
VMWARE ENCRYPTION & KEY MANAGEMENT
THE DEFINITIVE GUIDE

VMware virtualization has been a game-changing advancement for the IT industry. It has delivered efficiencies and capabilities that had previously been impossible for organizations struggling with constraints in the traditional IT data center world. When it comes to security, VMware is front and center in helping organizations secure their data from threats through encryption. One solution adds an important layer to VMware’s data security solution by giving enterprise organizations the ability to achieve the second critical function — managing their encryption keys. Use this guide to explore the key concepts of encrypting data in VMware and protecting encryption keys using a third-party enterprise encryption key management solution.

Page 2
CONTENTS
Introduction 4

Why Encrypt in VMware 5

Compliance and VMware 7

Security Beyond Compliance 12

NIST Standard AES Encryption 14

Encryption Key Management 15

Additional Key Management Standards & Validations 17

Critical Infrastructure 18

Key Manager Platforms 19

Deploying Key Management 20

Securing a Key Management VM 21

Encryption Keys for Applications 22

Hybrid Deployments 24

Business Benefits 25

Challenges in VMware 26

Vendor Considerations 27

Page 3
INTRODUCTION
THE VMWARE STORY BEGAN IN 1998 WHEN FIVE forward-thinking technologists launched an innovative virtualized computing solution. Shortly thereafter, it was the first commercially successful company to virtualize the x86 architecture. Today VMware is a top-tier cloud computing and virtualization provider, and a popular solution for organizations moving to the cloud. VMware’s desktop software runs on Microsoft Windows, Linux, and MacOS, while its enterprise software hypervisor for servers, VMware ESXi, is a bare-metal hypervisor that runs directly on server hardware without needing an additional underlying OS.

In our increasingly insecure cyber world, VMware understands the critical nature of robust security solutions, including encryption capabilities. However, applying security in a VMware environment introduces unique challenges. Principally, in these environments, systems are no longer dedicated but share a common physical architecture. They also face unique security challenges related to running data processing and storage in the cloud. Questions around deployment and how to get the most out of native encryption tools are often barriers to implementation. These issues not only present new risks for data breaches, but also expose organizations to a higher risk of non-compliance with an expanding body of regulatory directives.

Due to these issues and others, security of sensitive data stored and processed on VMware virtual machines (VMs) and in the cloud is a critical concern for many customers. VMware customers need strong encryption and key management solutions that run natively in their virtual environments and provably meet compliance regulations. To provide insight on how to best deploy encryption and encryption key management in VMware, this comprehensive guide overviews the landscape for securing data in a virtual world. If you’d like to first learn the fundamentals of encryption and key management before diving in, view the eBook The Definitive Guide to Encryption Key Management Fundamentals.
Page 4
WHY ENCRYPT IN VMWARE
ENCRYPTING VIRTUAL MACHINES (VMS) IS AN important step organizations take to protect their confidential applications and data. Encryption is a mechanism used to protect data by transforming it into an unreadable format, so that it is completely private from anyone not explicitly approved to read it through decryption. Gaining access to encrypted information requires a person or application to possess the “key” to open the encryption formula and convert the data back to its original readable format. In this way, encryption provides a fail-safe mechanism, whereby, if all other cybersecurity measures fail and data is stolen, the information is still protected because it is unreadable and, therefore, useless to the person or machine trying to access it. The data remains secure and compliant. VMware provides several options for deploying encryption functionality.

Townsend Security’s Alliance Key Manager is a FIPS 140-2 compliant enterprise key manager that helps organizations meet compliance requirements and protect private information. The symmetric encryption key management solution creates, manages, and distributes 128-bit, 192-bit, and 256-bit AES keys for any application or database running on any enterprise operating system. Townsend Security deploys ready-to-use security applications for vSphere, MongoDB, Microsoft SQL Server Transparent Data Encryption (TDE) and Cell Level Encryption (CLE), Microsoft SharePoint encryption, and other applications. We also provide client-side applications, SDKs, and sample code free of charge. The solution can be deployed in VMware, the cloud (AWS or Microsoft Azure), or as a hardware security module (HSM).

PROTECTING VMS AT REST AND IN TRANSIT
One of the advantages of VMs is that they are portable. Pick up a VM image and you can run it on any physical server. However, this also means anyone who has access to the image also has access to its files and data. VMs are also vulnerable when a running machine is transferred to another server. Anyone who has access to the network will also have access to the VM and its data. When using VMware, you can use encryption to protect your VMs both at rest and in transit, just like any other data you store and transmit.

ENCRYPTION IN VMWARE
VMware includes encryption in vSphere 6.5, making it easy to encrypt without using third-party hardware or software. The encryption features protect both VMDK images and vMotion transfers of VMs. Encryption is fully managed by the hypervisor, so keys are not known to the VM and there’s no potential exploit in the guest OS. With Alliance Key Manager, you can implement vSphere encryption to protect the VMs at rest, and also implement database encryption to protect the database. In some cases, this will mean multiple layers of encryption, but this provides additional layers of security.

