CONTENTS
Introduction 4
Critical Infrastructure 18
Hybrid Deployments 24
Business Benefits 25
Challenges in VMware 26
Vendor Considerations 27
INTRODUCTION

The VMware story began in 1998 when five forward-thinking technologists launched an innovative virtualized computing solution. Shortly thereafter, it became the first commercially successful company to virtualize the x86 architecture. Today VMware is a top-tier cloud computing and virtualization provider, and a popular solution for organizations moving to the cloud. VMware's desktop software runs on Microsoft Windows, Linux, and macOS, while its enterprise software hypervisor for servers, VMware ESXi, is a bare-metal hypervisor that runs directly on server hardware without needing an additional underlying OS.

In our increasingly insecure cyber world, VMware understands the critical nature of robust security solutions, including encryption capabilities. However, applying security in a VMware environment introduces unique challenges. Principally, in these environments, systems are no longer dedicated and instead share a common physical architecture. They also face unique security challenges related to running data processing and storage in the cloud. Questions around deployment and how to get the most out of native encryption tools are often barriers to implementation. These issues not only present new risks for data breaches, but also open organizations up to a higher risk of non-compliance with an expanding body of regulatory directives.

for many customers. VMware customers need strong encryption and key management solutions that run natively in their virtual environments and provably meet compliance regulations. To provide insight on how to best deploy encryption and encryption key management in VMware, this comprehensive guide overviews the landscape for securing data in a virtual world. If you'd like to first learn the fundamentals of encryption and key management before diving in, view The Definitive Guide to Encryption Key Management Fundamentals.
WHY ENCRYPT IN VMWARE

Encrypting virtual machines (VMs) is an important step organizations take to protect their confidential applications and data. Encryption is a mechanism used to protect data by transforming it into an unreadable format, so that it is completely private from anyone not explicitly approved to read it through decryption. Gaining access to encrypted information requires a person or application to possess the "key" to open the encryption formula and convert the data back to its original readable format. In this way, encryption provides a fail-safe mechanism, whereby, if all other cybersecurity measures fail and data is stolen, the information is still protected because it is unreadable and, therefore, useless to the person or machine trying to access it. The data remains secure and compliant. VMware provides several options for deploying encryption functionality.

Townsend Security's Alliance Key Manager is a FIPS 140-2 compliant enterprise key manager that helps organizations meet compliance requirements and protect private information. The symmetric encryption key management solution creates, manages, and distributes 128-bit, 192-bit, and 256-bit AES keys for any application or database running on any enterprise operating system. Townsend Security deploys ready-to-use security applications for vSphere, MongoDB, Microsoft SQL Server Transparent Data Encryption (TDE) and Cell Level Encryption (CLE), Microsoft SharePoint encryption, and other applications. We also provide client-side applications, SDKs, and sample code free of charge. The solution can be deployed in VMware, the cloud (AWS or Microsoft Azure), or as a hardware security module (HSM).

PROTECTING VMS AT REST AND IN TRANSIT

One of the advantages of VMs is that they are portable. Pick up a VM image and you can run it on any physical server. However, this also means anyone who has access to the image also has access to its files and data. VMs are also vulnerable when a running machine is transferred to another server. Anyone who has access to the network will also have access to the VM and its data. When using VMware, you can use encryption to protect your VMs both at rest and in transit, just like any other data you store and transmit.

ENCRYPTION IN VMWARE

VMware includes encryption in vSphere 6.5, making it easy to encrypt without using third-party hardware or software. The encryption features protect both VMDK images and vMotion transfers of VMs. Encryption is fully managed by the hypervisor, so keys are not known to the VM and there's no potential exploit in the guest OS. With Alliance Key Manager, you can implement vSphere encryption to protect the VMs at rest, and also implement database encryption to protect the database. In some cases, this will mean multiple layers of encryption, but this provides additional layers of security.
ENCRYPTION KEYS

Encrypting VMs relies on keys, so you need to have an encryption key manager (software or hardware) when using VM encryption. Without keys, encrypted VM files cannot be read or executed. When encrypting a VM, the disk files, snapshots, swap files, and dumps are all protected. A few remaining configuration and log files are not encrypted, because they aren't sensitive or because they support operations that have to execute regardless of the encryption status of the disks. VMware does report some minimal overhead from deploying decryption operations. However, if performance remains a concern, running it on servers that support AES-NI instructions speeds up the encryption process.

When encrypting VMs on vMotion, a random one-time key is generated and sent to the hosts involved in the vMotion process. In this case, it's not the network that's protected, but the VM itself. As a result, snooping is not possible. Further, certificates are not required, and users don't need to worry about network settings. Encrypted VMs require encrypted vMotion, but you can use encrypted vMotion even on unencrypted VMs. To ensure high availability, VMware uses automatic failover for key management through the definition of vSphere KMS Clusters.

vSphere allows users to control whether encryption is applied to a VM's virtual disks or configuration files through storage policies. You also have control over who can manage the encryption in VMware. It isn't necessary, or even advisable, to grant encryption privileges to every VM administrator. Restricting this critical function enhances your security posture.
COMPLIANCE & VMWARE

For many businesses, moving to the cloud means storing or processing credit card numbers, financial information, healthcare data, and other personally identifiable information (PII) in a virtual, shared environment. The challenge is meeting data security requirements and preventing unwanted access to sensitive data in an environment that is inherently less secure. The lack of compliance and failure to implement and execute a well-planned security strategy may lead to a breach in security resulting in data spillage, data compromise, loss of data integrity, loss of customer trust, legal actions, revenue loss, and even loss of business. Industry and regulatory compliance standards help protect computing assets from multiple security vulnerabilities and misconfigurations, and minimize the risk in execution environments, such as development, test, and production.

With VMware, businesses that want to protect sensitive data can use encryption and key management to secure data, comply with industry security standards, protect against data loss, and help prevent data breaches. When considering encryption options, organizations must consider both governmental and private compliance regulations that require them to protect sensitive information. Most regulations require proper protection of PII. For example, the new European Union General Data Protection Regulation (GDPR) imposes multiple demands upon global companies to protect the personal data of all European Union (EU) residents. The Payment Card Industry Data Security Standard (PCI DSS) requires that credit card numbers be encrypted in storage. The Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH) require protection of Electronic Protected Health Information (ePHI).

These are just three of the many compliance regulations that today's organizations must consider in their cybersecurity programs to ensure that they are in continual compliance with all of the relevant regulations as they change and expand.

VMWARE AND GDPR

In response to escalating external and internal threats and uncertainty, lawmakers and regulators around the world have been strengthening their data security compliance requirements, implementing new legal frameworks and levying higher noncompliance penalties. This places organizations at tremendous risk for compliance violations, along with the resulting fines and remediation costs. On May 25th, 2018, the European Union made securing citizens' data an even bigger challenge for companies doing business that involves handling their citizens' data. That was launch day for the new European Union General Data Protection Regulation (GDPR).

GDPR has sharper teeth than any other compliance regulation to date. With tighter controls and higher penalties, the new law is poised to enforce data protection beyond the limits of any other compliance regulation. This will permanently impact the way organizations handle consumer data. While other regulations, like PCI DSS and HIPAA, have expanded their rules and enforcement in recent years, it's likely that GDPR will set a new standard — one that other regulatory bodies will be inspired or compelled to follow. As such, meeting privacy and data residency requirements can become an enormous burden for global enterprises working in EU countries.

The GDPR attempts to unify data protection laws in Europe and ensure that citizens' rights and protections have a global impact. One area of concern for EU countries, among many, is the fact that U.S.-based cloud vendors can be subpoenaed by U.S. governments to provide access to specific information, even if it resides outside of the U.S. With this regulation, every organization will be forced to comply or face penalties, including damaging fines and even losing the opportunity to work within the EU. Specifically, the GDPR's "right to be forgotten" rule provides individuals with specific rights to control the processing of their personal data and sets a new standard for protection of an individual's personal data. Among the EU regulations is the rule that all customer and employee data must not be accessible to anyone outside of their home legal jurisdiction, except when given explicit consent on a per-usage basis.

VMware Cloud on AWS has been independently verified by Schellman & Company, LLC, to comply with the GDPR. In the language of the GDPR, when providing services to its customers via the VMware Cloud on AWS service offering, VMware is acting as a "data processor." VMware's customers may perform customer-defined data processing activities in relation to their own data within the services and, in doing so, act as "data controllers." Data controllers may only appoint data processors who provide sufficient guarantees to implement appropriate technical and organizational measures to ensure processing meets GDPR's requirements. GDPR also requires resilient and recoverable architectures to prevent unavailability of data. To support this directive, key managers should implement HA services to ensure high availability.

Encryption and key management can help meet GDPR's privacy requirements, as well as citizens' right of erasure (right to be forgotten). While the EU does not mandate that all organizations encrypt sensitive data, there is an exclusion from subject data breach notification and financial penalties for those organizations that use encryption and other security methods to protect the data. Thanks to VMware's wide-ranging focus on security, implementing encryption and key management tools will help users meet requirements for GDPR.
VMWARE AND PCI DSS

With all of the security breaches in the news and the occurrence of these incidents becoming more widespread, how can you ensure that your customers' credit card information remains secure? This is the purpose of the Payment Card Industry Data Security Standard (PCI DSS), which impacts all merchants who accept credit cards. PCI DSS requires merchants to protect sensitive cardholder information from loss, and use good security practices to detect and protect against security breaches. The PCI DSS is applicable to all types

Even with this mandatory requirement, the vast majority of organizations still struggle to maintain PCI compliance, and the process is costing companies a great deal both to address the root cause of PCI audit failures and in, often severe, non-compliance fees. By proactively assessing their weaknesses around PCI compliance, and installing the cybersecurity solutions that can mitigate data breaches, companies will ensure their own data security and, therefore, compliance. For these reasons, VMware offers a wide range of cybersecurity services and documentation to support and

[Figure: PCI Prioritized Approach milestones and high-level goals; VMware Product Applicability Guide download]
VMware also provides customers with access to vRealize Air Compliance, which assesses VMware vSphere-based virtualized environments according to specific compliance standards and risk profiles. Some of the available standards and profiles include multiple versions of the VMware vSphere Hardening Guide, PCI DSS 3.2, and HIPAA technical safeguards. Users can continuously assess their vCenter Server instances, ESXi hosts, VMs, and distributed port groups to ensure that they comply with the technical controls defined in the industry standards.

From a high level, the VMware software-defined data center (SDDC) provides software-defined infrastructure, software-defined networking, and management and security technologies capable of supporting, adhering to, and/or addressing control objectives relevant to PCI DSS to enable platform support of cardholder data environments (CDE). VMware EUC provides secure delivery mechanisms for any application, to any device, anywhere. Further, VMware's vast network of partners provides added value with technologies capable of being inserted seamlessly and holistically to address additional requirements and enhance security.

VMWARE AND HIPAA

The Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH) outline data security regulations for the healthcare industry. While HIPAA/HITECH does not specifically require encryption of sensitive data, a backdoor "safe harbor" mandate states that if a healthcare organization or one of its Business Associates (BA) does experience a data breach, and Protected Health Information (PHI) is not obscured using encryption or some other method, then that organization will be heavily penalized.

This is especially important when the outcomes for noncompliance are extremely critical due to civil and criminal penalties imposed by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), and the U.S. Department of Justice (DOJ). What's more, there is a high probability of collateral impact due to failure to protect patient privacy, institutional trust, and economics. In extreme cases of breach or data loss, the fines and penalties are minor compared to the potential for litigation, recompense, and public relations improvements.

Compliance with the HIPAA Security Rules and HIPAA Privacy Rules for Electronic Protected Health Information (ePHI) requires the use of many security technologies and best practices to demonstrate strong efforts towards complying with this federal regulation. The ability to effectively secure ePHI and audit IT and security operations may involve both strong encryption and real-time and historical activity logs that relate to many systems.

VMware recognizes the following as critical areas that must be addressed by each covered entity and BA in the operation of healthcare information systems: security and compliance, the criticality
SECURITY BEYOND COMPLIANCE

Along with regulatory compliance, there are many other reasons to optimize data security in VMware — including intellectual property and reputation protection.

INTELLECTUAL PROPERTY PROTECTION (IP)

Knowledge assets are defined as confidential information critical to the development, performance, and marketing of a company's core business. IP protection covers a wide variety of corporate capital, including business plans, trade secrets, creative work products (design, development, and pricing), proprietary software or hardware, and competitively valuable or other important information of or about customers, including customer profiles and databases. Hackers, competitors, and nation states are all potential IP thieves. A study on cybersecurity risks to knowledge assets found that 82 percent of companies have failed to detect a breach involving their IP. The study also found dramatic increases in both threats and awareness of threats to these "crown jewels," as well as dramatic improvements in addressing the threats by the highest-performing organizations.

REPUTATION PROTECTION

A study sponsored by VMware and conducted by The Economist Intelligence Unit (EIU) found that reputational risk was C-suite executives' greatest cybersecurity concern. A company or organization's brand is its most valuable asset, because it touches all aspects of the enterprise, including growth and revenue. Further, the negative perception extends to a company's products and services. Cyber attacks are also damaging to a company's reputation, because the damage is not contained to the company itself — attacks also expose customers to the risk of identity theft or financial losses. Brand reputation is a fragile asset that, when compromised, is not easy to fix. It can take decades to build your reputation and consumer trust.

COMPONENTS OF A VMWARE ENCRYPTION STRATEGY

The most effective way to secure data and ensure a company's integrity is to deploy encryption. For any encryption deployment, there are two major components:
1. Encryption of the sensitive data, usually in a Windows or Linux VM
2. Protection of the encryption keys through robust key management solutions

An effective strategy in the VMware environment has to address both of these components. The following section overviews the components of a VMware encryption strategy.

vSphere VM encryption enables creation of encrypted VMs and encrypts existing VMs, along with virtual disks and host core dump files. Because all VM files that contain sensitive information are encrypted, the entire VM is protected. Only administrators with encryption privileges can perform encryption and decryption tasks. Some files associated with a VM are not encrypted or are partially encrypted, because they don't contain sensitive information, including log, configuration, and virtual disk descriptor files.

Three major components are used for encryption in a VMware environment: a Key Management Server, a VMware vCenter Server®, and ESXi Hosts.

KEY MANAGEMENT SERVER (KMS)

Encryption key management is the method used to protect and manage your encryption keys. The vCenter Server instance requests keys from an external KMS. The KMS generates and stores key encryption keys (KEKs) and passes them to the vCenter Server instance for distribution. As a Key Management Interoperability Protocol (KMIP) client, the vCenter Server system uses that protocol to facilitate use of the chosen KMS.

VCENTER SERVER

vCenter Server adds cryptography events to the list of events that can be viewed and exported from the vSphere Web Client event console. Each event includes the user, time, key ID, and cryptographic operation.

ESXI HOSTS

The ESXi host is responsible for several aspects of the encryption workflow:
• Performs the encryption of VM disks
• Ensures that guest data for encrypted VMs is not sent over the network without encryption

Encryption is performed by the industry-standard OpenSSL libraries and algorithms. VM encryption does not impose any new hardware requirements, but it uses the processor's AES-NI instruction set, where present, to accelerate encryption and decryption operations, thereby providing better performance.
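The KEK/DEK split described above (the KMS holds the key encryption keys, the host encrypts each disk under its own data key, and only the wrapped data key sits beside the ciphertext) can be traced end to end in this added Go example; it is not VMware's or Townsend Security's code, and `NewKEK`, `EncryptDisk`, `DecryptDisk` and `RewrapDisk` are names chosen here. The rewrap step goes a little beyond the text: it shows why changing the KMS-held KEK never requires touching the disk ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randBytes returns n bytes from the OS CSPRNG; a failure here is fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKEK models the KMS generating a 256-bit key encryption key. In the text's
// architecture the KEK lives in the external KMIP server and reaches the host
// through vCenter; it is never written next to the disk it protects.
func NewKEK() []byte { return randBytes(32) }

// EncryptedDisk is what lands on storage: data encrypted under a per-disk data
// encryption key (DEK), plus that DEK wrapped under the KEK. The plaintext DEK
// is never stored, so a copied image alone is useless.
type EncryptedDisk struct {
	KekID      string // which KMS key wraps the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, disk data)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or any tampering yields an error.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// EncryptDisk is the host side: generate a fresh DEK, encrypt the data under
// it, then wrap the DEK under the KEK received from the KMS.
func EncryptDisk(kekID string, kek, data []byte) (*EncryptedDisk, error) {
	dek := randBytes(32)
	ct, err := seal(dek, data)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return nil, err
	}
	return &EncryptedDisk{KekID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptDisk unwraps the DEK with the KEK, then opens the disk data with it.
func DecryptDisk(kek []byte, d *EncryptedDisk) ([]byte, error) {
	dek, err := open(kek, d.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, d.Ciphertext)
}

// RewrapDisk rotates the KEK: only the wrapped DEK is re-encrypted; the disk
// ciphertext is untouched, which is what keeps routine rotation cheap.
func RewrapDisk(d *EncryptedDisk, oldKek []byte, newKekID string, newKek []byte) error {
	dek, err := open(oldKek, d.WrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := seal(newKek, dek)
	if err != nil {
		return err
	}
	d.KekID, d.WrappedDEK = newKekID, wrapped
	return nil
}
```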
NIST STANDARD AES ENCRYPTION

When evaluating your VM solution alongside your encryption key management solution, it's important to look for certain certifications and validations. One of these is from the National Institute of Standards and Technology (NIST): NIST FIPS-197 validates AES encryption. VMware encrypts and decrypts according to NIST validation. It also manages encryption keys according to NIST guidelines.

ENCRYPTION KEY MANAGEMENT

As defined by NIST, key management is the method by which a user protects encryption keys, manages the entire key lifecycle, distributes encryption keys, and implements additional layers of security to protect keys and limit user access. In the NIST guidelines, enterprise encryption key management includes both technological and policy-based controls, integrated to provide the highest level of security around an organization's encryption keys. Certifications and validations from NIST include SP-800-57, SP-800-130, and FIPS 140-2. NIST SP-800-57 provides recommendations for key management. SP-800-130 provides a framework for designing cryptographic key management systems.

FIPS 140-2 certification ensures that the key management software has been tested by third parties to meet the highest standards in key management technology, so you can establish strong key management. The VMware OpenSSL FIPS Object Module meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-2, which details the U.S. and Canadian Government requirements for cryptographic modules. For VMware customers, FIPS 140-2 compliant encryption and key management are a key defense for data security.

CONTINUOUS MONITORING

Recognizing that each organization must take responsibility for its data no matter where it resides, the NIST standard calls for continuous monitoring of key management. This requires organizations to continuously monitor their environments to ensure their infrastructure, applications, and data remain in a secure state. VMware's security functionality supports continuous monitoring.

AUDITING

The NIST standard calls for auditing to bring transparency to security operations. Your key management solution needs to support active collection and monitoring of audit and OS logs. The logs should integrate with your log collection and SIEM active monitoring systems. Built-in logging allows administrators to track all key retrieval, key management, and system activity. In VMware, reports can be sent automatically to a central log management database or SIEM products for a timely and permanent record of activity. A KMS should audit all administrative and user functions, including both successful and failed operations, for security-relevant events. This includes detecting and recording the events, the date and time of the events, and the identity or role of the entity initiating the events.
ENCRYPTION KEY MANAGEMENT

Once data is encrypted, your private information depends on enterprise-level key management to keep that data safe. Without key management, encryption stands alone as only half of a solution. When you leave the keys to unlock your sensitive business and customer data exposed, then you expose your entire organization to the risk of data loss or theft. Encryption key management involves administering the full lifecycle of cryptographic keys and protecting them from loss or misuse. Protection of the encryption keys includes limiting access to the keys physically, logically, and through user/role access.

ENCRYPTION KEY LIFECYCLE

A critical administrative component of encryption key management is the ability to manage the complete encryption key lifecycle. NIST defines all stages of a key's lifecycle, including key generation, pre-activation, activation, distribution, revocation, post-

[Figure: encryption key lifecycle stages, including Activation, Post-Activation, and Expiration]

keys by designating key users or user groups. They should also be able to set automatic key rotation policies, so that keys are retired and rolled over after any period of time. These controls help organizations meet data security requirements for some regulated industries. For example, the PCI DSS outlines key management requirements for cardholders or processors that can typically only be met using an enterprise-level encryption key management solution.

POLICY-BASED CONTROLS

Beyond managing the key lifecycle, a key manager should actively audit and log all activity and functions performed on the server, and record these logs to an external event monitoring or logging server so that malicious activity can be detected in real time. Your key management solution should be compatible with common event-monitoring solutions and export logs in standardized formats in real time. Also, your key management solution should inherently enforce policy-based security functions that meet key management best practices such as separation of duties and dual control.
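The lifecycle, rotation-policy and dual-control points of this section, as an added Go example that is not the eBook's or any vendor's code: the state names follow NIST SP 800-57 as the text cites it, while `KeyRing`, `MaxAge` and the requester-plus-approver form of dual control are assumptions made here. Every transition, allowed or refused, leaves an audit record, which is the policy-based control the section asks for.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// State is a key lifecycle stage; the vocabulary follows NIST SP 800-57.
type State string

const (
	PreActivation State = "PreActivation" // generated, not yet usable
	Active        State = "Active"        // may protect new data and decrypt old
	Deactivated   State = "Deactivated"   // post-activation: decrypt existing data only
	Compromised   State = "Compromised"   // revoked; must not protect new data
	Destroyed     State = "Destroyed"     // key material erased
)

// allowed lists the legal transitions; anything else is refused and logged.
var allowed = map[State]map[State]bool{
	PreActivation: {Active: true},
	Active:        {Deactivated: true, Compromised: true},
	Deactivated:   {Compromised: true, Destroyed: true},
	Compromised:   {Destroyed: true},
}

// Key is lifecycle metadata only; the key material stays in the key server.
type Key struct {
	ID        string
	State     State
	Activated time.Time
}

// KeyRing manages one logical key across rotations and audits every attempt.
type KeyRing struct {
	Keys   []*Key
	Cur    *Key          // the single Active key, nil before the first rotation
	MaxAge time.Duration // rotation policy: retire Active keys older than this
	Audit  []string
}

func (r *KeyRing) log(who, op, id string, err error) {
	result := "success"
	if err != nil {
		result = "failure: " + err.Error()
	}
	r.Audit = append(r.Audit, fmt.Sprintf("user=%s op=%s key=%s result=%s", who, op, id, result))
}

// transition applies a state change only if the table allows it, and
// writes an audit record either way.
func (r *KeyRing) transition(who string, k *Key, to State) error {
	var err error
	if allowed[k.State][to] {
		k.State = to
	} else {
		err = fmt.Errorf("illegal transition %s -> %s", k.State, to)
	}
	r.log(who, "Set"+string(to), k.ID, err)
	return err
}

// Generate creates a key in PreActivation and records who asked for it.
func (r *KeyRing) Generate(who string) *Key {
	k := &Key{ID: fmt.Sprintf("key-%04d", len(r.Keys)+1), State: PreActivation}
	r.Keys = append(r.Keys, k)
	r.log(who, "CreateKey", k.ID, nil)
	return k
}

// Rotate enforces the rotation policy: with no Active key, or one older than
// MaxAge, it activates a fresh successor and deactivates the old key so that
// existing ciphertext stays readable. It reports whether it rotated.
func (r *KeyRing) Rotate(who string, now time.Time) (bool, error) {
	if r.Cur != nil && now.Sub(r.Cur.Activated) < r.MaxAge {
		return false, nil
	}
	if r.Cur != nil {
		if err := r.transition(who, r.Cur, Deactivated); err != nil {
			return false, err
		}
	}
	k := r.Generate(who)
	if err := r.transition(who, k, Active); err != nil {
		return false, err
	}
	k.Activated = now
	r.Cur = k
	return true, nil
}

// Destroy requires dual control: a requester and a distinct approver.
func (r *KeyRing) Destroy(requester, approver string, k *Key) error {
	if requester == approver {
		err := errors.New("dual control: approver must differ from requester")
		r.log(requester, "Destroy", k.ID, err)
		return err
	}
	return r.transition(requester+"+"+approver, k, Destroyed)
}
```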
ADDITIONAL KEY MANAGEMENT STANDARDS AND VALIDATIONS

KEY MANAGEMENT INTEROPERABILITY PROTOCOL (KMIP)

VMware allows users to manage encryption keys using a third-party key management vendor through a standard key management protocol called KMIP. All of VMware's KMS Certification tests contained in KMS plug-ins verify that the vendor's KMIP KMS works with the vSphere storage encryption feature and vSAN virtual disks. Testing consists of verifying correct behavior of a KMS, ensuring that it does not introduce undesirable impacts on the operation of the system. VMware supports two types of KMIP:
• Switch-Based Encryption — With this method, the data leaves the host and travels in the clear until it reaches a switch, which then performs the encryption before sending the data on to the storage array. The switch might be a Fibre Channel switch or, in the case of NFS, a network switch. The switch typically also integrates with an external, KMIP-compliant key manager.
• Array-Based Encryption — With array-based encryption, the controller in a storage array encrypts the data as it is written to the disks. Encryption can be performed via custom application-specific integrated circuits (ASICs) in hardware or in software. In both cases, key management can be achieved via an onboard key manager or through the use of an external KMIP-compliant key manager.

PCI DATA SECURITY STANDARD (PCI DSS)

As mentioned earlier, VMware meets the standards of the PCI DSS, which was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. For VMware users who need to meet compliance, Alliance Key Manager has been validated for PCI DSS in VMware by Coalfire, a PCI-qualified QSA assessor and independent IT and audit firm. Additionally, Alliance Key Manager for VMware can also help businesses meet other compliance regulations such as HIPAA, GLBA/FFIEC, FISMA, etc.
CRITICAL INFRASTRUCTURE

With Alliance Key Manager, we have done a lot to help companies deal with the concern about resilience of a key manager, because it is critical infrastructure, including the following:

HARDWARE AND SOFTWARE RESILIENCE

If you are properly protecting keys, an encryption key management solution becomes a part of your critical infrastructure. But if your key manager goes down, your applications stop functioning until you have key management back up. Alliance Key Manager addresses those concerns in a number of ways. One way is that the key manager is built for redundancy. We know that hardware can fail, so we implement a hardware platform that is resilient and has a lot of redundancy built in. As such, the first layer of keeping an encryption key manager up and running consistently is to have a good hardware platform or run in the cloud.

BACKUP/RECOVERY, HIGH AVAILABILITY, AND MIRRORING

Real-time mirroring of keys and of the policy around keys is critical for high availability and recovery. It is important for key management servers to mirror keys between multiple key managers over a secure and mutually authenticated TLS connection for hot backup and disaster recovery support. Organizations can choose to mirror key managers on-premises, in the cloud, or a hybrid of the two. If you have a failed server, a hardware problem, or a network outage, you should be able to define fail-over servers, and that fail-over will take place in real time.

Alliance Key Manager fully supports resilience through real-time mirroring. It is not an operating system feature; the key server itself has implemented this mirroring capability. It is itself self-healing. So if two key servers are mirroring to each other and the network goes down, they will queue up those mirroring transactions, and when the network comes back, they will re-commit those changes. Alliance Key Manager is a robust facility for making sure you have good backups of your encryption keys.

ACTIVE MONITORING

Active monitoring is one of the core security recommendations to help prevent unauthorized access to sensitive systems and information. It is a requirement of a wide variety of compliance regulations such as PCI-DSS, the HIPAA/HITECH Act, and many others. From a security perspective, active monitoring makes it into the SANS Top 20 list of things you should do, and is a key recommendation from the US Cyber Security teams.
KEY MANAGER PLATFORMS (HSMS)

Since VMware vSphere encryption is Key Management Interoperability Protocol (KMIP) compliant, any HSM that conforms to KMIP should be able to effectively manage the keys. Any HSM that you consider should be FIPS 140-2 compliant. Additionally, you should understand your current level of risk

Townsend Security • 724 Columbia Street NW, Suite 400 • Olympia, WA 98501 • 360.359.4400 • 800.357.1019 • fax 360.357.9047 • www.townsendsecurity.com
DEPLOYING KEY MANAGEMENT

1. IDENTIFY AND DOCUMENT TRUSTED AND UN-TRUSTED APPLICATIONS

Properly identifying application groups based on the level of trust is critical for a secure implementation of virtualized applications and encryption key management services.

SECURING A KEY MANAGEMENT VM
ENCRYPTION KEYS FOR APPLICATIONS

THE IDEAL KEY MANAGEMENT SOLUTION provides high availability, standards-based enterprise encryption key management to a wide range of applications and databases.

MICROSOFT SQL SERVER

Data can be encrypted in a SQL Server database. In Standard edition, you'll need to encrypt at the application level. In Enterprise edition, SQL Server has Transparent Data Encryption (TDE), Extensible Key Manager (EKM), and Cell Level Encryption (CLE). Townsend Security has an EKM provider. You need two things: a key management solution to protect the critical encryption keys, and an encryption solution for the SQL Server database. And they have to talk to each other. For the first part, the Alliance Key Manager for VMware solution provides a fully functional, enterprise key management solution that protects SQL Server databases as well as other databases and other OSs. For encrypting SQL Server, the Alliance Key Manager solution comes with a full Microsoft SQL Server Extensible Key Management Provider, called the Key Connection for SQL Server. It's a module that our key management customers receive without paying additional license fees. Key Connection for SQL Server provides the encryption and integration with the key server to provide a complete end-to-end solution for encrypting data in the SQL Server database.

MONGODB

MongoDB offers AES encryption as part of the WiredTiger Storage Engine in the Enterprise edition of their offering. There are two options for storing encryption keys: in the database, in the clear; or by using KMIP and a key manager. Alliance Key Manager is certified by MongoDB for use with the MongoDB Enterprise database.

DRUPAL

There is no native encryption in Drupal. Users need to install modules, such as Key, Encrypt, and Townsend Security's Key Connection For Drupal, to encrypt private data in Drupal.

WINDOWS IIS

Encryption needs to be done at the application level. This can be facilitated through the use of the Alliance Key Management Windows .NET SDK.

SOFTWARE DEVELOPER KITS (SDKS)

JAVA, .NET, PHP, PYTHON, PERL, ETC.

VMware offers release notes, developer guides, API references, and other documentation for current and past versions of API and SDK sets. Businesses who
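To make the MongoDB choice between a local key and a KMIP-managed key concrete, here is an added example (not from this eBook, from MongoDB or from Townsend Security) that audits a mongod configuration, represented as the dict PyYAML would load from mongod.conf, and shows the weak setting beside the corrected one. It uses MongoDB Enterprise's documented security.enableEncryption, security.encryptionKeyFile and security.kmip.* options; the host name and file paths are constructed placeholders.

```python
"""Audit a mongod encryption-at-rest configuration for weak key storage.
Added example, not from the eBook or from MongoDB; uses MongoDB Enterprise's
documented security.enableEncryption, security.encryptionKeyFile and
security.kmip.* options. Host names and paths are constructed placeholders."""
from typing import Any, Dict, List


def _get(cfg: Dict[str, Any], dotted: str, default: Any = None) -> Any:
    """Look up a dotted path such as 'security.kmip.serverName' in a parsed config."""
    node: Any = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_encryption_at_rest(cfg: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means the master key never rests beside the data."""
    findings: List[str] = []
    if _get(cfg, "security.enableEncryption") is not True:
        findings.append("security.enableEncryption is not true: data files are written in the clear")
        return findings
    local_key = _get(cfg, "security.encryptionKeyFile")
    kmip = _get(cfg, "security.kmip") or {}
    if local_key:
        findings.append(f"encryptionKeyFile {local_key}: the master key sits on the same VM as the data it protects")
    if not kmip:
        if not local_key:
            findings.append("no key source: neither encryptionKeyFile nor security.kmip is configured")
        return findings
    if local_key:
        findings.append("encryptionKeyFile and security.kmip are both set; they are mutually exclusive key sources")
    if not kmip.get("serverName"):
        findings.append("security.kmip.serverName is missing")
    if not kmip.get("serverCAFile"):
        findings.append("security.kmip.serverCAFile is missing: pin the key manager's CA so only it can answer")
    if not kmip.get("clientCertificateFile"):
        findings.append("security.kmip.clientCertificateFile is missing: mongod cannot authenticate to the key manager")
    return findings


# Constructed configurations, in the shape yaml.safe_load returns for mongod.conf.
WEAK_CONFIG = {  # the weak setting: the master key is a file on the database VM
    "storage": {"dbPath": "/var/lib/mongo"},
    "security": {"enableEncryption": True, "encryptionKeyFile": "/etc/mongodb-keyfile"},
}
HARDENED_CONFIG = {  # the corrected setting: the master key is fetched from a KMIP key manager
    "storage": {"dbPath": "/var/lib/mongo"},
    "security": {
        "enableEncryption": True,
        "kmip": {
            "serverName": "kms.example.internal",                        # placeholder host
            "port": 5696,
            "clientCertificateFile": "/etc/ssl/mongod-kmip-client.pem",  # placeholder path
            "serverCAFile": "/etc/ssl/kms-ca.pem",                       # placeholder path
        },
    },
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_encryption_at_rest(cfg) or ["ok"])
```

Load the real file with yaml.safe_load and pass the result to audit_encryption_at_rest; the hardened dict is the shape to aim for, with the key manager address and certificate paths replaced by your own.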
HYBRID DEPLOYMENTS

GOOD KEY MANAGEMENT SOLUTIONS SHOULD be able to mirror in hybrid environments, such as VMware to cloud.

CLOUD

As enterprises adopt Public and Private clouds, they bring their sensitive data with them – customer names, email addresses, and other PII. While compliance regulations require protecting this information, encrypting this data has been a challenge for organizations that want the flexibility and security of a native VMware solution. By deploying Alliance Key Manager for VMware as a vCloud instance, customers can achieve their security and efficiency goals in a cloud environment. Alliance Key Manager for VMware will make the migration easy. Alliance Key Manager for AWS secures private information in databases and applications, including MS SQL Server, Oracle databases, and Drupal. It protects data in Amazon RDS, Amazon S3, Amazon EBS, and Amazon DynamoDB. VMware has established partnerships with AWS and vCloud. Further, Alliance Key Manager for VMware can provide key management for applications and also for vSphere and vSAN in the AWS platform.

WEB APPLICATIONS

VMware delivers intrinsic security by architecting security directly into the networks and public and private cloud workloads on which applications and data live, thereby shrinking the attack surface for your digital enterprise. To address these problems, organizations need to fundamentally transform the way they secure the application infrastructure. VMware uses a complete portfolio of solutions that enable IT to deploy a virtualized platform, which abstracts their infrastructure from the applications running on top of it — whether that infrastructure is on-premises or in the public cloud. With VMware vSphere and VMware NSX, organizations can take advantage of flexible, robust virtualization platforms to support their new and existing apps — without compromising security and compliance. VMware vRealize Network Insight enhances their capabilities through enterprise-ready cloud management for additional visibility and protection.
BUSINESS BENEFITS

ORGANIZATIONS GAIN SIGNIFICANT BENEFITS from keeping their encryption keys protected, including, but not limited to, the following:

REDUCED ADMINISTRATION OF CRITICAL SECRETS

Controlling everything from one place is the simplest and most efficient way to manage encryption. A centralized and granular key management policy can enable seamless updates for all necessary cryptographic functions without any changes in the application code. Implementing centralized policy enforcement, where the system collects all relevant information in a single place, in human-readable form, for easy audit, makes demonstration of compliance with internal and external policies a straightforward task. Among other benefits is reduced administration of enterprise IP.

IMPROVED SECURITY

Robust key management with centralized controls lowers an organization's overall security risks by, for example, reducing the risk of human error and better controlling administrators' access permissions.

mode of operation, and more. This helps meet regulations and industry guidelines, measures, and controls.

MORE INFORMATION

WEBINAR: SECURING DATA IN VMWARE WITH ENCRYPTION & KEY MANAGEMENT
CHALLENGES IN VMWARE

VM ENCRYPTION OFFERS SEVERAL ADVANTAGES compared to other encryption methods, but it might not be a great fit for every workload. When weighing whether to encrypt or not, you'll want to consider a few limitations, caveats, and performance issues first.

CROSS-PLATFORM COMPATIBILITY

vSphere Virtual Machine Encryption has some limitations regarding devices and features that it can interoperate with in vSphere 6.5 and later releases. Also, you cannot perform certain tasks on an encrypted VM. Further, VMware tools address only VMware issues.

COMPLEXITY

VMware is complex and requires either experienced internal employees or potentially expensive outsourced services to manage and operate.

APPLICATIONS

There is some application incompatibility that needs to be acknowledged by each organization.

SDKS

VMware's SDKs may not cover every need of every enterprise.
VENDOR CONSIDERATIONS

GENERALLY, THE CONSIDERATIONS FOR sourcing encryption key management solutions for VMware will be similar to any relationship you develop with a vendor.

LICENSING

Vendors take a variety of approaches to licensing their key management solution. The main difference is in licensing constraints on the VMware side. You may start your first VMware encryption project with a rather limited scope. But as you continue to encrypt more sensitive data you may need to scale. Some encryption key management vendors license software based on the number of VMware instances that you place under protection. Others provide unlimited numbers of client-side licenses after you acquire the key manager. Be sure you understand the licensing terms of each solution you evaluate, and be sure to understand your long-term needs.

DOCUMENTATION

Documentation on your VMware implementation will be crucial for long-term success. In addition to documentation on the installation and configuration, be sure your vendor provides documentation on key rotation, applying patches to the key manager, upgrading the key manager to new versions, and problem determination. All of these aspects should be covered in vendor documentation.

TRAINING

While key management solutions have become much simpler over time, you should still expect to receive some operational and technical training from your encryption and key management vendor. Gone are the days when this meant a lot of on-site educational expense. Modern encryption and key management solutions may require only a few hours of coaching and training to deploy and maintain. Be sure your encryption and key management vendor has a program to deliver training in a timely fashion.

CUSTOMER SUPPORT

Many businesses have devalued their customer support experience, which can be a problem for all key manager users. When you have a problem with encryption or key management, it's likely to affect your application service levels. Before acquiring your key management solution be sure to schedule time with the customer support group. Do they have a formal problem tracking system? Do you have access to all problem tickets you raise? Does the customer support group respond in a timely fashion? Is there a 24/7 response number? All of the normal customer support questions you might ask are relevant to a VMware key management solution. We all know what really bad customer support looks like, so be sure there is a good team standing behind the solution you deploy.

SERVICES

The modern enterprise is often geographically distributed, which can make deployment and training difficult. While VMware encryption key management solutions can be simple to deploy and configure, you may want to be sure your vendor can send staff on-site for support.
SUMMARY

VMWARE VIRTUALIZATION HAS BEEN A GAME-changing technology for IT, providing efficiencies and capabilities that have previously been impossible for organizations constrained within traditional IT data center worlds. With VMware, organizations are able to reduce hardware costs, lower operational cost, and gain a clear path to move to the cloud. With the addition of encryption, you can deploy secure environments where there is less risk of data loss in the event of a breach.

The Alliance Key Manager client-side applications, software libraries, and SDKs fully integrate with Alliance Key Manager for key protection, and work naturally with your SQL Server, MongoDB, Windows, and Linux VMware VMs. The solution offers unparalleled security, flexibility, and affordability for all users of VMware Enterprise database. With no client-side software to install, customers can deploy Alliance Key Manager and install the PKI certificates on the database server to easily begin retrieving encryption

The solution is available as an HSM, VMware instance, and in the cloud (Amazon Web Services, Microsoft Azure, and VMware vCloud), allowing organizations to meet compliance requirements (PCI DSS, HIPAA, GDPR, etc.) and security best practices. Townsend Security offers a 30-day, fully-functional evaluation of Alliance Key Manager.

SUPPORTED VERSIONS OF VMWARE

Alliance Key Manager for VMware supports VMware ESX, VMware vSphere (ESXi), vSAN, and vCloud.

VMWARE TECHNOLOGY ALLIANCE PARTNER

Townsend Security is an Advanced tier VMware Technology Alliance Partner (TAP) and Alliance Key Manager for VMware has achieved VMware Ready status, and vSphere

ALLIANCE KEY MANAGER

ABOUT TOWNSEND SECURITY

360.359.4400