VMWARE ENCRYPTION & KEY MANAGEMENT
VMware virtualization has been a game-changing advancement for the IT industry. It has delivered efficiencies and capabilities that had previously been impossible for organizations struggling with constraints in the traditional IT data center world. When it comes to security, VMware is front and center in helping organizations secure their data from threats through encryption. One solution adds an important layer to VMware’s data security solution by giving enterprise organizations the ability to achieve the second critical function — manage their encryption keys. Use this guide to explore the key concepts of encrypting data in VMware and protecting encryption keys using a third-party enterprise encryption key manager.
CONTENTS
Introduction
Why Encrypt in VMware
Deploying Encryption
VMware Encryption - A Unified Strategy for All Your Data
Components of a VMware Encryption Strategy
Deploying Key Management in VMware
NIST Standard AES Encryption
Encryption Key Management
Additional Key Management Standards & Validations
Compliance and VMware
Security Beyond Compliance
Critical Infrastructure
Vendor Considerations
Summary
INTRODUCTION

The VMware story began in 1998 when five forward-thinking technologists launched an innovative virtualized computing solution. Shortly thereafter, it was the first commercially successful company to virtualize x86 architecture. Today VMware is a top-tier cloud computing and virtualization provider, and a popular solution for organizations moving to the cloud. VMware’s desktop software runs on Microsoft Windows, Linux, and macOS, while its enterprise hypervisor for servers, VMware ESXi, is a bare-metal hypervisor that runs directly on server hardware without needing an additional underlying OS.

In our increasingly insecure cyber world, VMware understands the critical nature of robust security solutions, including encryption capabilities. However, applying security in a VMware environment introduces unique challenges. Principally, in these environments, systems are no longer dedicated or share a common physical architecture. They also face unique security challenges related to running data processing and storage in the cloud. Questions around deployment and how to get the most out of native encryption tools are often barriers to implementation. These issues not only present new risks for data breaches, but also expose organizations to a higher risk of non-compliance with an expanding body of regulatory directives.

Due to these issues and others, security of sensitive data stored and processed on VMware virtual machines (VMs) and in the cloud is a critical concern for many customers. VMware customers need strong encryption and key management solutions that run natively in their virtual environments and provably meet compliance regulations.

VMware vSphere encryption was first introduced in vSphere 6.5 and vSAN 6.6, enabling encryption of both virtual machines (VMs) and disk storage. It requires only the vCenter Server, a third-party Key Management Server (KMS), and ESXi hosts to work. It is standards based, KMIP compatible, and easy to deploy.

To provide insight on how best to deploy encryption and encryption key management in VMware, this comprehensive guide overviews the landscape for securing data in a virtual world.
WHY ENCRYPT IN VMWARE

Encrypting virtual machines (VMs) is an important step organizations take to protect their confidential applications and data. Encryption is a mechanism used to protect data by transforming it into an unreadable format, so that it is completely private from anyone not explicitly approved to read it through decryption. Gaining access to encrypted information requires a person or application to possess the “key” to open the encryption formula and convert the data back to its original readable format. In this way, encryption provides a fail-safe mechanism: if all other cybersecurity measures fail and data is stolen, the information is still protected because it is unreadable and, therefore, useless to the person or machine trying to access it. The data remains secure and compliant. VMware provides several options for deploying encryption functionality.

Townsend Security’s Alliance Key Manager is a FIPS 140-2 compliant enterprise key manager that helps organizations meet compliance requirements and protect private information. The symmetric encryption key management solution creates, manages, and distributes 128-bit, 192-bit, and 256-bit AES keys for any application or database running on any enterprise operating system. Townsend Security deploys ready-to-use security applications for vSphere, MongoDB, Microsoft SQL Server Transparent Data Encryption (TDE) and Cell Level Encryption (CLE), Microsoft SharePoint encryption, and other applications. We also provide client side applications, SDKs, and sample code free of charge. The solution can be deployed in VMware, the cloud (AWS or Microsoft Azure), or as a hardware security module (HSM).
PROTECTING VMS AT REST AND IN TRANSIT

One of the advantages of VMs is that they are portable. Pick up a VM image and you can run it on any physical server. However, this also means anyone who has access to the image also has access to its files and data. VMs are also vulnerable when a running machine is transferred to another server. Anyone who has access to the network will also have access to the VM and its data. When using VMware, you can use encryption to protect your VMs both at rest and in transit, just like any other data you store and transmit.

ENCRYPTION IN VMWARE

VMware includes encryption in vSphere 6.5, making it easy to encrypt without using third-party hardware or software. The encryption features protect both VMDK images and vMotion transfers of VMs. Encryption is fully managed by the hypervisor, so keys are not known to the VM and there’s no potential exploit in the guest OS. With Alliance Key Manager, you can implement vSphere encryption to protect the VMs at rest, and also implement database encryption to protect the database. In some cases this means encrypting data twice, but each layer adds protection.
ENCRYPTION KEYS

Encrypting VMs relies on keys, so you need to have an encryption key manager (software or hardware) when using VM encryption. Without keys, encrypted VM files cannot be read or executed. When encrypting a VM, the disk files, snapshots, swap files, and dumps are all protected. A few remaining configuration and log files are not encrypted, because they aren’t sensitive or because they must stay readable by operations that need to check the encryption status of the disks. VMware does report some minimal overhead from encryption and decryption operations. However, if performance remains a concern, running on servers that support AES-NI instructions speeds up the encryption process.

When encrypting VMs on vMotion, a random one-time key is generated and sent to the hosts involved in the vMotion process. In this case, it’s not the network that’s protected, but the VM itself. As a result, snooping is not possible. Further, certificates are not required, and users don’t need to worry about network settings. Encrypted VMs require encrypted vMotion, but you can use encrypted vMotion even on unencrypted VMs. To ensure high availability, VMware uses automatic failover for key management through the definition of vSphere KMS Clusters.

vSphere allows users to control whether encryption is applied to a VM’s virtual disks or configuration files through storage policies. You also have control over who can manage encryption in VMware. It isn’t necessary, or even advisable, to grant encryption privileges to every VM administrator. Restricting this critical function enhances your security posture.
DEPLOYING ENCRYPTION

HOW TO DEPLOY VSPHERE VM ENCRYPTION

With vSphere 6.5 and above, you can encrypt your VMs to help protect sensitive data at rest and to meet compliance regulations. vSphere encryption allows you to encrypt existing virtual machines as well as new VMs right out of the box. Additionally, vSphere VM encryption not only protects your virtual machine but can also encrypt its other associated files. So, how does vSphere encryption work?

• First, install and configure your KMIP compliant key management server (KMS), such as our Alliance Key Manager, and register it to the vSphere KMS Cluster.
• Next, you must set up the KMS cluster. When you add a KMS cluster, vCenter will prompt you to make it the default. vCenter will provision the encryption keys from the cluster you designate as the default.
• Then, when encrypting, the ESXi host generates internal data encryption keys (DEKs) to encrypt the VMs, files, and disks.
• The vCenter Server then requests a key from Alliance Key Manager. This key is used as the key encryption key (KEK).
• ESXi then uses the KEK to encrypt the DEK, and only the encrypted DEK is stored locally on the disk along with the KEK ID.
• The KEK is safely stored in Alliance Key Manager. ESXi never stores the KEK on disk. Instead, vCenter Server stores the KEK ID for future reference. This way, your encrypted data stays safe even if you lose a backup or a hacker accesses your VMware environment.

VSPHERE VM ENCRYPTION BEST PRACTICES

VMs are a powerful tool that help you realize greater IT efficiencies, reduce operating costs, and achieve unmatched flexibility. Because of this, organizations typically have mission-critical information in VMs. This means that getting encryption right the first time is paramount. As you begin your VM encryption project, keep these points in mind to avoid some of the common pitfalls:

• Do not encrypt any vCenter Server Appliance VMs. These are vital to the functioning of VMware and should never be encrypted.
• Do not edit either VMX files or VMDK descriptor files, as they contain the encryption bundle. Your changes may make the VM unrecoverable.
• Always designate a high availability failover key manager in your KMS cluster. If your primary key server goes down with no failover key server in place, your encrypted VMs cannot be decrypted.
• Once you name your key management server (KMS) cluster, do not rename it. If you change the name of a KMS cluster that is in use, the ESXi host will be unable to find the KMS, and a VM encrypted with a key encryption key (KEK) from that KMS cannot be decrypted.
• Once you encrypt a virtual machine, you cannot relocate the VM to a host that does not have the key ID information. Only an ESXi host with the key ID information for that VM can locate the encryption key for decryption.
HOW TO DEPLOY VSAN ENCRYPTION

vSAN encryption is easy to enable and use. This means that securing your sensitive data with AES encryption is not a time-intensive task. To prove the point, here is a quick guide to getting encryption up and running for your vSAN clusters:

• First, install and configure your key management server (such as our Alliance Key Manager) and add its network address and port information to the vCenter KMS Cluster.
• Then, you will need to set up a domain of trust between vCenter Server, your KMS, and your vSAN host.
• You will do this by exchanging administrative certificates between your KMS and vCenter Server to establish trust.
• Then, vCenter Server will pass the KMS connection data to the vSAN host.
• From there, the vSAN host will only request keys from that trusted KMS.
• The ESXi host generates internal keys to encrypt each disk, generating a new key for each disk. These are known as the data encryption keys, or DEKs.
• The vCenter Server then requests a key from the KMS. This key is used by the ESXi host as the key encryption key, or KEK.
• The ESXi host then uses the KEK to encrypt the DEK, and only the encrypted DEK is stored locally on the disk.
• The KEK is safely stored separately from the data and DEK in the KMS.
• Additionally, the KMS also creates a host encryption key, or HEK, for encrypting core dumps. The HEK is managed within the KMS to ensure you can secure the core dump and manage who can access the data.

That’s it! VMware has made encrypting your data in vSAN both simple and secure.
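Both procedures above describe the same envelope: a per-VM or per-disk DEK generated on the host, wrapped under a KEK that only the KMS holds, with just the wrapped DEK and the KEK ID written to disk. The Go program below is an added illustration of that envelope, not VMware's or Townsend Security's code; the in-memory KMS type, its hex KEK IDs and AES-256-GCM as the wrapping primitive are assumptions made for the example, and its failure path (an unknown KEK ID) mirrors the warnings above about renamed KMS clusters and missing failover key servers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// KMS is a constructed stand-in for the external KMIP key manager; KEKs live in the clear here and nowhere else.
type KMS map[string][]byte

// mustRandom draws n CSPRNG bytes; key material must never come from anything weaker.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKEK generates a 256-bit KEK and returns its ID, the only reference vCenter keeps.
func (k KMS) NewKEK() string {
	id := hex.EncodeToString(mustRandom(8))
	k[id] = mustRandom(32)
	return id
}

// GetKEK fails closed on an unknown ID, which is what an ESXi host sees when its recorded KMS cluster was renamed or has no failover member.
func (k KMS) GetKEK(id string) ([]byte, error) {
	if kek, ok := k[id]; ok {
		return kek, nil
	}
	return nil, errors.New("KMS: unknown KEK ID " + id)
}

// EncryptedVM is what reaches the datastore: the encrypted disk, the DEK
// wrapped under the KEK, and the KEK ID. The KEK itself is never written.
type EncryptedVM struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// newGCM builds AES-256-GCM; keys here are always 32 generated bytes, so an error is a bug.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts with AES-GCM and prepends the random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or tampered data fails authentication.
func open(key, data []byte) ([]byte, error) {
	gcm := newGCM(key)
	ns := gcm.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:ns], data[ns:], nil)
}

// EncryptVM plays the ESXi host: a fresh DEK encrypts the disk, then the DEK
// is wrapped under the KEK that vCenter requested from the KMS by ID.
func EncryptVM(kms KMS, kekID string, disk []byte) (*EncryptedVM, error) {
	kek, err := kms.GetKEK(kekID)
	if err != nil {
		return nil, err
	}
	dek := mustRandom(32)
	return &EncryptedVM{KEKID: kekID, WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, disk)}, nil
}

// DecryptVM fetches the KEK by the stored ID, unwraps the DEK and decrypts.
// Without a KMS that holds this KEK ID the VM stays unreadable.
func DecryptVM(kms KMS, vm *EncryptedVM) ([]byte, error) {
	kek, err := kms.GetKEK(vm.KEKID)
	if err != nil {
		return nil, err
	}
	dek, err := open(kek, vm.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, vm.Ciphertext)
}
```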
VSAN ENCRYPTION BEST PRACTICES

vSAN is a powerful hyper-converged infrastructure that offers greater performance and high scalability. vSAN encryption is easy to deploy but has a few considerations to avoid issues down the road. Before you begin your vSAN encryption project, consider these VMware best practices:

• Do not deploy your KMS server on the same vSAN datastore that you are encrypting. This will encrypt your key managers and in some cases render them useless in recovery scenarios.
• Encryption can be CPU intensive. For vSAN encryption, make sure AES-NI is enabled. It can significantly improve encryption performance.
• Ensure that your core dumps are encrypted. They can contain sensitive information such as encryption keys.
• When you decrypt a core dump, handle it as if it contains sensitive information. Core dumps may contain encryption keys for the vSAN host and/or the data on it.
VMWARE ENCRYPTION - A UNIFIED STRATEGY FOR ALL YOUR DATA

VMware encryption allows organizations to uniformly manage their encryption for both VMs and vSAN and ensure that all sensitive data within VMware is secured, enabling them to create a unified encryption strategy for their sensitive data. Let’s look at some of the main advantages that VMware encryption provides:

• Encryption is configured and managed at the hypervisor level, not within an individual VM or vSAN cluster.
• vSphere encryption is agnostic in regards to what is stored.
• There are not multiple encryption products for each guest OS, database, or application.
• Encryption is policy based. It can therefore be applied to as many or as few VMs or vSAN clusters as you want.
• You can bring your preferred key manager to manage your encryption keys. Since vSphere encryption is KMIP 1.1 compatible, you are free to use a FIPS 140-2 compliant encryption key manager, like Alliance Key Manager.

This is also good news if you have databases that do not have easy-to-deploy encryption or whose encryption involves a costly upgrade. With VMware, transparent data encryption comes standard and ready to use. If you have sensitive data, VMware has an easy, secure, and standards based way to encrypt it.

That being said, your data doesn’t just live in one environment. When choosing which third-party encryption key management vendor will protect your VMware encryption, you should also think about your sensitive data everywhere. The ideal key management solution provides high availability, standards-based enterprise encryption key management to a wide range of applications and databases.
MICROSOFT SQL SERVER

In Standard edition before 2019, you’ll need to encrypt at the application level or with a third-party encryption solution. In Enterprise edition starting in 2008 and in Standard edition 2019, SQL Server has Transparent Data Encryption (TDE), Cell Level Encryption (CLE), and Extensible Key Management (EKM). EKM enables SQL Server to utilize EKM providers offered by third-party encryption key management vendors. Townsend Security has an EKM provider.

You need three things to properly protect sensitive data: a key management solution to protect the critical encryption keys, an encryption solution for the SQL Server database, and a way for the two to talk to each other. For the first part, the Alliance Key Manager for VMware solution provides a fully functional, enterprise key management solution that protects SQL Server databases. For encrypting SQL Server, the Alliance Key Manager solution comes with a full Microsoft SQL Server Extensible Key Management Provider, called Key Connection for SQL Server.

MONGODB

MongoDB offers AES encryption as part of the WiredTiger storage engine in the Enterprise edition of their offering. There are two options for storing encryption keys: in the database, in the clear, or by using KMIP and a key manager (MongoDB strongly recommends the use of a key management solution). Alliance Key Manager is certified by MongoDB for use with the MongoDB Enterprise database to protect data at rest.

MYSQL

MySQL Enterprise provides encryption support directly in the database engine using industry standard 256-bit AES encryption. It allows MySQL Enterprise customers to meet a wide variety of compliance regulations including PCI DSS, GDPR, CCPA, HIPAA, FISMA, and many others. For encryption key management MySQL recommends the use of an external encryption key management solution like Alliance Key Manager, and uses the industry standard Key Management Interoperability Protocol (KMIP) to access encryption keys.

WEB APPLICATIONS

DRUPAL

There is no native encryption in Drupal core. Users need to install modules, such as Key, Encrypt, and Townsend Security’s Key Connection for Drupal, to encrypt private data in Drupal.
WORDPRESS

As with Drupal, WordPress does not come with native encryption. But there are plugins that provide not only 256-bit AES encryption but also the means to properly manage the keys.

WINDOWS IIS

Encryption needs to be done at the application level. This can be facilitated through the use of the Alliance Key Manager Windows .NET SDK.

SOFTWARE DEVELOPER KITS (SDKS)

JAVA, .NET, PHP, PYTHON, PERL, ETC.

VMware offers release notes, developer guides, API references, and other documentation for current and past versions of API and SDK sets. Businesses that aren’t able or don’t want to encrypt at the database level have options to encrypt at the application level. Good key management vendors (such as Townsend Security) offer SDKs and sample code to make encryption at the application level easy.

WINDOWS

Alliance Key Manager protects Windows .NET client software with encryption and key management for applications. You can add the Townsend Security Windows .NET Client Assembly to your Windows projects to encrypt data at the application level.

LINUX

Linux applications use a variety of database and storage methods that include MySQL, MongoDB, PostgreSQL, Amazon S3 and RDS, and many others. Like any application deployed on any operating system and storage mechanism, Linux applications need to protect sensitive data at rest using strong encryption.

“Townsend Security collaborates with developers and IT professionals around the world. We know that developers use a wide variety of languages and platforms to accomplish their work.”
COMPONENTS OF A VMWARE ENCRYPTION STRATEGY

The most effective way to secure data and ensure a company’s integrity is to deploy encryption. For any encryption deployment, there are two major components:

1. Encryption of the sensitive data, usually in a Windows or Linux VM
2. Protection of the encryption keys through robust key management solutions

vSphere VM and vSAN encryption enable creation of encrypted VMs or virtual disk storage and can encrypt existing VMs, along with virtual disks and host core dump files. Because all files that contain sensitive information are encrypted, the entire VM or virtual disk is protected. Only administrators with encryption privileges can perform encryption and decryption tasks. Some files associated with a VM or virtual disk are not encrypted or are only partially encrypted because they don’t contain sensitive information; these include log, VM configuration, and virtual disk descriptor files.

Three major components are used for encryption in VMware: a Key Management Server, a VMware vCenter Server®, and ESXi hosts.

KEY MANAGEMENT SERVER (KMS)

Encryption key management is the method used to protect and manage your encryption keys. The vCenter Server instance requests keys from an external KMS. The KMS generates and stores key encryption keys (KEKs) and passes them to the vCenter Server instance for distribution. As a KMIP client, the vCenter Server system uses that protocol to communicate with the chosen KMS.

VMWARE VCENTER SERVER®

The vCenter Server instance obtains keys from the KMS and transfers them to the ESXi hosts. It does not store or persist the KMS keys, but keeps a list of key IDs. The vCenter Server system checks the privileges of users who perform cryptographic operations. The VMware vSphere Web Client assigns cryptographic operation privileges and limits the users who can perform these operations. The vCenter Server system adds cryptography events to the list of events that can be viewed and exported from the vSphere Web Client event console. Each event includes the user, time, key ID, and cryptographic operation.

ESXI HOSTS

The ESXi host is responsible for several aspects of the encryption workflow:
• Performs the encryption of VM disks
• Ensures that guest data for encrypted VMs is not sent over the network without encryption

Encryption is performed by the industry-standard OpenSSL libraries and algorithms. VM encryption does not impose any new hardware requirements, but a processor that supports the AES-NI instruction set accelerates encryption and decryption operations.
DEPLOYING KEY MANAGEMENT IN VMWARE

1] Identify and document trusted and un-trusted applications.
Properly identifying application groups based on the level of trust is critical for a secure implementation of virtualized applications and encryption key management services.

2] Restrict physical access.
Fundamental to all IT security implementations is proper security of the physical environment. This means proper physical security controls and data center monitoring, as well as robust auditing and procedural controls. These physical controls should also apply to access to VMware management and security applications.

3] Isolate security functions.
Because security applications are often a target of cyber-criminals, you should isolate them into their own security workgroup and implement the highest level of VMware security. Only trusted VMware administrators should have access rights to the encryption key management solution, system logs, and audit reports. Actively monitor access to and use of all encryption key management, key retrieval, and encryption services.

4] Change VMware default passwords.
Review all VMware applications used to secure and manage your VMware environment and change the default passwords as recommended by VMware. Failure to change default passwords is one of the most common causes of security breaches.

5] Implement network segmentation.
You should implement network segmentation to isolate applications that process sensitive information from applications that do not require as high a level of trust. Additionally, you should provide network segmentation for all third-party security applications, such as your encryption and key management solution. Network segmentation is easy to accomplish with VMware network management and security applications. Do not rely on virtual network segmentation alone; use firewalls that are capable of properly securing virtual networks.

6] Implement defense in depth.
VMware management and security applications provide for a high level of security and monitoring. They also include hooks and integration with third-party security applications that provide system log collection, active monitoring, intrusion detection, etc.

7] Monitor VMware admin activity.
Use an appropriate SIEM solution to collect VMware application and ESXi hypervisor system logs and perform active monitoring. The log collection and SIEM active monitoring solutions should be isolated into a security workgroup that contains other third-party security applications, such as Townsend Security’s Alliance Key Manager.
NIST STANDARD AES ENCRYPTION

WHEN EVALUATING YOUR VM SOLUTION

When evaluating both your encryption and key management solutions, it’s important to look for certain certifications and validations. One of these is from the National Institute of Standards and Technology (NIST): NIST FIPS-197, which validates AES encryption. Why is verifying that your data is secured with AES encryption important? AES encryption uses a single, randomly generated key as part of the encryption/decryption process and goes through up to 14 rounds to encrypt the plaintext. This means that the only feasible way to attack AES encryption is to guess or steal the encryption key. Given that the fastest computer would take billions of years to run through every permutation of a 256-bit AES key, the only reasonable way to break AES encryption is to steal the key.

That is why VMware also requires that you manage encryption keys according to NIST guidelines:

ENCRYPTION KEY MANAGEMENT

FIPS 140-2 certification ensures that the key management software has been tested by third parties to meet the highest standards in key management technology, so you can establish strong key management. The VMware OpenSSL FIPS Object Module meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-2, which details the U.S. and Canadian Government requirements for cryptographic modules. For VMware customers, FIPS 140-2 compliant encryption and key management are a key defense for data security.

CONTINUOUS MONITORING

Recognizing that each organization must take responsibility for its data no matter where it resides, the NIST standard calls for continuous monitoring of key management. This requires organizations to continuously monitor their environments to ensure their infrastructure, applications, and data remain in a secure state. VMware’s security functionality supports continuous monitoring.

AUDITING

The NIST standard calls for auditing to bring transparency to security operations. Your key management solution needs to support active collection and monitoring of audit and OS logs. The logs should integrate with your log collection and SIEM active monitoring systems. Built-in logging allows administrators to track all key retrieval, key management, and systems activity. In VMware, reports can be sent automatically to a central log management database or SIEM products for a timely and permanent record of activity. A KMS should audit all administrative and user functions, including both successful and failed operations, for security-relevant events. This includes detecting and recording the events, the date and time of the events, and the identity or role of the entity initiating the events.
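As an added example, not taken from the guide or from any vendor's product, the program below reviews exported cryptographic events that carry the fields named above (user, time, key ID, operation) plus the success-or-failure outcome a KMS audit trail must record, and flags failed operations, operations by users who are not designated crypto administrators, and lines the collector cannot parse. The line format, operation names, user names and key ID are constructed for illustration and are not the syntax of vCenter or any real KMS.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AuditEvent carries the fields the guide says vCenter records for each
// cryptographic event (user, time, key ID, operation) plus the outcome a
// KMS audit trail must capture for successful and failed operations alike.
type AuditEvent struct {
	Time   time.Time
	User   string
	Op     string
	KeyID  string
	Result string
}

// ParseEvent reads one line of the constructed "<RFC3339> key=value ..."
// export format used here; it is not the syntax of vCenter or any real KMS.
func ParseEvent(line string) (AuditEvent, error) {
	var ev AuditEvent
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return ev, fmt.Errorf("malformed event %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return ev, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev.Time = ts
	for _, f := range fields[1:] {
		key, val, ok := strings.Cut(f, "=")
		if !ok {
			return ev, fmt.Errorf("bad field %q in %q", f, line)
		}
		switch key {
		case "user":
			ev.User = val
		case "op":
			ev.Op = val
		case "keyID":
			ev.KeyID = val
		case "result":
			ev.Result = val
		}
	}
	if ev.User == "" || ev.Op == "" || ev.Result == "" {
		return ev, fmt.Errorf("event missing user, op or result: %q", line)
	}
	return ev, nil
}

// Review returns one finding per condition worth an analyst's attention:
// a failed operation, a cryptographic operation by anyone outside the small
// set of crypto administrators, and a line the collector could not parse
// (a gap in the audit trail is itself a finding).
func Review(lines []string, cryptoAdmins map[string]bool) []string {
	var findings []string
	for _, line := range lines {
		ev, err := ParseEvent(line)
		if err != nil {
			findings = append(findings, "unparseable audit line: "+err.Error())
			continue
		}
		when := ev.Time.Format(time.RFC3339)
		if ev.Result != "SUCCESS" {
			findings = append(findings, fmt.Sprintf("%s: %s %s on key %s by %s",
				when, ev.Result, ev.Op, ev.KeyID, ev.User))
		}
		if !cryptoAdmins[ev.User] {
			findings = append(findings, fmt.Sprintf("%s: %s performed %s without crypto admin role",
				when, ev.User, ev.Op))
		}
	}
	return findings
}

// SampleEvents are constructed export lines, not output of any real system.
var SampleEvents = []string{
	"2024-03-02T10:14:09Z user=alice op=Encrypt keyID=3f9a result=SUCCESS",
	"2024-03-02T10:15:30Z user=bob op=Decrypt keyID=3f9a result=FAILURE",
	"2024-03-02T10:16:02Z user=alice op=Recrypt keyID=3f9a result=SUCCESS",
	"2024-03-02T10:17:45Z user=svc-backup op=RetrieveKey keyID=3f9a result=SUCCESS",
	"kernel: unrelated syslog noise",
}

func main() {
	for _, f := range Review(SampleEvents, map[string]bool{"alice": true}) {
		fmt.Println(f)
	}
}
```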
Figure: Encryption key lifecycle: key generation, pre-activation, activation, expiration, post-activation, escrow, destruction.
ENCRYPTION KEY MANAGEMENT

Once data is encrypted, your private information depends on enterprise-level key management to keep that data safe. Without key management, encryption stands alone as only half of a solution. Encryption key management involves administering the full lifecycle of cryptographic keys and protecting them from loss or misuse. Protection of the encryption keys includes limiting access to the keys physically, logically, and through user/role access.

ENCRYPTION KEY LIFECYCLE

A critical administrative component of encryption key management is the ability to manage the complete encryption key lifecycle. NIST defines all stages of a key’s lifecycle, including key generation, pre-activation, activation, distribution, revocation, post-activation, backup, escrow, and deletion. Through an administrative console, security administrators should be able to implement controls that allow access to keys by designating key users or user groups. They should also be able to set automatic key rotation policies, so that keys are retired and rolled over after any period of time. These controls help organizations meet data security requirements for some regulated industries. For example, the PCI DSS outlines key management requirements for cardholders or processors that can typically only be met using an enterprise-level encryption key management solution.

POLICY-BASED CONTROLS

Beyond managing the key lifecycle, an enterprise key manager should actively audit and log all activity and functions performed on the key management server, and record these logs to an external event monitoring or logging server so that malicious activity can be detected in real time. Your key management solution should be compatible with common event-monitoring solutions and export logs in standardized formats in real time. Your key management solution should also inherently enforce policy-based security functions that meet key management best practices such as separation of duties and dual control.

SEPARATION OF DUTIES

Separation of duties ensures that no single person controls multiple key management procedures and the subsequent distribution of an encryption key. The person requesting the key and the person managing the key should be two different people. Dual control prevents any single person from controlling a key management process. For example, two security administrators should be required to authenticate access to the key server. While these policy-based controls are sometimes optional, they should always be available and easy to implement in your encryption key management solution.
BEST PRACTICES FOR KEY PROTECTION

There are several key management best practices that will ensure optimal key management performance and enforcement. On a technological and physical level, encryption keys should be stored in a logically or physically separate hardware or virtual key server, dedicated to performing only key management activities. The key manager should house a FIPS 140-2 validated pseudo-random number generator to create new keys and store those keys in a secure key database. Once generated and in use, encryption keys should be distributed for use over a secure Transport Layer Security (TLS) session using certificates to authenticate the user requesting the encryption key.

Also, enterprise key managers should perform real-time backup and high availability functions to prevent downtime and ensure business continuity. To accomplish this, each key server should perform active-active mirroring to one or more high availability servers as well as perform routine, automated backups to secure storage drives.

“When you leave the keys to unlock your sensitive business and customer data exposed, then you expose your entire organization to the risk of data loss or theft.”
ADDITIONAL KEY MANAGEMENT STANDARDS AND VALIDATIONS
KEY MANAGEMENT INTEROPERABILITY PROTOCOL (KMIP)VMware allows users to manage encryption keys
using a third-party key management vendor through
a standard key management protocol called KMIP.
All of VMware’s KMS
Certification tests
contained in KMS
plug-ins verify that
the vendor’s KMIP
KMS works with vSphere storage encryption feature
and vSAN virtual disk. Testing consists of verifying the
correct behavior of a KMS, ensuring that it does not
introduce undesirable impacts on the operation of the
system. VMware supports two types of KMIP:
Switch-Based Encryption
With this method, the data leaves the host and travels
in the clear until it reaches a switch, which then
performs the encryption before sending the data on to
the storage array. The switch might be a Fibre Channel
switch or, in the case of NFS, a network switch. The
switch typically also integrates with an external, KMIP-
compliant key manager.
Array-Based Encryption
With array-based encryption, the controller in a
storage array encrypts the data as it is written to
the disks. Encryption can be performed via custom
application-specific integrated circuits (ASICs) in
hardware or software. In both cases, key management
can be achieved via an onboard key manager or
through the use of an external KMIP-compliant key
manager.
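As an added example (it is not from the original guide and is not VMware's or Townsend Security's code), the following Python builds the KMIP Get request that a KMIP client such as vCenter sends to a key manager to fetch a key by its Unique Identifier, and decodes it back. It shows the TTLV (tag, type, length, value) encoding that every KMIP message uses. The tag and enumeration constants are the ones published in the KMIP 1.x specification; the key identifier is a made-up placeholder, no network I/O is performed, and a real client also needs the mutually authenticated TLS session described earlier.

```python
"""Minimal KMIP TTLV encoder/decoder (illustration only, not product code).

KMIP messages are nested TTLV items: 3-byte tag, 1-byte type, 4-byte
big-endian length of the unpadded value, then the value padded to a
multiple of 8 bytes. Tag and enumeration constants are from KMIP 1.x.
"""
import struct

TAG = {  # KMIP 1.x tag values used by a Get request
    "RequestMessage": 0x420078, "RequestHeader": 0x420077,
    "ProtocolVersion": 0x420069, "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
    "BatchItem": 0x42000F, "Operation": 0x42005C,
    "RequestPayload": 0x420079, "UniqueIdentifier": 0x420094,
}
NAME = {v: k for k, v in TAG.items()}
STRUCTURE, INTEGER, ENUMERATION, TEXT = 0x01, 0x02, 0x05, 0x07
OP_GET = 0x0A  # Operation enumeration: Get


def _pad8(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 8)


def ttlv(tag: int, typ: int, value) -> bytes:
    """Encode one item. Structures take a list of already-encoded children."""
    if typ == STRUCTURE:
        body = b"".join(value)
    elif typ == INTEGER:
        body = struct.pack(">i", value)
    elif typ == ENUMERATION:
        body = struct.pack(">I", value)
    elif typ == TEXT:
        body = value.encode("utf-8")
    else:
        raise ValueError(f"unsupported item type {typ:#x}")
    header = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body))
    return header + _pad8(body)


def get_request(key_id: str, major: int = 1, minor: int = 4) -> bytes:
    """KMIP Get for one key: header (protocol version, batch count) + one batch item."""
    return ttlv(TAG["RequestMessage"], STRUCTURE, [
        ttlv(TAG["RequestHeader"], STRUCTURE, [
            ttlv(TAG["ProtocolVersion"], STRUCTURE, [
                ttlv(TAG["ProtocolVersionMajor"], INTEGER, major),
                ttlv(TAG["ProtocolVersionMinor"], INTEGER, minor),
            ]),
            ttlv(TAG["BatchCount"], INTEGER, 1),
        ]),
        ttlv(TAG["BatchItem"], STRUCTURE, [
            ttlv(TAG["Operation"], ENUMERATION, OP_GET),
            ttlv(TAG["RequestPayload"], STRUCTURE, [
                ttlv(TAG["UniqueIdentifier"], TEXT, key_id),
            ]),
        ]),
    ])


def decode(buf: bytes) -> list:
    """Parse TTLV bytes into nested (name, value) pairs; reject truncated input."""
    items, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated TTLV header")
        tag = int.from_bytes(buf[pos:pos + 3], "big")
        typ = buf[pos + 3]
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        start, end = pos + 8, pos + 8 + length
        padded_end = start + length + (-length % 8)
        if padded_end > len(buf):
            raise ValueError("TTLV value runs past end of buffer")
        raw = buf[start:end]
        if typ == STRUCTURE:
            value = decode(raw)
        elif typ == INTEGER:
            value = struct.unpack(">i", raw)[0]
        elif typ == ENUMERATION:
            value = struct.unpack(">I", raw)[0]
        elif typ == TEXT:
            value = raw.decode("utf-8")
        else:
            raise ValueError(f"unsupported item type {typ:#x}")
        items.append((NAME.get(tag, f"{tag:#08x}"), value))
        pos = padded_end
    return items


def find(items: list, name: str):
    """Depth-first lookup of the first item with the given tag name."""
    for n, v in items:
        if n == name:
            return v
        if isinstance(v, list):
            hit = find(v, name)
            if hit is not None:
                return hit
    return None


def is_well_formed(buf: bytes) -> bool:
    """True if the whole buffer parses as TTLV; a server should reject anything else."""
    try:
        decode(buf)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    req = get_request("vm-disk-0001")  # placeholder key identifier
    print(req.hex())
    print(decode(req))
```

The decoder checks the declared length against the buffer before slicing, which is the check a key server must make on every incoming message; a truncated request is rejected rather than partially applied.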
PCI DATA SECURITY STANDARD (PCI DSS)
VMware meets the standards of the PCI DSS, which
was developed to encourage and enhance cardholder
data security and facilitate the broad adoption of
consistent data security measures globally. For
VMware users who need to meet compliance, Alliance
Key Manager has been validated for PCI DSS in
VMware by Coalfire, a PCI Qualified Security Assessor
(QSA) and independent IT audit firm. Additionally,
Alliance Key Manager for VMware can also help
businesses meet other compliance regulations such as
CCPA, HIPAA, GLBA/FFIEC, and FISMA.
COMPLIANCE & VMWARE
FOR MANY BUSINESSES, STORING OR
processing credit card numbers, financial information,
healthcare data, and other personally identifiable
information (PII) in a virtual, shared environment is
the norm. The challenge is meeting data security
requirements and preventing unwanted access to
sensitive data. The lack of compliance and failure
to implement and execute a well-planned security
strategy may lead to a breach in security resulting in
data spillage, data compromise, loss of data integrity,
loss of customer trust, legal actions, revenue loss, and
even loss of business.
Industry and regulatory compliance standards help
protect computing assets from multiple security
vulnerabilities and misconfigurations, and minimize the
risk in execution environments, such as development,
test, and production.
With VMware, organizations that want to protect
sensitive data can use encryption and key
management to secure data, comply with industry
security standards, protect against data loss, and
help prevent data breaches. When considering
encryption options, organizations must consider both
governmental and private compliance regulations
that require them to protect sensitive information.
Most regulations require proper protection of PII. For
example, the European Union General Data Protection
Regulation (GDPR) imposes multiple demands upon
global companies to protect the personal data of all
European Union (EU) residents. The Payment Card
Industry Data Security Standards (PCI DSS) requires
that credit card numbers be encrypted in storage. The
Health Insurance Portability and Accountability Act
and Health Information Technology for Economic and
Clinical Health Acts (HIPAA/HITECH) require protection
of Electronic Protected Health Information (ePHI).
These are just three of the many compliance
regulations that today’s organizations must consider
in their cybersecurity programs to ensure that they
are in continual compliance with all of the relevant
regulations as they change and expand.
VMWARE AND GDPR
In response to escalating external and internal threats
and uncertainty, lawmakers and regulators around
the world have been strengthening their data security
compliance requirements, implementing new legal
frameworks and levying higher noncompliance
penalties. This places organizations at tremendous
risk for compliance violations, along with the resulting
fines and remediation costs. On May 25th, 2018, the
European Union made securing citizens’ data an
even bigger challenge for companies doing business
that involves handling their citizens’ data. That was
launch day for the new European Union General Data
Protection Regulation (GDPR).
The GDPR attempts to unify data protection laws
in Europe and ensure that citizens’ rights and
protections have a global impact. One area of
concern for EU countries, among many, is the fact
that U.S.-based cloud vendors can be subpoenaed
by U.S. governments to provide access to specific
information, even if it resides outside of the U.S. With
this regulation, every organization will be forced to
comply or face penalties, including damaging fines
and even losing the opportunity to work within the
EU. Specifically, the GDPR's "right to be forgotten"
(right to erasure) gives individuals the right to have
their personal data deleted, alongside other rights to
control how that data is processed, and sets a new
standard for protection of an individual's personal
data. The GDPR also restricts transfers of personal
data outside the EU: a transfer is permitted only where
the destination has an adequacy decision, appropriate
safeguards are in place, or a derogation such as the
individual's explicit consent applies.
VMware Cloud on AWS, as an example, has been
independently verified by Schellman & Company,
LLC, to comply with the GDPR. In the language of the
GDPR, when providing services to its customers via
the VMware Cloud on AWS service offering, VMware
is acting as a “data processor.” VMware’s customers
may perform customer-defined data processing
activities in relation to their own data within the
services and, in doing so, act as “data controllers.”
Data controllers may only appoint data processors
who provide sufficient guarantees to implement
appropriate technical and organizational measures to
ensure processing meets GDPR’s requirements. GDPR
also requires resilient and recoverable architectures to
prevent unavailability of data. To support this directive,
key managers should implement HA services to
ensure high availability.
Encryption and key management can help meet
GDPR's privacy requirements, as well as citizens'
right of erasure (right to be forgotten). While the
GDPR does not mandate that all organizations
encrypt personal data, Article 34 exempts a controller
from notifying affected individuals of a breach when
the data was rendered unintelligible, for example by
encryption, and regulators weigh the technical
measures that were in place when setting fines.
Thanks to VMware's wide-ranging focus on security,
implementing encryption and key management tools
will help users meet requirements for GDPR.
VMWARE AND PCI DSS
With all of the security breaches in the news and
the occurrence of these incidents becoming more
widespread, how can you ensure that your customers’
credit card information remains secure? This is the
purpose of Payment Card Industry Data Security
Standard (PCI DSS), which impacts all merchants who
accept credit cards. PCI DSS requires merchants to
protect sensitive cardholder information from loss,
and use good security practices to detect and protect
against security breaches. PCI DSS is applicable to all
types of environments that store, process, or transmit
cardholder data. This includes information such as
Primary Account Numbers (PAN). PCI DSS Requirement 3
(Protect stored cardholder data) sets out the
encryption and key management requirements.
[Figure: PCI SSC Prioritized Approach for PCI DSS 3.2,
six milestones: (1) remove sensitive authentication data
and limit data retention; (2) protect systems and
networks, and be prepared to respond to a breach;
(3) secure payment card applications; (4) monitor and
control access to systems; (5) protect stored
cardholder data; (6) finalize remaining compliance
efforts. PCI DSS compliance is a continuous process:
assess, remediate, report.]
Even with this mandatory requirement, a vast
majority of organizations still struggle to maintain PCI
compliance, and the effort is costly, both in addressing
the root causes of PCI audit failures and in the often
severe non-compliance fees. By proactively assessing
their weaknesses around PCI compliance and
deploying the security controls that mitigate data
breaches, companies improve both their data security
and their compliance posture.
For these reasons, VMware offers a wide range
of cybersecurity services and documentation to
support and help organizations secure their data. For
example, VMware has enlisted its Audit Partners, such
as Coalfire, a PCI DSS-approved Qualified Security
Assessor, to engage in a programmatic approach
to evaluate VMware products and solutions for PCI
DSS control capabilities, and then to document
these capabilities in a set of reference architecture
documents.
VMware also provides customers with access to
vRealize Air Compliance, which assesses VMware
vSphere-based virtualized environments according
to specific compliance standards and risk profiles.
Some of the available standards and profiles include
multiple versions of the VMware vSphere Hardening
Guide, PCI DSS 3.2, and HIPAA technical safeguards.
Users can continuously assess their vCenter Server
instances, ESXi hosts, VMs, and distributed port
groups to ensure that they comply with the technical
controls defined in the industry standards.
From a high level, the VMware software-defined
data center (SDDC) provides software-defined
infrastructures, software-defined networking, and
management and security technologies capable of
supporting, adhering to, and/or addressing control
objectives relevant to PCI DSS to enable platform
support of cardholder data environments (CDE).
VMware EUC (end-user computing) provides secure
delivery mechanisms for any application, to any
device, anywhere. Further,
VMware’s vast network of partners provides added
value with technologies capable of being inserted
seamlessly and holistically to address additional
requirements and enhance security.
PRODUCT APPLICABILITY GUIDE FOR PCI DSS
Working with Coalfire, a PCI Qualified Security Assessor (QSA) and independent IT audit firm, we have released our PCI DSS Product Applicability Guide: "Townsend Security Addendum to VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.0", April 2015, v1.0.
VMWARE AND HIPAA
The Health Insurance Portability and Accountability
Act and Health Information Technology for Economic
and Clinical Health Act (HIPAA/HITECH) outlines data
security regulations for the healthcare industry. While
HIPAA/HITECH does not explicitly require encryption
of sensitive data (the Security Rule lists it as an
"addressable" safeguard), the Breach Notification
Rule's "safe harbor" provision means that if a
healthcare organization or one of its Business
Associates (BA) loses Protected Health Information
(PHI) that was not rendered unreadable by encryption
or another approved method, the incident is a
reportable breach that exposes the organization to
enforcement penalties.
This matters because the consequences of
noncompliance are severe: civil and criminal penalties
imposed by the Office for Civil Rights (OCR) of the
Department of Health and Human Services (HHS) and
by the U.S. Department of Justice (DOJ). What's more,
a failure to protect patient privacy carries a high
probability of collateral damage to institutional trust
and finances. In extreme cases of breach or data loss,
the fines and penalties are minor compared to the
potential costs of litigation, restitution, and repairing
public relations.
Compliance with the HIPAA Security Rules and
HIPAA Privacy Rules for Electronic Protected Health
Information (ePHI) requires the use of many security
technologies and best practices to demonstrate
strong efforts towards complying with this federal
regulation. The ability to effectively secure ePHI and
audit IT and security operations may involve both
strong encryption and real-time and historical activity
logs that relate to many systems.
VMware recognizes the following as critical areas
that must be addressed by each covered entity
and BA in the operation of healthcare information
systems: security and compliance, the criticality
and vulnerability of the assets needed to manage
ePHI infrastructures, and the risks to which they are
exposed. This approach provides management, IT
architects, administrators, and auditors with high
degrees of transparency into risks, solutions, and
mitigation strategies for moving critical applications
to the cloud in secure and compliant ways. By
standardizing an approach to compliance and
expanding the approach to include partners, VMware
provides its customers a proven solution that more
fully addresses their compliance needs.
Organizations can reduce the complexity and
cost of HIPAA Security Rule compliance by
replacing traditional non-integrated products
with integrated solutions. To further address this
gap, VMware, together with the VMware partner
ecosystem delivers compliance-oriented integrated
solutions, enabling compliance by automating the
deployment, provisioning, and operation of regulated
environments. In this way, VMware provides the
solution reference architecture, HIPAA Security
Rule specific guidance, and software solutions that
businesses require to achieve continuous compliance,
along with speed, efficiency, and agility for their
applications.
VMWARE AND CALIFORNIA CONSUMER PRIVACY ACT (CCPA)
Do I need to comply? If you collect data on people
who are in California, and meet the minimum criteria
(see below), and are not explicitly excluded, you must
meet the requirements of the new law. Notice, this
does not just apply to “California citizens”, but people
who are in the state at the time of data collection. You
are not exempt if your organization resides outside of
California. If you collect data on people in California,
assume you are covered by the law.
If you meet any of these criteria, you are required to
meet the new CCPA law:
• You have $25 Million or more in annual revenue
• You buy, sell, or share the personal information of
50,000 or more consumers, households, or devices
• You derive 50 percent or more of your revenue from
selling personal information to third parties
The law applies to for-profit businesses; nonprofits
and government agencies fall outside its definition of
a "business". There are some exclusions in the law:
If your organization is already covered by equivalent
privacy regulations such as HIPAA, GLBA, and others,
you may be exempt. Don’t be fooled into a sense
of complacency about this. The CCPA has privacy
regulations that are not covered under those laws.
If you think you are exempt, get legal advice on this
point.
What information does it cover? The personal
information covered by the CCPA is quite broad and
extends into areas not covered under GDPR and
other regulations. The current definition of sensitive
consumer data includes:
• Identifiers such as a real name, alias, postal
address, unique personal identifier, online identifier
IP address, email address, account name, Social
Security number, driver’s license number, passport
number, or other similar identifiers.
• Personal and commercial behaviors, and inferences
from them.
• Characteristics of protected classifications under
California or federal law
• Commercial information including records of
personal property, products or services purchased,
obtained or considered, or other purchasing or
consuming histories or tendencies
• Biometric information
• Internet or other electronic network activity
information including, but not limited to, browsing
history, search history and information regarding a
consumer’s interaction with a website, application or
advertisement
• Geolocation data
• Professional or employment-related information
• Education information
Am I required to encrypt sensitive data? If you want
to avoid the risk of direct or class action litigation
related to data loss, you should encrypt the sensitive
data. The CCPA's private right of action, in section
1798.150(a)(1), applies only to nonencrypted and
nonredacted personal information that is breached as
a result of a business's failure to implement and
maintain reasonable security procedures and practices.
Losing unencrypted personal information therefore
exposes you to individual and class action suits that
encrypted data would not; encryption takes the data
outside that provision.
SECURITY BEYOND COMPLIANCE
ALONG WITH REGULATORY COMPLIANCE, THERE
are many other reasons to optimize data security
in VMware, including intellectual property and
reputation protection.
INTELLECTUAL PROPERTY (IP) PROTECTION
Whether it's the plans for a new product, proprietary
schematics for an existing product, or information that
exposes your business processes, your business has a
lot of IP information you want kept secret. Most
companies place a priority on protecting PII, PHI, or
CHD. But there is a lot of other information that could
hurt, even cripple, your company should it get out. In
fact, Deloitte estimates that IP data can constitute
more than 80 percent of an enterprise company's
value.
That is why encryption should be thought of as a
company wide initiative. Below is a short (and certainly
not exhaustive) list of items that your company should
be encrypting:
• Product/Solution Documents: If you rely on
proprietary information to give you a competitive
advantage in the marketplace, you need to encrypt
any information that would give your competition a
window into how your products or solutions work.
• Research and Development (R&D) Data: In the
same vein, any R&D you are conducting is your
advantage in tomorrow's competitive landscape.
Don’t let it be stolen from you because you did not
properly secure it.
• Financial Reports: Most companies would love
to see their competitors' financial statements.
Encrypt anything that could give your current
financial position away.
• Legal Documentation: There is a lot of
documentation that, if made public, could tarnish a
company's reputation. You and your company need
full confidence that what happens in the boardroom
or HR office stays there.
REPUTATION PROTECTION
A study sponsored by VMware and conducted by The
Economist Intelligence Unit (EIU) found that
reputational risk was C-suite executives' greatest
cybersecurity concern. A company or organization's
brand is among its most valuable assets, because it
touches all aspects of the enterprise, including growth
and revenue, and negative perception extends to a
company's products and services. Cyber attacks are
especially damaging to reputation because the harm
is not contained to the company itself: attacks also
expose customers to the risk of identity theft or
financial losses. Brand reputation is a fragile asset that,
when compromised, is not easy to fix. It can take
decades to build your reputation and consumer trust.
CRITICAL INFRASTRUCTURE
WITH ALLIANCE KEY MANAGER, WE HAVE DONE
a lot to address concerns about the resilience of a key
manager, because a key manager is critical
infrastructure. That work includes the following:
HARDWARE AND SOFTWARE RESILIENCE
If you are properly protecting keys, an encryption
key management solution becomes a part of your
critical infrastructure. But if your key manager goes
down, your applications stop functioning until you
have key management back up. Alliance Key Manager
addresses those concerns in a number of ways. One
way is that the key manager is built for redundancy.
We know that hardware can fail, so we implement
a hardware platform that is resilient and has a lot
of redundancy built in. As such, the first layer of
keeping an encryption key manager up and running
consistently is to have a good hardware platform or
run in the cloud.
BACKUP/RECOVERY, HIGH AVAILABILITY, AND MIRRORING
Real-time mirroring of keys and the policy around keys
is critical for high availability and recovery. It is
important for key management servers to mirror keys
between multiple key managers over a secure and
mutually authenticated TLS connection for hot backup
and disaster recovery support. Organizations can
choose to mirror key managers on-premises, in the
cloud, or a hybrid of the two. If a server fails, a
hardware problem occurs, or the network goes down,
you should be able to define failover servers so that
clients switch to them in real time.
Alliance Key Manager fully supports resilience through
real-time mirroring. It is not an operating-system
feature; the key server itself implements the mirroring
capability, and it is self-healing: if two key servers
are mirroring to each other and the network goes
down, they queue the mirroring transactions, and
when the network comes back they re-commit those
changes to the peer. Alliance Key Manager is a robust
facility for making sure you have good backups of
your encryption keys.
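The queue-and-replay behaviour just described, as an added illustration in Python. This is not Alliance Key Manager code: the KeyServer, Link and MirrorEvent names, the per-origin sequence numbers and the in-memory store are assumptions made for the example. Two servers mirror every key change to each other, keep working and queue changes while the link is down, and replay the queue idempotently when the link returns, after which both stores agree. It also covers the earlier best-practice point that each key server should mirror to one or more high availability peers.

```python
"""Active-active key mirroring with queue-and-replay (illustration only).

Not Alliance Key Manager code: the classes, the per-origin sequence
numbers and the in-memory store are assumptions for this example. In a
real deployment the peer link is a mutually authenticated TLS session.
"""
from __future__ import annotations
from dataclasses import dataclass
import itertools
import secrets


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    material: bytes           # 256-bit symmetric key (would be wrapped at rest)
    status: str = "active"    # active | retired


@dataclass(frozen=True)
class MirrorEvent:
    seq: int                  # per-origin sequence number; makes replay idempotent
    origin: str
    record: KeyRecord


class Link:
    """Network path between the two servers; flip `up` to model an outage."""
    def __init__(self) -> None:
        self.up = True


class KeyServer:
    def __init__(self, name: str, link: Link) -> None:
        self.name = name
        self.link = link
        self.peer: KeyServer | None = None
        self.store: dict[str, KeyRecord] = {}
        self.outbox: list[MirrorEvent] = []   # changes not yet delivered to the peer
        self.applied: dict[str, int] = {}     # origin -> highest seq applied
        self._seq = itertools.count(1)

    def pair(self, other: KeyServer) -> None:
        self.peer, other.peer = other, self

    def create_key(self, key_id: str) -> KeyRecord:
        rec = KeyRecord(key_id, secrets.token_bytes(32))
        self._commit(rec)
        return rec

    def retire_key(self, key_id: str) -> KeyRecord:
        old = self.store[key_id]
        rec = KeyRecord(old.key_id, old.material, "retired")
        self._commit(rec)
        return rec

    def get_key(self, key_id: str) -> KeyRecord | None:
        return self.store.get(key_id)

    def _commit(self, rec: KeyRecord) -> None:
        # Local write first, then mirror; if the link is down the event waits in the outbox.
        self.store[rec.key_id] = rec
        self.outbox.append(MirrorEvent(next(self._seq), self.name, rec))
        self.flush()

    def flush(self) -> int:
        """Deliver queued events to the peer in order; returns how many were sent."""
        if self.peer is None or not self.link.up:
            return 0
        sent = 0
        while self.outbox:
            self.peer.receive(self.outbox.pop(0))
            sent += 1
        return sent

    def receive(self, ev: MirrorEvent) -> bool:
        """Apply a mirrored change once; a redelivered event is ignored."""
        if ev.seq <= self.applied.get(ev.origin, 0):
            return False
        self.store[ev.record.key_id] = ev.record
        self.applied[ev.origin] = ev.seq
        return True


def in_sync(a: KeyServer, b: KeyServer) -> bool:
    return a.store == b.store


def demo() -> tuple[bool, bool, int]:
    """Partition the pair, change keys on both sides, heal, and report the outcome."""
    link = Link()
    a, b = KeyServer("akm-a", link), KeyServer("akm-b", link)
    a.pair(b)
    a.create_key("vm-disk-0001")          # mirrored to b immediately
    link.up = False                       # partition: both sides keep serving keys
    a.create_key("vm-disk-0002")          # queued on a
    b.retire_key("vm-disk-0001")          # queued on b
    diverged = not in_sync(a, b)
    link.up = True                        # link restored: replay both queues
    a.flush()
    b.flush()
    return diverged, in_sync(a, b), len(a.outbox) + len(b.outbox)


if __name__ == "__main__":
    print(demo())  # (True, True, 0)
```

The sequence number per origin is what makes a retried delivery harmless, so a flaky link can redeliver without corrupting the peer's store. Resolution here is last-applied-wins per key; two servers changing the same key during a partition still need an explicit conflict policy, which this sketch does not attempt.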
ACTIVE MONITORING
Active monitoring is one of the core security
recommendations to help prevent unauthorized
access to sensitive systems and information. It
is a requirement of a wide variety of compliance
regulations such as PCI DSS, HIPAA/HITECH, and
many others. From a security perspective, active
monitoring appears in the CIS Critical Security
Controls (formerly the SANS Top 20), and it is a key
recommendation of US government cybersecurity
guidance.
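What active monitoring of a key manager looks like in practice, as an added example that is not part of the original guide and not Alliance Key Manager code: the audit log format below is constructed for the illustration (it is not the product's syslog format), and the client-to-key allow list is a hypothetical policy. Three rules run over the sample lines: a burst of client-certificate authentication failures from one source, a successful key retrieval by a client that is not authorised for that key, and any key destruction.

```python
"""Detection rules over key-manager audit events (illustration only).

The log format is constructed for this example and is not Alliance Key
Manager's syslog format; the three rules show the kind of active
monitoring the text calls for: client-certificate failure bursts, key
retrievals by clients not authorised for that key, and key destruction.
"""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) AUDIT (?P<kv>.*)$")

# Constructed sample audit trail (not real data).
SAMPLE_LOG = """\
2024-03-05T02:14:07Z akm-a AUDIT op=retrieve key=vm-disk-0001 client=CN=esxi01 src=10.0.5.21 result=ok
2024-03-05T02:14:09Z akm-a AUDIT op=retrieve key=sql-tde-0007 client=CN=sqlsrv01 src=10.0.7.4 result=ok
2024-03-05T02:15:00Z akm-a AUDIT op=auth client=- src=203.0.113.9 result=fail reason=unknown_ca
2024-03-05T02:15:02Z akm-a AUDIT op=auth client=- src=203.0.113.9 result=fail reason=unknown_ca
2024-03-05T02:15:05Z akm-a AUDIT op=auth client=- src=203.0.113.9 result=fail reason=expired_cert
2024-03-05T02:16:30Z akm-a AUDIT op=retrieve key=sql-tde-0007 client=CN=jumpbox03 src=10.0.9.50 result=ok
2024-03-05T02:17:11Z akm-b AUDIT op=destroy key=vm-disk-0001 client=CN=admin-jdoe src=10.0.1.5 result=ok
"""

# Which client certificates (by subject CN) may fetch which keys; hypothetical policy.
ALLOWED_CLIENTS = {
    "vm-disk-0001": {"CN=esxi01", "CN=esxi02"},
    "sql-tde-0007": {"CN=sqlsrv01"},
}


def parse(line: str) -> dict | None:
    """Turn one audit line into a dict; None if the line is not an audit record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "host": m["host"]}
    for tok in m["kv"].split():
        k, _, v = tok.partition("=")   # split on the first '=' so 'client=CN=x' keeps 'CN=x'
        ev[k] = v
    return ev


def detect(lines, allowed=ALLOWED_CLIENTS, window=timedelta(minutes=5), threshold=3):
    """Return (rule, detail) alerts, in log order."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent auth failures
    for line in lines:
        ev = parse(line)
        if ev is None:
            alerts.append(("unparsed_line", line))
            continue
        op, result = ev.get("op"), ev.get("result")
        if op == "auth" and result == "fail":
            q = failures[ev["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()             # slide the window
            if len(q) == threshold:     # fire once when the burst is reached
                alerts.append(("auth_failure_burst", ev["src"]))
        elif op == "retrieve" and result == "ok":
            if ev["client"] not in allowed.get(ev["key"], set()):
                alerts.append(("unexpected_client", f"{ev['client']} -> {ev['key']}"))
        elif op == "destroy":
            alerts.append(("key_destroyed", f"{ev['key']} by {ev['client']}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {rule}: {detail}")
```

The unexpected-client rule is the one that catches a compromised host with a valid certificate, which no amount of TLS gets you; it depends on keeping the allow list in step with the key policy on the server. Key destruction is alerted unconditionally because it is irreversible and rare enough that every instance deserves a human look.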
VENDOR CONSIDERATIONS
GENERALLY, THE CONSIDERATIONS FOR
sourcing encryption key management solutions for
VMware will be similar to any relationship you develop
with a vendor. The limited number of vendors in this
space can limit the choices you have, but there are
good solutions to choose from.
LICENSING
Vendors take a variety of approaches to licensing
their key management solution. The main difference
is in licensing constraints on the VMware side. You
may start your first VMware encryption project with a
rather limited scope. But as you continue to encrypt
more sensitive data you may need to scale. Some
encryption key management vendors license software
based on the number of VMware instances that you
place under protection. Others provide unlimited
numbers of client-side licenses after you acquire the
key manager. Be sure you understand the licensing
terms of each solution you evaluate, and be sure to
understand your long-term needs.
You should not need to license every end point that
connects to the key server. The cost and complexity
of licensing all endpoints is unnecessary and can be a
huge barrier to getting data protection up and running
quickly across the organization. Some vendors
charge as much as $15,000 or more per connection.
These hidden costs quickly add up and make a
once-thought-of cost-effective solution an exorbitant
expenditure within their environment. You should look
for a key management solution that never:
• Charges you fees for connecting a new end-point
• Limits the number of end-points based on the
model of the key manager
• Limits the number of encryption keys generated or
stored
• Forces you to pay extra fees for software patches
• Forces you to pay extra fees for routine software
upgrades
DOCUMENTATION
Documentation on your VMware implementation
will be crucial for long-term success. In addition to
documentation on the installation and configuration,
be sure your vendor provides documentation on
key rotation, applying patches to the key manager,
upgrading the key manager to new versions, and
problem determination. All of these aspects should be
covered in vendor documentation.
TRAINING
While key management solutions have become much
simpler over time, you should still expect to receive
some operational and technical training from your
encryption and key management vendor. Gone are
the days when this meant a lot of on-site educational
expense. Modern encryption and key management
solutions may require only a short period of coaching
and training to deploy and maintain. Be sure your
encryption and key management vendor has a
program to deliver training in a timely fashion.
CUSTOMER SUPPORT
Many businesses have devalued their customer
support experience, which can be a problem for all
key manager users. When you have a problem with
encryption or key management, it’s likely to affect your
application service levels. Before acquiring your key
management solution be sure to schedule time with
the customer support group. Do they have a formal
problem tracking system? Do you have access to all
problem tickets you raise? Does the customer support
group respond in a timely fashion? Is there a 24/7
response number? All of the normal customer support
questions you might ask are relevant to a VMware
key management solution. We all know what really
bad customer support looks like, so be sure there is a
good team standing behind the solution you deploy.
SERVICES
The modern enterprise is often geographically
distributed, which can make deployment and training
difficult. While VMware encryption key management
solutions can be simple to deploy and configure, you
may want to be sure your vendor can send staff on-site
for support.
SUMMARY
VMWARE VIRTUALIZATION HAS BEEN A GAME-
changing technology for IT, providing efficiencies and
capabilities that have previously been impossible for
organizations constrained within traditional IT data
center worlds. With VMware, organizations are able
to reduce hardware costs, lower operational cost,
and gain a clear path to move to the cloud. With
the addition of encryption, you can deploy secure
environments where there is less risk of data loss in
the event of a breach.
The Alliance Key Manager client-side applications,
software libraries, and SDKs fully integrate with
Alliance Key Manager for key protection, and
work naturally with your SQL Server, MongoDB,
Windows, and Linux VMware VMs. The solution offers
strong security, flexibility, and affordability for all
VMware users. Where a database can retrieve keys
without additional client-side software, customers
deploy Alliance Key Manager, install the PKI
certificates on the database server, and begin
retrieving encryption keys.
By deploying as a virtualized encryption key manager,
enterprises are able to reduce hardware costs, lower
operational costs, minimize the IT footprint, and have
a clear path for a future move to the cloud. Using the
same FIPS 140-2 compliant technology that is in our
HSM and in use by over 3,000 customers, Townsend
Security’s Alliance Key Manager for VMware brings
a proven and mature encryption key management
solution to VMware environments with a lower total
cost of ownership.
The solution is available as a HSM, VMware
instance, and in the cloud (Amazon Web Services,
Microsoft Azure, IBM Cloud for VMware, and VMware
vCloud), allowing organizations to meet compliance
requirements (CCPA, PCI DSS, HIPAA, GDPR, etc.)
and security best practices. Townsend Security offers
a 30-day, fully-functional evaluation of Alliance Key
Manager.
SUPPORTED VERSIONS OF VMWARE
Alliance Key Manager for VMware supports VMware
ESX, VMware vSphere, vSAN, and vCloud.
VMWARE TECHNOLOGY ALLIANCE PARTNER
Townsend Security is an Advanced tier VMware
Technology Alliance Partner (TAP), and Alliance Key
Manager for VMware has achieved VMware Ready
status and vSphere and vSAN certification. This
designation indicates that, after a detailed validation
process, Alliance Key Manager for VMware has
achieved VMware's highest level of endorsement.
"A very cost effective solution in terms of performance,
manageability, security, and availability. As a result, my company
was quickly able to implement full database encryption leveraging
the AKM as our key management solution in weeks. Comparable
solutions could have taken months."
- CERTAIN
ALLIANCE KEY MANAGER
• FIPS 140-2 and KMIP compliant enterprise key manager
• Available as an HSM, VMware instance, or in the cloud (AWS, Microsoft Azure)
• Affordably priced, with no restrictions on server connections or client-side applications
• Meets compliance regulations like PCI DSS, HIPAA, GDPR, and more
ABOUT TOWNSEND SECURITY
TOWNSEND SECURITY CREATES DATA PRIVACY
solutions that help organizations meet evolving
compliance requirements and mitigate the risk of data
breaches and cyber-attacks. Over 3,000 organizations
worldwide trust Townsend Security's NIST and FIPS
140-2 compliant solutions to meet the encryption and
key management requirements in PCI DSS, HIPAA/
HITECH, FISMA, GLBA/FFIEC, SOX, GDPR and other
regulatory compliance requirements.
CONTACT TOWNSEND SECURITY
www.townsendsecurity.com
@townsendsecure
105 8th Ave SE, Suite 301
Olympia, WA 98501
360.359.4400
"Townsend is a full service security provider that remains on the cutting
edge and has demonstrated exceptional customer service."
- CSU FRESNO