as a HSM, VMware instance, and in the cloud (Amazon Web Services, Microsoft Azure, IBM Cloud for VMware, and VMware vCloud), allowing organizations to meet compliance requirements (CCPA, PCI DSS, HIPAA, GDPR, etc.) and security best practices. Townsend Security offers a 30-day, fully-functional evaluation of Alliance Key Manager.
Supported Versions of VMware
Alliance Key Manager for VMware supports VMware ESX, VMware vSphere, vSAN, and vCloud.
VMware Technology Partner
Townsend Security is an Advanced tier VMware Technology Alliance Partner (TAP) and Alliance Key Manager for VMware has achieved VMware Ready status, and vSphere and vSAN certification. This designation indicates that after a detailed validation process Alliance Key Manager for VMware has achieved VMware’s highest level of endorsement.
Alliance Key Manager
“A very cost effective solution in terms of performance, manageability, security, and availability. As a result, my company was quickly able to implement full database encryption leveraging the AKM as our key management solution in weeks. Comparable solutions could have taken months.”
The solution offers unparalleled security, flexibility and affordability for all users of VMware. With no client-side software to install, customers can deploy Alliance Key Manager and install the PKI certificates on the database server to easily begin retrieving encryption keys.Alliance Key Manager is FIPS 140-2 compliant and in use by over 3,000 organizations worldwide. The solution is available as a hardware security module (HSM), VMware instance, and in the cloud (Amazon Web Services, Microsoft Azure, and VMware vCloud). Townsend Security offers a 30-day, fully-functional evaluation of Alliance Key Manager.