Post on 18-May-2020

35 views

Category:

Documents


0 download

TRANSCRIPT

VMWARE ENCRYPTION & KEY MANAGEMENT

THE DEFINITIVE GUIDE

VMware virtualization has been a game-changing advancement for the IT industry. It has delivered efficiencies and capabilities that had previously been impossible for organizations struggling with the constraints of the traditional IT data center. When it comes to security, VMware is front and center in helping organizations secure their data from threats through encryption. One solution adds an important layer to VMware’s data security by giving enterprise organizations the ability to achieve the second critical function — managing their encryption keys. Use this guide to explore the key concepts of encrypting data in VMware and protecting encryption keys with a third-party enterprise encryption key management solution.


CONTENTS

Introduction
Why Encrypt in VMware
Deploying Encryption
VMware Encryption - A Unified Strategy for All Your Data
Components of a VMware Encryption Strategy
Deploying Key Management in VMware
NIST Standard AES Encryption
Encryption Key Management
Additional Key Management Standards & Validations
Compliance and VMware
Security Beyond Compliance
Critical Infrastructure
Vendor Considerations
Summary


INTRODUCTION

The VMware story began in 1998 when five forward-thinking technologists launched an innovative virtualized computing solution. Shortly thereafter, it became the first commercially successful company to virtualize the x86 architecture. Today VMware is a top-tier cloud computing and virtualization provider, and a popular solution for organizations moving to the cloud. VMware’s desktop software runs on Microsoft Windows, Linux, and macOS, while its enterprise hypervisor for servers, VMware ESXi, is a bare-metal hypervisor that runs directly on server hardware without needing an additional underlying OS.

In our increasingly insecure cyber world, VMware understands the critical nature of robust security solutions, including encryption capabilities. However, applying security in a VMware environment introduces unique challenges. Principally, in these environments, systems are no longer dedicated and instead share a common physical architecture. They also face unique security challenges related to running data processing and storage in the cloud. Questions around deployment and how to get the most out of native encryption tools are often barriers to implementation. These issues not only present new risks for data breaches, but also expose organizations to a higher risk of non-compliance with an expanding body of regulatory directives.

Due to these issues and others, the security of sensitive data stored and processed on VMware virtual machines (VMs) and in the cloud is a critical concern for many customers. VMware customers need strong encryption and key management solutions that run natively in their virtual environments and provably meet compliance regulations.

VMware vSphere encryption was first introduced in vSphere 6.5 and vSAN 6.6, enabling encryption both in virtual machines (VMs) and in disk storage. It only requires the vCenter Server, a third-party Key Management Server (KMS), and ESXi hosts to work. It is standards based, KMIP compatible, and easy to deploy.

To provide insight on how best to deploy encryption and encryption key management in VMware, this comprehensive guide overviews the landscape for securing data in a virtual world.


WHY ENCRYPT IN VMWARE

Encrypting virtual machines (VMs) is an important step organizations take to protect their confidential applications and data. Encryption is a mechanism used to protect data by transforming it into an unreadable format, so that it is completely private from anyone not explicitly approved to read it through decryption. Gaining access to encrypted information requires a person or application to possess the “key” that unlocks the encryption formula and converts the data back to its original readable format. In this way, encryption provides a fail-safe mechanism: if all other cybersecurity measures fail and data is stolen, the information is still protected because it is unreadable and, therefore, useless to the person or machine trying to access it. The data remains secure and compliant. VMware provides several options for deploying encryption functionality.

Townsend Security’s Alliance Key Manager is a FIPS 140-2 compliant enterprise key manager that helps organizations meet compliance requirements and protect private information. The symmetric encryption key management solution creates, manages, and distributes 128-bit, 192-bit, and 256-bit AES keys for any application or database running on any enterprise operating system. Townsend Security deploys ready-to-use security applications for vSphere, MongoDB, Microsoft SQL Server Transparent Data Encryption (TDE) and Cell Level Encryption (CLE), Microsoft SharePoint encryption, and other applications. We also provide client-side applications, SDKs, and sample code free of charge. The solution can be deployed in VMware, in the cloud (AWS or Microsoft Azure), or as a hardware security module (HSM).

PROTECTING VMS AT REST AND IN TRANSIT

One of the advantages of VMs is that they are portable. Pick up a VM image and you can run it on any physical server. However, this also means anyone who has access to the image also has access to its files and data. VMs are also vulnerable when a running machine is transferred to another server: anyone who has access to the network will also have access to the VM and its data. When using VMware, you can use encryption to protect your VMs both at rest and in transit, just like any other data you store and transmit.

ENCRYPTION IN VMWARE

VMware includes encryption in vSphere 6.5, making it easy to encrypt without using third-party hardware or software. The encryption features protect both VMDK images and vMotion transfers of VMs. Encryption is fully managed by the hypervisor, so keys are not known to the VM and there is no potential for exploitation in the guest OS. With Alliance Key Manager, you can implement vSphere encryption to protect the VMs at rest, and also implement database encryption to protect the database. In some cases, this will mean multiple layers of encryption, but this provides additional layers of security.


ENCRYPTION KEYS

Encrypting VMs relies on keys, so you need to have an encryption key manager (software or hardware) when using VM encryption. Without keys, encrypted VM files cannot be read or executed. When encrypting a VM, the disk files, snapshots, swap files, and dumps are all protected. A few remaining configuration and log files are not encrypted, because they aren’t sensitive or are needed by operations that have to execute regardless of the encryption status of the disks. VMware does report some minimal overhead from encryption and decryption operations. However, if performance remains a concern, running on servers that support AES-NI instructions speeds up the encryption process.

When encrypting VMs on vMotion, a random one-time key is generated and sent to the hosts involved in the vMotion process. In this case, it’s not the network that’s protected, but the VM itself. As a result, snooping is not possible. Further, certificates are not required, and users don’t need to worry about network settings. Encrypted VMs require encrypted vMotion, but you can use encrypted vMotion even on unencrypted VMs. To ensure high availability, VMware uses automatic failover for key management through the definition of vSphere KMS Clusters.

vSphere allows users to control whether encryption is applied to a VM’s virtual disks or configuration files through storage policies. You also have control over who can manage the encryption in VMware. It isn’t necessary, or even advisable, to grant encryption privileges to every VM administrator. Restricting this critical function enhances your security posture.


DEPLOYING ENCRYPTION

HOW TO DEPLOY VSPHERE VM ENCRYPTION

With vSphere 6.5 and above, you can now encrypt your VMs to help protect sensitive data at rest and to meet compliance regulations. vSphere encryption allows you to encrypt existing virtual machines as well as encrypt new VMs right out of the box. Additionally, vSphere VM encryption not only protects your virtual machine but can also encrypt your other associated files. So, how does vSphere encryption work?

• First, install and configure your KMIP-compliant key management server (KMS), such as our Alliance Key Manager, and register it to the vSphere KMS Cluster.
• Next, you must set up the KMS cluster. When you add a KMS cluster, vCenter will prompt you to make it the default. vCenter will provision the encryption keys from the cluster you designate as the default.
• Then, when encrypting, the ESXi host generates internal DEKs to encrypt the VMs, files, and disks.
• The vCenter Server then requests a key from Alliance Key Manager. This key is used as the KEK.
• ESXi then uses the KEK to encrypt the DEK, and only the encrypted DEK is stored locally on the disk along with the KEK ID.
• The KEK is safely stored in Alliance Key Manager. ESXi never stores the KEK on disk. Instead, vCenter Server stores the KEK ID for future reference. This way, your encrypted data stays safe even if you lose a backup or a hacker accesses your VMware environment.

VSPHERE VM ENCRYPTION BEST PRACTICES

VMs are a powerful tool that helps you realize greater IT efficiencies, reduce operating costs, and achieve unmatched flexibility. Because of this, organizations typically have mission-critical information in VMs. This means that getting encryption right the first time is paramount. As you begin your VM encryption project, keep these in mind to avoid some of the common pitfalls:

• Do not encrypt any vCenter Server Appliance VMs. These are vital to the functioning of VMware and should never be encrypted.
• Do not edit either VMX files or VMDK descriptor files, as they contain the encryption bundle. Your changes may make the VM unrecoverable.
• Always designate a high availability failover key manager in your KMS cluster. If your primary key server goes down with no failover key server in place, your encrypted VMs cannot be decrypted.
• Once you name your key management server (KMS) cluster, do not rename it. If you change the name of a KMS cluster that is in use, the ESXi host will be unable to find the KMS, and a VM encrypted with a key encryption key (KEK) from that KMS cannot be decrypted.
• Once you encrypt a virtual machine, you cannot relocate the VM to a host that does not have the key ID information. Only an ESXi host with the key ID information for that VM can properly locate the encryption key for decryption.


HOW TO DEPLOY VSAN ENCRYPTION

vSAN encryption is easy to enable and use. This means that securing your sensitive data with AES encryption is not a time-intensive task. To prove the point, here is a quick guide to getting encryption up and running for your vSAN clusters:

• First, install and configure your key management server (such as our Alliance Key Manager) and add its network address and port information to the vCenter KMS Cluster.
• Then, you will need to set up a domain of trust between vCenter Server, your KMS, and your vSAN host.
• You do this by exchanging administrative certificates between your KMS and vCenter Server to establish trust.
• Then, vCenter Server will pass the KMS connection data to the vSAN host.
• From there, the vSAN host will only request keys from that trusted KMS.
• The ESXi host generates internal keys to encrypt each disk, generating a new key for each disk. These are known as the data encryption keys, or DEKs.
• The vCenter Server then requests a key from the KMS. This key is used by the ESXi host as the key encryption key, or KEK.
• The ESXi host then uses the KEK to encrypt the DEK, and only the encrypted DEK is stored locally on the disk.
• The KEK is safely stored separately from the data and DEK in the KMS.
• Additionally, the KMS also creates a host encryption key, or HEK, for encrypting core dumps. The HEK is managed within the KMS to ensure you can secure the core dump and manage who can access the data.

That’s it! VMware has made encrypting your data in vSAN both simple and secure.
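The DEK/KEK envelope that both the vSphere VM encryption steps and the vSAN encryption steps above describe, as an added Go example that is not from this guide, from VMware or from Townsend Security. The KMS, the KEK ID and the VMDK contents are constructed stand-ins, and AES-256-GCM is assumed for both the DEK wrap and the disk data; vSphere's real on-disk formats and KMIP messages are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// KMS is a constructed stand-in for the KMIP key server: KEK bytes live only here, indexed by KEK ID.
type KMS struct{ keks map[string][]byte }

func NewKMS() *KMS { return &KMS{keks: map[string][]byte{}} }

// CreateKEK generates a 256-bit KEK inside the KMS; only the ID ever leaves it.
func (k *KMS) CreateKEK(id string) { k.keks[id] = randomBytes(32) }

func (k *KMS) FetchKEK(id string) ([]byte, error) { // the key request vCenter makes for an ESXi host
	if kek, ok := k.keks[id]; ok {
		return kek, nil
	}
	return nil, fmt.Errorf("KMS has no key with ID %q", id)
}

// EncryptedVM is what lands on the datastore; the KEK itself is never written.
type EncryptedVM struct {
	KEKID      string
	WrappedDEK []byte // DEK sealed under the KEK (AES-256-GCM, nonce prepended)
	Ciphertext []byte // disk sealed under the DEK (AES-256-GCM, nonce prepended)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic("crypto/rand unavailable: " + err.Error())
	}
	return b
}

// gcm builds an AES-GCM AEAD; every key here is 32 bytes, so failure is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func open(key, blob []byte) ([]byte, error) {
	aead := gcm(key)
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], nil) // fails on any tampering
	}
	return nil, fmt.Errorf("sealed blob too short: %d bytes", len(blob))
}

// EncryptVM mirrors the host-side steps: DEK generated locally, KEK fetched via the KMS, DEK wrapped, only wrapped DEK + KEK ID persisted.
func EncryptVM(kms *KMS, kekID string, disk []byte) (*EncryptedVM, error) {
	kek, err := kms.FetchKEK(kekID)
	if err != nil {
		return nil, err
	}
	dek := randomBytes(32)
	return &EncryptedVM{KEKID: kekID, WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, disk)}, nil
}

// DecryptVM succeeds only where the recorded KEK ID resolves at a reachable KMS; a stolen copy, a lost backup or a host without the key ID gets an error.
func DecryptVM(kms *KMS, vm *EncryptedVM) ([]byte, error) {
	kek, err := kms.FetchKEK(vm.KEKID)
	if err != nil {
		return nil, err
	}
	dek, err := open(kek, vm.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, vm.Ciphertext)
}

func main() {
	kms := NewKMS()
	kms.CreateKEK("kek-0001") // constructed KEK ID
	vm, err := EncryptVM(kms, "kek-0001", []byte("constructed VMDK contents"))
	if err != nil {
		panic(err)
	}
	plain, _ := DecryptVM(kms, vm)
	_, lost := DecryptVM(NewKMS(), vm) // stolen copy with no KMS access
	fmt.Printf("with KMS: %q; without KMS: %v\n", plain, lost)
}
```

The same structure explains the best practices above: a renamed KMS cluster or a host without the key ID is the `FetchKEK` failure, and a key server with no failover is a `FetchKEK` that never answers.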

VSAN ENCRYPTION BEST PRACTICES

vSAN is a powerful hyper-converged infrastructure that offers you greater performance and high scalability. vSAN encryption is easy to deploy but does have a few considerations in order to avoid issues down the road. Before you begin your vSAN encryption project, consider these VMware best practices:

• Do not deploy your KMS server on the same vSAN datastore that you are encrypting. This will encrypt your key managers and in some cases render them useless in recovery scenarios.
• Encryption can be CPU intensive. For vSAN encryption, make sure AES-NI is enabled. It can significantly improve encryption performance.
• You should ensure that your core dumps are encrypted. They can contain sensitive information such as encryption keys.
• When you decrypt a core dump, you should handle it as if it contains sensitive information. Core dumps may contain encryption keys for the vSAN host and/or the data on it.

VMWARE ENCRYPTION - A UNIFIED STRATEGY FOR ALL YOUR DATA

VMware encryption allows organizations to uniformly manage their encryption for both VMs and vSAN and ensure that all sensitive data within VMware is secured, enabling them to create a unified encryption strategy for their sensitive data. Let’s look at some of the main advantages that VMware encryption provides:

• Encryption is configured and managed at the hypervisor level, not within an individual VM or vSAN cluster.
• vSphere encryption is agnostic in regards to what is stored.
• There are not multiple encryption products for each guest OS, database, or application.
• Encryption is policy based. Applying it, then, can be done to as many or as few VMs or vSAN clusters as you want.
• You can bring your preferred key manager to manage your encryption keys. Since vSphere encryption is KMIP 1.1 compatible, you are free to use a FIPS 140-2 compliant encryption key manager, like Alliance Key Manager.

This is also good news if you have databases that do not have easy-to-deploy encryption or whose encryption involves a costly upgrade. With VMware, transparent data encryption comes standard and ready to use. If you have sensitive data, VMware has an easy, secure, and standards-based way to encrypt it.

That being said, your data doesn’t just live in one environment. When choosing which third-party encryption key management vendor will protect your VMware encryption, you should also think about your sensitive data everywhere. The ideal key management solution provides high availability, standards-based enterprise encryption key management to a wide range of applications and databases.


MICROSOFT SQL SERVER

In Standard edition before 2019, you’ll need to encrypt at the application level or with a third-party encryption solution. In Enterprise edition starting in 2008 and in Standard edition 2019, SQL Server has Transparent Data Encryption (TDE), Cell Level Encryption (CLE), and Extensible Key Manager (EKM). EKM enables SQL Server to utilize EKM providers offered by third-party encryption key management vendors. Townsend Security has an EKM provider.

You need three things to properly protect sensitive data: a key management solution to protect the critical encryption keys, an encryption solution for the SQL Server database, and a way for the two to talk to each other. For the first part, the Alliance Key Manager for VMware solution provides a fully functional enterprise key management solution that protects SQL Server databases. For encrypting SQL Server, the Alliance Key Manager solution comes with a full Microsoft SQL Server Extensible Key Management Provider, called Key Connection for SQL Server.

MONGODB

MongoDB offers AES encryption as part of the WiredTiger Storage Engine in the Enterprise edition of their offering. There are two options for storing encryption keys: in the database, in the clear; or by using KMIP and a key manager (MongoDB strongly recommends the use of a key management solution). Alliance Key Manager is certified by MongoDB for use with the MongoDB Enterprise database to protect data at rest.

MYSQL

MySQL Enterprise provides encryption support directly in the database engine using industry-standard 256-bit AES encryption. It allows MySQL Enterprise customers to meet a wide variety of compliance regulations including PCI DSS, GDPR, CCPA, HIPAA, FISMA, and many others. For encryption key management, MySQL recommends the use of an external encryption key management solution like Alliance Key Manager, and uses the industry-standard Key Management Interoperability Protocol (KMIP) to access encryption keys.

WEB APPLICATIONS

DRUPAL

There is no native encryption in Drupal core. Users need to install modules, such as Key, Encrypt, and Townsend Security’s Key Connection For Drupal, to encrypt private data in Drupal.


WORDPRESS

As with Drupal, WordPress does not come with native encryption. But there are plugins that provide not only 256-bit AES encryption but also the means to properly manage the keys.

WINDOWS IIS

Encryption needs to be done at the application level. This can be facilitated through the use of the Alliance Key Management Windows .NET SDK.

SOFTWARE DEVELOPER KITS (SDKS)

JAVA, .NET, PHP, PYTHON, PERL, ETC.

VMware offers release notes, developer guides, API references, and other documentation for current and past versions of its API and SDK sets. Businesses that aren’t able or don’t want to encrypt at the database level have options to encrypt at the application level. Good key management vendors (such as Townsend Security) offer SDKs and sample code to make encryption at the application level easy.

WINDOWS

Alliance Key Manager protects Windows .NET Client software with encryption and key management for applications. You can add the Townsend Security Windows .NET Client Assembly to your Windows projects to encrypt data at the application level.

LINUX

Linux applications use a variety of database and storage methods that include MySQL, MongoDB, PostgreSQL, Amazon S3 and RDS, and many others. Like any application deployed on any operating system and storage mechanism, Linux applications need to protect sensitive data at rest using strong encryption.


“Townsend Security collaborates with developers and IT professionals around the world. We know that developers use a wide variety of languages and platforms to accomplish their work.”


COMPONENTS OF A VMWARE ENCRYPTION STRATEGY

The most effective way to secure data and ensure a company’s integrity is to deploy encryption. For any encryption deployment, there are two major components:

1. Encryption of the sensitive data, usually in a Windows or Linux VM
2. Protection of the encryption keys through robust key management solutions

vSphere VM and vSAN encryption enable the creation of encrypted VMs or virtual disk storage and can encrypt existing VMs, along with virtual disks and host core dump files. Because all files that contain sensitive information are encrypted, the entire VM or virtual disk is protected. Only administrators with encryption privileges can perform encryption and decryption tasks. Some files associated with a VM or virtual disk are not encrypted or are only partially encrypted, because they don’t contain sensitive information; these include log, VM configuration, and virtual disk descriptor files.

Three major components are used for encryption in VMware: a Key Management Server, a VMware vCenter Server®, and ESXi hosts.

KEY MANAGEMENT SERVER (KMS)

Encryption key management is the method used to protect and manage your encryption keys. The vCenter Server instance requests keys from an external KMS. The KMS generates and stores key encryption keys (KEKs) and passes them to the vCenter Server instance for distribution. As a KMIP client, the vCenter Server system uses that protocol to facilitate use of the chosen KMS.

VMWARE VCENTER SERVER®

The vCenter Server instance obtains keys from the KMS and transfers them to the ESXi hosts. It does not store or persist the KMS keys, but keeps a list of key IDs. The vCenter Server system checks the privileges of users who perform cryptographic operations. The VMware vSphere Web Client assigns cryptographic operation privileges and limits the users who can perform these operations. The vCenter Server system adds cryptography events to the list of events that can be viewed and exported from the vSphere Web Client event console. Each event includes the user, time, key ID, and cryptographic operation.

ESXI HOSTS

The ESXi host is responsible for several aspects of the encryption workflow:

• Performs the encryption of VM disks
• Ensures that guest data for encrypted VMs is not sent over the network without encryption

Encryption is performed by the industry-standard OpenSSL libraries and algorithms. VM encryption does not impose any new hardware requirements, but uses a processor that supports the AES-NI instruction set to accelerate encryption and decryption operations.


DEPLOYING KEY MANAGEMENT IN VMWARE

1. Identify and document trusted and untrusted applications.
Properly identifying application groups based on the level of trust is critical for a secure implementation of virtualized applications and encryption key management services.

2. Restrict physical access.
Fundamental to all IT security implementations is proper security of the physical environment. This means proper physical security controls and data center monitoring, as well as robust auditing and procedural controls. These physical controls should also apply to access to VMware management and security applications.

3. Isolate security functions.
Because security applications are often a target of cyber-criminals, you should isolate them into their own security workgroup and implement the highest level of VMware security. Only trusted VMware administrators should have access rights to the encryption key management solution, system logs, and audit reports. Actively monitor access to and use of all encryption key management, key retrieval, and encryption services.

4. Change VMware default passwords.
Review all VMware applications used to secure and manage your VMware environment and change the default passwords as recommended by VMware. Failure to change default passwords is one of the most common causes of security breaches.

5. Implement network segmentation.
You should implement network segmentation to isolate applications that process sensitive information from applications that do not require as high a level of trust. Additionally, you should provide network segmentation for all third-party security applications, such as your encryption and key management solution. Network segmentation is easy to accomplish with VMware network management and security applications. Do not rely on virtual network segmentation alone; use firewalls that are capable of properly securing virtual networks.

6. Implement defense in depth.
VMware management and security applications provide for a high level of security and monitoring. They also include hooks and integration with third-party security applications that provide system log collection, active monitoring, intrusion detection, etc.

7. Monitor VMware admin activity.
Use an appropriate SIEM solution to collect VMware application and ESXi hypervisor system logs and perform active monitoring. The log collection and SIEM active monitoring solutions should be isolated into a security workgroup that contains other third-party security applications, such as Townsend Security’s Alliance Key Manager.


NIST STANDARD AES ENCRYPTION

WHEN EVALUATING YOUR VM SOLUTION

When evaluating both your encryption and key management solutions, it’s important to look for certain certifications and validations. One of these is from the National Institute of Standards and Technology (NIST): NIST FIPS-197, which validates AES encryption. Why is verifying that your data is secured with AES encryption important? AES encryption uses a single, randomly generated key as a part of the encryption/decryption process and goes through up to 14 steps to encrypt the plaintext. This means that the only way to feasibly attack AES encryption is to guess or steal the encryption key. Given that the fastest computer would take billions of years to run through every permutation of a 256-bit AES key, the only reasonable way to break AES encryption is to steal the key.

That is why VMware also requires that you manage encryption keys according to NIST guidelines:

ENCRYPTION KEY MANAGEMENT

FIPS 140-2 certification ensures that the key management software has been tested by third parties to meet the highest standards in key management technology, so you can establish strong key management. The VMware OpenSSL FIPS Object Module meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-2, which details the U.S. and Canadian Government requirements for cryptographic modules. For VMware customers, FIPS 140-2 compliant encryption and key management are a key defense for data security.

CONTINUOUS MONITORING

Recognizing that each organization must take responsibility for its data no matter where it resides, the NIST standard calls for continuous monitoring of key management. This requires organizations to continuously monitor their environments to ensure their infrastructure, applications, and data remain in a secure state. VMware’s security functionality supports continuous monitoring.

AUDITING

The NIST standard calls for auditing to bring transparency to security operations. Your key management solution needs to support active collection and monitoring of audit and OS logs. The logs should integrate with your log collection and SIEM active monitoring systems. Built-in logging allows administrators to track all key retrieval, key management, and system activity. In VMware, reports can be sent automatically to a central log management database or SIEM products for a timely and permanent record of activity. A KMS should audit all administrative and user functions, including both successful and failed operations, for security-relevant events. This includes detecting and recording the events, the date and time of the events, and the identity or role of the entity initiating the events.


ENCRYPTION KEY MANAGEMENT

[Figure: Encryption Key Lifecycle: Key Generation, Pre-Activation, Activation, Expiration, Post-Activation, Escrow, Destruction]

Once data is encrypted, your private information depends on enterprise-level key management to keep that data safe. Without key management, encryption stands alone as only half of a solution. Encryption key management involves administering the full lifecycle of cryptographic keys and protecting them from loss or misuse. Protection of the encryption keys includes limiting access to the keys physically, logically, and through user/role access.

ENCRYPTION KEY LIFECYCLE

A critical administrative component of encryption key management is the ability to manage the complete encryption key lifecycle. NIST defines all stages of a key’s lifecycle, including key generation, pre-activation, activation, distribution, revocation, post-activation, backup, escrow, and deletion. Through an administrative console, security administrators should be able to implement controls that allow access to keys by designating key users or user groups. They should also be able to set automatic key rotation policies, so that keys are retired and rolled over after any period of time. These controls help organizations meet data security requirements for some regulated industries. For example, the PCI DSS outlines key management requirements for cardholders or processors that can typically only be met using an enterprise-level encryption key management solution.

POLICY-BASED CONTROLS

Beyond managing the key lifecycle, an enterprise key manager should actively audit and log all activity and functions performed on the key management server, and record these logs to an external event monitoring or logging server so that malicious activity can be detected in real time. Your key management solution should be compatible with common event-monitoring solutions and export logs in standardized formats in real time. Your key management solution should also inherently enforce policy-based security functions that meet key management best practices, such as separation of duties and dual control.

SEPARATION OF DUTIES

Separation of duties ensures that no single person controls multiple key management procedures and the subsequent distribution of an encryption key. The person requesting the key and the person managing the key should be two different people. Dual control prevents any single person from controlling a key management process. For example, two security administrators should be required to authenticate access to the key server. While these policy-based controls are sometimes optional, they should always be available and easy to implement in your encryption key management solution.
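The lifecycle states, rotation policy, audit record, separation of duties and dual control described in this and the preceding sections, as an added Go model that is not this guide's or Alliance Key Manager's code. The key IDs and user names are constructed, and two rules are assumptions rather than anything the guide states: a key past its rotation period may still unwrap existing data but no longer protects new data, and the requester of a key is the party barred from administering it.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type KeyState int // lifecycle stages after generation, as the guide lists them

const (
	Active      KeyState = iota // may protect new data and unwrap existing data
	Deactivated                 // post-activation: may unwrap existing data only
	Destroyed                   // material gone; nothing is permitted
)

type ManagedKey struct {
	State       KeyState
	RequestedBy string        // who asked for the key; may not also administer it
	ActivatedAt time.Time
	RotateAfter time.Duration // rotation policy: retire this long after activation
}

type AuditEvent struct { // what the guide says a KMS must record for every attempt
	Time  time.Time
	User  string
	KeyID string
	Op    string
	OK    bool
}

type KeyManager struct {
	Keys      map[string]*ManagedKey
	Audit     []AuditEvent
	approvals map[string]map[string]bool // pending destroy approvals per key ID
	Now       func() time.Time           // injectable clock, so rotation is testable
}

func NewKeyManager() *KeyManager {
	return &KeyManager{Keys: map[string]*ManagedKey{}, approvals: map[string]map[string]bool{}, Now: time.Now}
}

func (km *KeyManager) record(user, keyID, op string, err error) error { // logs success and failure alike
	km.Audit = append(km.Audit, AuditEvent{km.Now(), user, keyID, op, err == nil})
	return err
}

func (km *KeyManager) Generate(requester, id string, rotateAfter time.Duration) error {
	km.Keys[id] = &ManagedKey{State: Active, RequestedBy: requester, ActivatedAt: km.Now(), RotateAfter: rotateAfter}
	return km.record(requester, id, "generate", nil)
}

// Authorize decides whether id may serve op ("wrap" protects new data, "unwrap" recovers existing data) and applies the rotation policy on the way.
func (km *KeyManager) Authorize(user, id, op string) error {
	k, ok := km.Keys[id]
	if !ok {
		return km.record(user, id, op, errors.New("unknown key"))
	}
	if k.State == Active && km.Now().Sub(k.ActivatedAt) >= k.RotateAfter {
		k.State = Deactivated // retired by policy: existing data stays recoverable
		km.record("rotation-policy", id, "retire", nil)
	}
	switch {
	case op == "wrap" && k.State == Active:
	case op == "unwrap" && k.State != Destroyed:
	default:
		return km.record(user, id, op, fmt.Errorf("%s not permitted in key state %d", op, k.State))
	}
	return km.record(user, id, op, nil)
}

// ApproveDestroy enforces separation of duties (the requester cannot administer the key) and dual control (two distinct administrators must approve).
func (km *KeyManager) ApproveDestroy(user, id string) error {
	const op = "destroy-approve"
	k, ok := km.Keys[id]
	switch {
	case !ok || k.State == Destroyed:
		return km.record(user, id, op, errors.New("unknown or destroyed key"))
	case user == k.RequestedBy:
		return km.record(user, id, op, errors.New("separation of duties: requester cannot administer the key"))
	case km.approvals[id][user]:
		return km.record(user, id, op, errors.New("dual control: one administrator cannot approve twice"))
	}
	if km.approvals[id] == nil {
		km.approvals[id] = map[string]bool{}
	}
	km.approvals[id][user] = true
	if len(km.approvals[id]) < 2 {
		return km.record(user, id, op, nil) // first approval recorded; key untouched
	}
	k.State = Destroyed
	delete(km.approvals, id)
	return km.record(user, id, "destroy", nil)
}

func main() {
	km := NewKeyManager()
	fmt.Println(km.Generate("app-svc", "kek-0001", 90*24*time.Hour), km.ApproveDestroy("app-svc", "kek-0001")) // constructed IDs; second call is refused
}
```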


BEST PRACTICES FOR KEY PROTECTION

There are several key management best practices that will ensure optimal key management performance and enforcement. On a technological and physical level, encryption keys should be stored in a logically or physically separate hardware or virtual key server, dedicated to performing only key management activities. The key manager should house a FIPS 140-2 validated pseudo-random number generator to create new keys and store those keys in a secure key database. Once generated and in use, encryption keys should be distributed over a secure Transport Layer Security (TLS) session, using certificates to authenticate the user requesting the encryption key.

Also, enterprise key managers should perform real-time backup and high availability functions to prevent downtime and ensure business continuity. To accomplish this, each key server should perform active-active mirroring to one or more high availability servers as well as perform routine, automated backups to secure storage drives.


“When you leave the keys to unlock your sensitive business and customer data exposed, then you expose your entire organization to the risk of data loss or theft.”


ADDITIONAL KEY MANAGEMENT STANDARDS AND VALIDATIONS

KEY MANAGEMENT INTEROPERABILITY PROTOCOL (KMIP)

VMware allows users to manage encryption keys with a third-party key management vendor through a standard key management protocol, KMIP. VMware's KMS certification tests, delivered as KMS plug-ins, verify that the vendor's KMIP key server works with the vSphere VM encryption feature and with vSAN encryption. Testing consists of verifying the correct behavior of the KMS and ensuring that it does not introduce undesirable impacts on the operation of the system.

Beyond hypervisor-level encryption, two other encryption architectures commonly integrate with an external KMIP-compliant key manager:

Switch-Based Encryption

With this method, the data leaves the host and travels in the clear until it reaches a switch, which performs the encryption before sending the data on to the storage array. The switch might be a Fibre Channel switch or, in the case of NFS, a network switch. The switch typically integrates with an external, KMIP-compliant key manager. Note that data is unprotected on the path between the host and the switch.

Array-Based Encryption

With array-based encryption, the controller in a storage array encrypts the data as it is written to the disks. Encryption can be performed in custom application-specific integrated circuits (ASICs) or in software. In both cases, key management can be achieved via an onboard key manager or through an external KMIP-compliant key manager.
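To make the protocol concrete, here is an added example (not VMware's or any KMS vendor's code) that encodes and decodes KMIP's TTLV wire format and builds the Get request a KMIP client such as vCenter Server sends to fetch a key by its unique identifier. The tag, type and Operation enumeration values are those defined in the OASIS KMIP 1.x specification; the key identifier string is invented, and in practice the encoded bytes travel inside a mutually authenticated TLS session, which is omitted here.

```python
"""Encode and decode KMIP TTLV messages, such as the Get request a KMIP client sends.

Added example, not VMware's or any KMS vendor's code. Tag, type and Operation
values are from the OASIS KMIP 1.x specification; the key identifier is made up.
"""
import struct

# KMIP item types (one byte)
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING, BYTE_STRING = 0x01, 0x02, 0x05, 0x07, 0x08

# KMIP tags (three bytes) used by a Get request
TAG = {
    "RequestMessage": 0x420078, "RequestHeader": 0x420077, "ProtocolVersion": 0x420069,
    "ProtocolVersionMajor": 0x42006A, "ProtocolVersionMinor": 0x42006B,
    "BatchCount": 0x42000D, "BatchItem": 0x42000F, "Operation": 0x42005C,
    "RequestPayload": 0x420079, "UniqueIdentifier": 0x420094,
}
OPERATION_GET = 0x0A  # Operation enumeration value for Get


def ttlv(tag, typ, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8 bytes."""
    if typ == STRUCTURE:
        body = b"".join(value)              # children are already encoded
    elif typ in (INTEGER, ENUMERATION):
        body = struct.pack(">I", value)     # 32-bit; non-negative values only in this example
    elif typ == TEXT_STRING:
        body = value.encode("utf-8")
    elif typ == BYTE_STRING:
        body = bytes(value)
    else:
        raise ValueError(f"unsupported TTLV type {typ:#x}")
    header = tag.to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body))
    return header + body + b"\x00" * ((-len(body)) % 8)


def parse(buf):
    """Decode TTLV bytes into a list of (tag, type, value); structures nest as lists."""
    items, pos = [], 0
    while pos < len(buf):
        tag = int.from_bytes(buf[pos:pos + 3], "big")
        typ = buf[pos + 3]
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        raw = buf[pos + 8:pos + 8 + length]
        if len(raw) != length:
            raise ValueError("truncated TTLV item")   # never trust the length field blindly
        if typ == STRUCTURE:
            value = parse(raw)
        elif typ in (INTEGER, ENUMERATION):
            value = struct.unpack(">I", raw)[0]
        elif typ == TEXT_STRING:
            value = raw.decode("utf-8")
        else:
            value = raw
        items.append((tag, typ, value))
        pos += 8 + length + (-length) % 8
    return items


def get_request(key_id, major=1, minor=1):
    """A complete KMIP Get request for one managed object, addressed by Unique Identifier."""
    header = ttlv(TAG["RequestHeader"], STRUCTURE, [
        ttlv(TAG["ProtocolVersion"], STRUCTURE, [
            ttlv(TAG["ProtocolVersionMajor"], INTEGER, major),
            ttlv(TAG["ProtocolVersionMinor"], INTEGER, minor),
        ]),
        ttlv(TAG["BatchCount"], INTEGER, 1),
    ])
    item = ttlv(TAG["BatchItem"], STRUCTURE, [
        ttlv(TAG["Operation"], ENUMERATION, OPERATION_GET),
        ttlv(TAG["RequestPayload"], STRUCTURE, [
            ttlv(TAG["UniqueIdentifier"], TEXT_STRING, key_id),
        ]),
    ])
    return ttlv(TAG["RequestMessage"], STRUCTURE, [header, item])


def requested_key_id(request):
    """Parse a Get request and return the Unique Identifier it asks for (None if absent)."""
    def find(items, tag):
        for t, typ, v in items:
            if t == tag:
                return v
            if typ == STRUCTURE:
                hit = find(v, tag)
                if hit is not None:
                    return hit
        return None
    return find(parse(request), TAG["UniqueIdentifier"])
```

The encoder reproduces the worked TTLV examples in the specification (an Integer 8, the Text String "Hello World", and a Structure holding an Enumeration and an Integer), which is a quick way to check any TTLV implementation before pointing it at a real key server.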

PCI DATA SECURITY STANDARD (PCI DSS)

VMware products have been assessed for PCI DSS control capabilities (see Compliance & VMware below). PCI DSS was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. For VMware users who need to meet compliance, Alliance Key Manager has been validated for PCI DSS in VMware by Coalfire, a PCI Qualified Security Assessor (QSA) and independent IT audit firm. Alliance Key Manager for VMware can also help businesses meet other compliance regulations such as CCPA, HIPAA, GLBA/FFIEC and FISMA.


COMPLIANCE & VMWARE

FOR MANY BUSINESSES, STORING OR processing credit card numbers, financial information, healthcare data, and other personally identifiable information (PII) in a virtual, shared environment is the norm. The challenge is meeting data security requirements and preventing unwanted access to sensitive data. Failure to implement and execute a well-planned security strategy may lead to a security breach resulting in data spillage, data compromise, loss of data integrity, loss of customer trust, legal action, revenue loss, and even loss of the business.

Industry and regulatory compliance standards help protect computing assets from security vulnerabilities and misconfigurations, and minimize risk in execution environments such as development, test, and production.

With VMware, organizations that want to protect sensitive data can use encryption and key management to secure data, comply with industry security standards, protect against data loss, and help prevent data breaches. When considering encryption options, organizations must consider both governmental and private compliance regulations that require them to protect sensitive information. Most regulations require proper protection of PII. For example, the European Union General Data Protection Regulation (GDPR) imposes multiple demands on global companies to protect the personal data of individuals in the European Union (EU). The Payment Card Industry Data Security Standard (PCI DSS) requires that stored primary account numbers be rendered unreadable, most commonly by encryption. The Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH) require protection of electronic Protected Health Information (ePHI). These are just three of the many compliance regulations that today's organizations must consider in their cybersecurity programs, and they must stay in continual compliance as the regulations change and expand.

VMWARE AND GDPR

In response to escalating external and internal threats and uncertainty, lawmakers and regulators around the world have been strengthening their data security compliance requirements, implementing new legal frameworks and levying higher noncompliance penalties. This places organizations at considerable risk of compliance violations, along with the resulting fines and remediation costs. On May 25th, 2018, the European Union made securing personal data an even bigger challenge for companies that handle data about people in the EU: that was the day the General Data Protection Regulation (GDPR) came into force.


The GDPR unifies data protection law across the EU and gives its protections global reach, since it applies to any organization that processes the personal data of people in the EU, wherever the organization is located. One area of concern for EU countries, among many, is that U.S.-based cloud vendors can be compelled by U.S. authorities to provide access to specific information, even if it resides outside the U.S. Every organization in scope must comply or face penalties, including damaging fines and the loss of the opportunity to do business within the EU. The GDPR's "right to be forgotten" (the right to erasure) lets individuals require that their personal data be deleted, and its broader rights of access, rectification and objection give individuals control over the processing of their personal data. The regulation also restricts transfers of personal data outside the EU: such transfers are permitted only under an adequacy decision, appropriate safeguards such as standard contractual clauses, or a specific derogation such as the individual's explicit consent.

VMware Cloud on AWS, as an example, has been independently verified by Schellman & Company, LLC, to comply with the GDPR. In the language of the GDPR, when providing services to its customers via the VMware Cloud on AWS service offering, VMware is acting as a "data processor." VMware's customers may perform customer-defined data processing activities on their own data within the service and, in doing so, act as "data controllers." Data controllers may only appoint data processors who provide sufficient guarantees that they implement appropriate technical and organizational measures to ensure processing meets the GDPR's requirements. The GDPR also requires the ability to ensure the ongoing availability and resilience of processing systems and to restore availability promptly after an incident. To support this requirement, key managers should implement high-availability (HA) services: an unavailable key manager makes every encrypted dataset it serves unavailable too.

Encryption and key management can help meet the GDPR's privacy requirements, as well as individuals' right of erasure (right to be forgotten): destroying the key that protects a dataset renders that data irrecoverable (crypto-shredding). While the GDPR does not mandate that all organizations encrypt sensitive data, it names encryption as an appropriate technical measure, it relieves an organization of notifying affected individuals after a breach if the data was encrypted so that it is unintelligible to the attacker (Article 34), and the measures taken to protect data are a factor supervisory authorities weigh when setting fines. Thanks to VMware's wide-ranging focus on security, implementing encryption and key management tools will help users meet the requirements of the GDPR.

VMWARE AND PCI DSS

With security breaches in the news and such incidents becoming more widespread, how can you ensure that your customers' credit card information remains secure? This is the purpose of the Payment Card Industry Data Security Standard (PCI DSS), which applies to all merchants who accept credit cards. PCI DSS requires merchants to protect sensitive cardholder information from loss, and to use good security practices to detect and protect against security breaches. PCI DSS applies to all environments that store, process, or transmit cardholder data, including Primary Account Numbers (PAN). PCI DSS Requirement 3 covers protection of stored cardholder data, including encryption and the management of the keys used for it.

[Figure: PCI DSS Prioritized Approach for PCI DSS 3.2 (PCI Security Standards Council, May 2016). The six milestones: (1) remove sensitive authentication data and limit data retention; (2) protect systems and networks, and be prepared to respond to a system breach; (3) secure payment card applications; (4) monitor and control access to your systems; (5) protect stored cardholder data; (6) finalize remaining compliance efforts and ensure all controls are in place. PCI DSS compliance is a continuous process: assess, remediate, report.]

Even with this mandatory requirement, a large majority of organizations still struggle to maintain PCI compliance, and the process is costly, both in addressing the root causes of PCI audit failures and in often severe non-compliance fees. By proactively assessing their weaknesses around PCI compliance, and installing the security controls that can mitigate data breaches, companies improve their own data security and, with it, their compliance posture.

For these reasons, VMware offers a wide range of cybersecurity services and documentation to help organizations secure their data. For example, VMware has enlisted audit partners such as Coalfire, a PCI DSS Qualified Security Assessor, to evaluate VMware products and solutions for PCI DSS control capabilities in a programmatic way, and then to document these capabilities in a set of reference architecture documents.

VMware also provides customers with access to vRealize Air Compliance, which assesses vSphere-based virtualized environments against specific compliance standards and risk profiles. Available standards and profiles include multiple versions of the VMware vSphere Hardening Guide, PCI DSS 3.2, and the HIPAA technical safeguards. Users can continuously assess their vCenter Server instances, ESXi hosts, VMs, and distributed port groups to ensure that they comply with the technical controls defined in those standards.

At a high level, the VMware software-defined data center (SDDC) provides software-defined infrastructure, software-defined networking, and management and security technologies capable of supporting, adhering to, and addressing control objectives relevant to PCI DSS, so that the platform can host cardholder data environments (CDE). VMware End-User Computing (EUC) provides secure delivery mechanisms for any application, to any device, anywhere. Further, VMware's network of partners provides added value with technologies that can be inserted into the platform to address additional requirements and enhance security.

PRODUCT APPLICABILITY GUIDE FOR PCI DSS

Working with Coalfire, a PCI Qualified Security Assessor and independent IT audit firm, Townsend Security has released the "Townsend Security Addendum to VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.0" (April 2015, v1.0).

VMWARE AND HIPAA

The Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH) set out data security regulations for the healthcare industry. HIPAA/HITECH does not explicitly require encryption of sensitive data, but the breach notification rule contains a "safe harbor": if a healthcare organization or one of its Business Associates (BAs) suffers a breach of Protected Health Information (PHI) that was encrypted in line with HHS guidance, the data is not considered "unsecured" and the breach need not be reported. Conversely, a breach of PHI that was not encrypted or otherwise rendered unusable triggers notification obligations and exposes the organization to heavy penalties.

This matters because the consequences of noncompliance are severe: civil and criminal penalties imposed by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) and by the U.S. Department of Justice (DOJ). What's more, there is a high probability of collateral impact from the failure to protect patient privacy, institutional trust, and the organization's finances. In extreme cases of breach or data loss, the fines and penalties are minor compared to the potential cost of litigation, restitution, and public relations recovery.

Compliance with the HIPAA Security Rule and the HIPAA Privacy Rule for electronic Protected Health Information (ePHI) requires the use of many security technologies and best practices to demonstrate strong efforts toward complying with this federal regulation. Effectively securing ePHI and auditing IT and security operations may involve both strong encryption and real-time and historical activity logs spanning many systems.

VMware recognizes the following as critical areas that must be addressed by each covered entity and BA in the operation of healthcare information systems: security and compliance, the criticality and vulnerability of the assets needed to manage ePHI infrastructures, and the risks to which they are exposed. This approach provides management, IT architects, administrators, and auditors with a high degree of transparency into risks, solutions, and mitigation strategies for moving critical applications to the cloud in secure and compliant ways. By standardizing an approach to compliance and extending it to include partners, VMware provides its customers with a proven solution that more fully addresses their compliance needs.

Organizations can reduce the complexity and cost of HIPAA Security Rule compliance by replacing traditional non-integrated products with integrated solutions. To address this gap, VMware and its partner ecosystem deliver compliance-oriented integrated solutions that enable compliance by automating the deployment, provisioning, and operation of regulated environments. In this way, VMware provides the solution reference architecture, HIPAA Security Rule-specific guidance, and software solutions that businesses require to achieve continuous compliance, along with speed, efficiency, and agility for their applications.


VMWARE AND CALIFORNIA CONSUMER PRIVACY ACT (CCPA)

Do I need to comply? If you collect data on people who are in California, meet the minimum criteria (see below), and are not explicitly excluded, you must meet the requirements of the law. Note that this does not apply only to "California citizens" but to people who are in the state at the time of data collection. You are not exempt because your organization resides outside California. If you collect data on people in California, assume you are covered by the law.

If you meet any of these criteria, you are required to comply with the CCPA:

• You have $25 million or more in annual revenue
• You collect information on 50,000 or more consumers, households, or devices
• You derive 50 percent or more of your revenue from selling personal information to third parties

The law applies to for-profit businesses, whether publicly traded or privately held. There are some exclusions: if your organization is already covered by equivalent privacy regulations such as HIPAA or GLBA, parts of your data may be exempt. Don't be lulled into complacency by this. The CCPA contains privacy requirements that are not covered under those laws. If you think you are exempt, get legal advice on this point.

What information does it cover? The personal information covered by the CCPA is quite broad and extends into areas not covered under GDPR and other regulations. The current definition of personal information includes:

• Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers
• Personal and commercial behaviors, and inferences drawn from them
• Characteristics of protected classifications under California or federal law
• Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
• Biometric information
• Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer's interaction with a website, application, or advertisement
• Geolocation data
• Professional or employment-related information
• Education information

Am I required to encrypt sensitive data? If you want to avoid the risk of direct or class-action litigation over data loss, you should encrypt the sensitive data. The CCPA's private right of action (Cal. Civ. Code § 1798.150(a)(1)) applies only to nonencrypted and nonredacted personal information that is disclosed or lost because the business failed to implement and maintain reasonable security procedures and practices. Losing unencrypted sensitive data therefore leaves you arguing about whether your security was reasonable; losing encrypted data keeps the incident outside the statute's private right of action altogether.

SECURITY BEYOND COMPLIANCE

ALONG WITH REGULATORY COMPLIANCE, THERE are many other reasons to optimize data security in VMware, including intellectual property and reputation protection.

INTELLECTUAL PROPERTY (IP) PROTECTION

Whether it's the plans for a new product, proprietary schematics for an existing product, or information that exposes your business processes, your business has a lot of IP you want kept secret. Most companies place a priority on protecting PII, PHI, or cardholder data (CHD). But there is a lot of other information that could hurt, even cripple, your company should it get out. In fact, Deloitte estimates that IP can constitute more than 80 percent of an enterprise company's value.

That is why encryption should be thought of as a company-wide initiative. Below is a short (and certainly not exhaustive) list of items that your company should be encrypting:

• Product/Solution Documents: If you rely on proprietary information for a competitive advantage in the marketplace, encrypt any information that would give your competition a window into how your products or solutions work.
• Research and Development (R&D) Data: In the same vein, any R&D you are conducting is your advantage in tomorrow's competitive landscape. Don't let it be stolen from you because you did not properly secure it.
• Financial Reports: Most companies would love to see their competitors' financial statements. Encrypt anything that could give your current financial position away.
• Legal Documentation: There is a lot of documentation that, if made public, could tarnish a company's reputation. You and your company need full confidence that what happens in the boardroom or the HR office stays there.

REPUTATION PROTECTION

A study sponsored by VMware and conducted by The Economist Intelligence Unit (EIU) found that reputational risk was C-suite executives' greatest cybersecurity concern. A company's brand is its most valuable asset, because it touches all aspects of the enterprise, including growth and revenue, and negative perception extends to a company's products and services. Cyber attacks are especially damaging to reputation because the harm is not contained to the company itself: attacks also expose customers to the risk of identity theft or financial loss. Brand reputation is a fragile asset that, once compromised, is not easy to repair. It can take decades to build reputation and consumer trust.


CRITICAL INFRASTRUCTURE

WITH ALLIANCE KEY MANAGER, WE HAVE DONE a lot to address concerns about the resilience of a key manager, because it is critical infrastructure. That work includes the following.

HARDWARE AND SOFTWARE RESILIENCE

If you are properly protecting keys, the encryption key management solution becomes part of your critical infrastructure: if the key manager goes down, applications that need keys stop functioning until key management is back up. Alliance Key Manager addresses this in a number of ways. One is that the key manager is built for redundancy. Hardware can fail, so we implement a resilient hardware platform with a lot of redundancy built in. The first layer of keeping an encryption key manager up and running is therefore a good hardware platform, or running in the cloud; the second, covered next, is mirroring to additional key servers.

BACKUP/RECOVERY, HIGH AVAILABILITY, AND MIRRORING

Real-time mirroring of keys, and of the policy around keys, is critical for high availability and recovery. Key management servers should mirror keys between multiple key managers over a secure, mutually authenticated TLS connection for hot backup and disaster recovery. Organizations can choose to mirror key managers on-premises, in the cloud, or in a hybrid of the two. If you have a failed server, a hardware problem, or a network outage, you should be able to define fail-over servers, and fail-over should take place in real time.

Alliance Key Manager fully supports resilience through real-time mirroring. This is not an operating system feature; the key server itself implements the mirroring, and it is self-healing: if two key servers are mirroring to each other and the network goes down, they queue the mirroring transactions and, when the network comes back, re-commit those changes to the peer. Alliance Key Manager is thus a robust facility for making sure you have good backups of your encryption keys.
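As an added illustration of the queue-and-replay behaviour described above (example code, not Alliance Key Manager's implementation), the following models two key servers joined by a mirror link that can go down. The key records, the in-memory stores and the link are stand-ins constructed for the demonstration; the point it shows is that an outbox drained in order, with the receiver applying only newer key versions, makes a replayed transaction after reconnect harmless rather than a source of stale-key overwrites.

```python
"""Queue-and-replay mirroring between two key servers across a network outage.

Added example, not Alliance Key Manager code. Key records, stores and the
mirror link are in-memory stand-ins constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class KeyRecord:
    key_id: str
    version: int
    material: bytes   # a real key server would only ever mirror this wrapped


@dataclass
class KeyServer:
    name: str
    keys: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)   # mirror transactions not yet confirmed by the peer

    def put(self, rec: KeyRecord) -> None:
        """Commit locally, then enqueue a mirror transaction (write-ahead outbox)."""
        self.keys[rec.key_id] = rec
        self.outbox.append(rec)

    def apply_mirror(self, rec: KeyRecord) -> bool:
        """Apply an incoming transaction idempotently: only a newer version wins,
        so a transaction replayed after reconnect cannot roll a key back."""
        current = self.keys.get(rec.key_id)
        if current is not None and current.version >= rec.version:
            return False
        self.keys[rec.key_id] = rec
        return True


class MirrorLink:
    """Stand-in for the mutually authenticated TLS session between two key servers."""

    def __init__(self, src: KeyServer, dst: KeyServer):
        self.src, self.dst, self.up = src, dst, True

    def sync(self) -> int:
        """Push queued transactions in order. While the link is down nothing is
        sent and nothing is dropped. Returns the number delivered this call."""
        delivered = 0
        while self.src.outbox:
            if not self.up:
                break                      # outage: leave the remainder queued for replay
            rec = self.src.outbox[0]
            self.dst.apply_mirror(rec)
            self.src.outbox.pop(0)         # removed only once the peer has applied it
            delivered += 1
        return delivered


def demo():
    """Rotate a key during an outage and confirm the peer catches up on reconnect."""
    a, b = KeyServer("kms-a"), KeyServer("kms-b")
    link = MirrorLink(a, b)
    a.put(KeyRecord("db-key", 1, b"\x01" * 32))
    link.sync()
    link.up = False                        # network goes down
    a.put(KeyRecord("db-key", 2, b"\x02" * 32))      # rotation while disconnected
    a.put(KeyRecord("vm-key", 1, b"\x03" * 32))      # new key while disconnected
    queued_during_outage = len(a.outbox)
    stale_version_on_peer = b.keys["db-key"].version
    link.up = True                         # network returns
    replayed = link.sync()
    return (queued_during_outage, stale_version_on_peer, replayed,
            b.keys["db-key"].version, len(b.keys), len(a.outbox))
```

The outbox is popped only after the peer has applied the record; in a real implementation that is the point at which the peer's acknowledgement arrives over TLS, and losing the acknowledgement simply causes a harmless resend.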

ACTIVE MONITORING

Active monitoring is one of the core security recommendations for preventing unauthorized access to sensitive systems and information. It is a requirement of a wide variety of compliance regulations, such as PCI DSS and the HIPAA/HITECH Act, among many others. From a security perspective, active monitoring appears in the CIS Critical Security Controls (formerly the SANS Top 20) and is a key recommendation from U.S. government cybersecurity agencies. For a key manager, that means every key creation, retrieval, rotation, export and administrative action should be logged with the authenticated identity of the client or administrator, and those logs should be shipped to a SIEM or log server in real time.
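Bringing together the logging requirement from the key management section earlier in this guide and the active monitoring point above, here is an added example (not code from the guide or from any SIEM or key-management product) that parses key-manager audit events exported in the Common Event Format (CEF) and runs three detections over them: a key retrieval by a client identity outside the expected host list, a burst of failed retrievals from one client, and any key export. The CEF lines, the client names, the allow-list and the event names are all constructed for the demonstration; the extension field names (suser, cs1, rt, outcome) follow CEF conventions.

```python
"""Parse key-manager audit events exported as CEF and flag suspicious key access.

Added example, not code from the guide or from any SIEM or key-management
product. The events, client names, allow-list and event names are constructed.
"""
import re
from collections import Counter

# Constructed sample export: one CEF record per key-manager audit event.
# Header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
SAMPLE_LOG = """\
CEF:0|ExampleKMS|KeyManager|4.0|100|KeyRetrieve|3|rt=1589900000000 suser=esxi-01.corp.example cs1=db-key-01 outcome=success
CEF:0|ExampleKMS|KeyManager|4.0|100|KeyRetrieve|3|rt=1589900001000 suser=esxi-02.corp.example cs1=db-key-01 outcome=success
CEF:0|ExampleKMS|KeyManager|4.0|100|KeyRetrieve|3|rt=1589900002000 suser=laptop-7 cs1=db-key-01 outcome=success
CEF:0|ExampleKMS|KeyManager|4.0|101|KeyRetrieve|5|rt=1589900003000 suser=esxi-03.corp.example cs1=db-key-01 outcome=failure
CEF:0|ExampleKMS|KeyManager|4.0|101|KeyRetrieve|5|rt=1589900004000 suser=esxi-03.corp.example cs1=db-key-01 outcome=failure
CEF:0|ExampleKMS|KeyManager|4.0|101|KeyRetrieve|5|rt=1589900005000 suser=esxi-03.corp.example cs1=db-key-01 outcome=failure
CEF:0|ExampleKMS|KeyManager|4.0|200|KeyExport|9|rt=1589900006000 suser=kms-admin-1 cs1=db-key-01 outcome=success
"""

# Client certificate identities expected to retrieve keys (constructed allow-list).
ALLOWED_CLIENTS = {"esxi-01.corp.example", "esxi-02.corp.example", "esxi-03.corp.example"}

HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")


def parse_cef(line):
    """Return the seven CEF header fields plus an 'ext' dict of extension key=value pairs.

    Header fields are separated by '|'; a literal pipe inside a field is escaped as
    backslash-pipe, so the split must ignore escaped pipes. Extension values may
    contain spaces, so a value runs until the next ' key=' token.
    """
    parts = re.split(r"(?<!\\)\|", line.rstrip("\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF record: {line!r}")
    rec = {name: part.replace("\\|", "|").replace("\\\\", "\\")
           for name, part in zip(HEADER_FIELDS, parts[:7])}
    rec["version"] = rec["version"][len("CEF:"):]
    rec["severity"] = int(rec["severity"])
    rec["ext"] = {m.group(1): m.group(2)
                  for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])}
    return rec


def detect(lines, allowed_clients=ALLOWED_CLIENTS, fail_threshold=3):
    """Run three detections over exported events; return a list of (rule, detail)."""
    alerts, failures = [], Counter()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_cef(line)
        client, key = ev["ext"].get("suser"), ev["ext"].get("cs1")
        if ev["name"] == "KeyRetrieve":
            if client not in allowed_clients:
                alerts.append(("unknown-client", f"{client} retrieved {key}"))
            if ev["ext"].get("outcome") == "failure":
                failures[client] += 1
                if failures[client] == fail_threshold:   # alert once, when the threshold is hit
                    alerts.append(("failed-retrieval-burst",
                                   f"{client}: {fail_threshold} failed retrievals of {key}"))
        elif ev["name"] == "KeyExport":
            alerts.append(("key-export", f"{client} exported {key}; confirm dual-control approval"))
    return alerts
```

The "unknown-client" rule is the one that pays for itself: a key manager that authenticates clients by certificate will happily serve any certificate its CA issued, so the allow-list of hosts expected to hold each key is a control the SIEM can enforce even though the key server itself does not.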


VENDOR CONSIDERATIONS

GENERALLY, THE CONSIDERATIONS FOR sourcing an encryption key management solution for VMware are similar to those for any vendor relationship. The limited number of vendors in this space can limit your choices, but there are good solutions to choose from.

LICENSING

Vendors take a variety of approaches to licensing their key management solutions. The main difference is in licensing constraints on the VMware side. You may start your first VMware encryption project with a rather limited scope, but as you continue to encrypt more sensitive data you will need to scale. Some encryption key management vendors license software based on the number of VMware instances you place under protection. Others provide an unlimited number of client-side licenses once you acquire the key manager. Be sure you understand the licensing terms of each solution you evaluate, and be sure you understand your long-term needs.

You should not need to license every endpoint that connects to the key server. The cost and complexity of licensing all endpoints is unnecessary and can be a huge barrier to getting data protection up and running quickly across the organization. Some vendors charge as much as $15,000 or more per connection. These hidden costs quickly add up and turn a solution that looked cost-effective into an exorbitant expenditure. Look for a key management solution that never:

• Charges fees for connecting a new endpoint
• Limits the number of endpoints based on the model of the key manager
• Limits the number of encryption keys generated or stored
• Charges extra fees for software patches
• Charges extra fees for routine software upgrades

DOCUMENTATION

Documentation of your VMware implementation will be crucial for long-term success. In addition to documentation on installation and configuration, be sure your vendor provides documentation on key rotation, applying patches to the key manager, upgrading the key manager to new versions, and problem determination. All of these aspects should be covered in vendor documentation.

TRAINING

While key management solutions have become much simpler over time, you should still expect some operational and technical training from your encryption and key management vendor. Gone are the days when this meant a lot of on-site educational expense; modern encryption and key management solutions may require only a short period of coaching to deploy and maintain. Be sure your vendor has a program to deliver training in a timely fashion.


CUSTOMER SUPPORT

Many businesses have devalued their customer support experience, which is a problem for key manager users: when you have a problem with encryption or key management, it is likely to affect your application service levels. Before acquiring your key management solution, schedule time with the customer support group. Do they have a formal problem tracking system? Do you have access to all the problem tickets you raise? Does the customer support group respond in a timely fashion? Is there a 24/7 response number? All of the normal customer support questions you might ask are relevant to a VMware key management solution. We all know what really bad customer support looks like, so be sure there is a good team standing behind the solution you deploy.

SERVICES

The modern enterprise is often geographically distributed, which can make deployment and training difficult. While VMware encryption key management solutions can be simple to deploy and configure, you may want to be sure your vendor can send staff on-site for support.


SUMMARY

VMWARE VIRTUALIZATION HAS BEEN A game-changing technology for IT, providing efficiencies and capabilities that were previously impossible for organizations constrained within traditional data centers. With VMware, organizations are able to reduce hardware costs, lower operational costs, and gain a clear path to the cloud. With the addition of encryption, you can deploy secure environments where there is less risk of data loss in the event of a breach.

The Alliance Key Manager client-side applications, software libraries, and SDKs integrate fully with Alliance Key Manager for key protection, and work naturally with your SQL Server, MongoDB, Windows, and Linux VMware VMs. The solution offers strong security, flexibility, and affordability for all VMware users running enterprise databases. With no additional client-side software to install, customers can deploy Alliance Key Manager and install the PKI certificates on the database server to begin retrieving encryption keys.

By deploying a virtualized encryption key manager, enterprises are able to reduce hardware costs, lower operational costs, minimize the IT footprint, and keep a clear path for a future move to the cloud. Using the same FIPS 140-2 compliant technology that is in our HSM and in use by over 3,000 customers, Townsend Security's Alliance Key Manager for VMware brings a proven and mature encryption key management solution to VMware environments with a lower total cost of ownership.

The solution is available as an HSM, as a VMware instance, and in the cloud (Amazon Web Services, Microsoft Azure, IBM Cloud for VMware, and VMware vCloud), allowing organizations to meet compliance requirements (CCPA, PCI DSS, HIPAA, GDPR, etc.) and security best practices. Townsend Security offers a 30-day, fully functional evaluation of Alliance Key Manager.

SUPPORTED VERSIONS OF VMWARE

Alliance Key Manager for VMware supports VMware ESX, VMware vSphere, vSAN, and vCloud.

VMWARE TECHNOLOGY ALLIANCE PARTNER

Townsend Security is an Advanced-tier VMware Technology Alliance Partner (TAP), and Alliance Key Manager for VMware has achieved VMware Ready status and vSphere and vSAN certification. This designation indicates that, after a detailed validation process, Alliance Key Manager for VMware has achieved VMware's highest level of endorsement.

“A very cost effective solution in terms of performance, manageability, security, and availability. As a result, my company was quickly able to implement full database encryption leveraging the AKM as our key management solution in weeks. Comparable solutions could have taken months.” - CERTAIN


ALLIANCE KEY MANAGER

• FIPS 140-2 and KMIP compliant enterprise key manager
• Available as an HSM, a VMware instance, or in the cloud (AWS, Microsoft Azure)
• Affordably priced, with no restrictions on server connections or client-side applications
• Meets compliance regulations such as PCI DSS, HIPAA, GDPR, and more

ABOUT TOWNSEND SECURITY

TOWNSEND SECURITY CREATES DATA PRIVACY solutions that help organizations meet evolving compliance requirements and mitigate the risk of data breaches and cyber-attacks. Over 3,000 organizations worldwide trust Townsend Security's NIST and FIPS 140-2 compliant solutions to meet the encryption and key management requirements in PCI DSS, HIPAA/HITECH, FISMA, GLBA/FFIEC, SOX, GDPR and other regulatory compliance requirements.

CONTACT TOWNSEND SECURITY
www.townsendsecurity.com
@townsendsecure
105 8th Ave SE, Suite 301
Olympia, WA 98501
360.359.4400

“Townsend is a full service security provider that remains on the cutting edge and has demonstrated exceptional customer service.” - CSU FRESNO