Page 5
WHY ENCRYPT IN VMWARE (CONT)

ENCRYPTION KEYS
Encrypting VMs relies on keys, so you need to have an encryption key manager (software or hardware) when using VM encryption. Without keys, encrypted VM files cannot be read or executed. When encrypting a VM, the disk files, snapshots, swap files, and dumps are all protected. A few remaining configuration and log files are not encrypted, because they aren’t sensitive or because they support operations that have to execute regardless of the encryption status of the disks. VMware does report some minimal overhead from deploying decryption operations. However, if performance remains a concern, running it on servers that support AES-NI instructions speeds up the encryption process.

When encrypting VMs on vMotion, a random one-time key is generated and sent to the hosts involved in the vMotion process. In this case, it’s not the network that’s protected, but the VM itself. As a result, snooping is not possible. Further, certificates are not required, and users don’t need to worry about network settings. Encrypted VMs require encrypted vMotion, but you can use encrypted vMotion even on unencrypted VMs. To ensure high availability, VMware uses automatic failover for key management through the definition of vSphere KMS Clusters.

vSphere allows users to control whether encryption is applied to a VM’s virtual disks or configuration files through storage policies. You also have control over who can manage the encryption in VMware. It isn’t necessary, or even advisable, to grant encryption privileges to every VM administrator. Restricting this critical function enhances your security posture.
Page 6
COMPLIANCE & VMWARE
FOR MANY BUSINESSES, MOVING TO THE CLOUD means storing or processing credit card numbers, financial information, healthcare data, and other personally identifiable information (PII) in a virtual, shared environment. The challenge is meeting data security requirements and preventing unwanted access to sensitive data in an environment that is inherently less secure. The lack of compliance and failure to implement and execute a well-planned security strategy may lead to a breach in security resulting in data spillage, data compromise, loss of data integrity, loss of customer trust, legal actions, revenue loss, and even loss of business. Industry and regulatory compliance standards help protect computing assets from multiple security vulnerabilities and misconfigurations, and minimize the risk in execution environments, such as development, test, and production.

With VMware, businesses that want to protect sensitive data can use encryption and key management to secure data, comply with industry security standards, protect against data loss, and help prevent data breaches. When considering encryption options, organizations must consider both governmental and private compliance regulations that require them to protect sensitive information. Most regulations require proper protection of PII. For example, the new European Union General Data Protection Regulation (GDPR) imposes multiple demands upon global companies to protect the personal data of all European Union (EU) residents. The Payment Card Industry Data Security Standard (PCI DSS) requires that credit card numbers be encrypted in storage. The Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Acts (HIPAA/HITECH) require protection of Electronic Protected Health Information (ePHI).

These are just three of the many compliance regulations that today’s organizations must consider in their cybersecurity programs to ensure that they are in continual compliance with all of the relevant regulations as they change and expand.

VMWARE AND GDPR
In response to escalating external and internal threats and uncertainty, lawmakers and regulators around the world have been strengthening their data security compliance requirements, implementing new legal frameworks and levying higher noncompliance penalties. This places organizations at tremendous risk for compliance violations, along with the resulting fines and remediation costs. On May 25th, 2018, the European Union made securing citizens’ data an even bigger challenge for companies doing business that involves handling their citizens’ data. That was launch day for the new European Union General Data Protection Regulation (GDPR).

GDPR has sharper teeth than any other compliance regulation to date. With tighter controls and higher penalties, the new law is poised to enforce data protection beyond the limits of any other compliance regulation.

Page 7
COMPLIANCE & VMWARE (CONT)

This will permanently impact the way organizations handle consumer data. While other regulations, like PCI DSS and HIPAA, have expanded their rules and enforcement in recent years, it’s likely that GDPR will set a new standard — one that other regulatory bodies will be inspired or compelled to follow. As such, meeting privacy and data residency requirements can become an enormous burden for global enterprises working in EU countries.

The GDPR attempts to unify data protection laws in Europe and ensure that citizens’ rights and protections have a global impact. One area of concern for EU countries, among many, is the fact that U.S.-based cloud vendors can be subpoenaed by U.S. governments to provide access to specific information, even if it resides outside of the U.S. With this regulation, every organization will be forced to comply or face penalties, including damaging fines and even losing the opportunity to work within the EU. Specifically, the GDPR’s “right to be forgotten” rule provides individuals with specific rights to control the processing of their personal data and sets a new standard for protection of an individual’s personal data. Among the EU regulations is the rule that all customer and employee data must not be accessible to anyone outside of their home legal jurisdiction, except when given explicit consent on a per-usage basis.

VMware Cloud on AWS has been independently verified by Schellman & Company, LLC, to comply with the GDPR. In the language of the GDPR, when providing services to its customers via the VMware Cloud on AWS service offering, VMware is acting as a “data processor.” VMware’s customers may perform customer-defined data processing activities in relation to their own data within the services and, in doing so, act as “data controllers.” Data controllers may only appoint data processors who provide sufficient guarantees to implement appropriate technical and organizational measures to ensure processing meets GDPR’s requirements. GDPR also requires resilient and recoverable architectures to prevent unavailability of data. To support this directive, key managers should implement HA services to ensure high availability.

Encryption and key management can help meet GDPR’s privacy requirements, as well as citizens’ right of erasure (right to be forgotten). While the EU does not mandate that all organizations encrypt sensitive data, there is an exemption from data subject breach notification and financial penalties for those organizations that use encryption and other security methods to protect the data. Thanks to VMware’s wide-ranging focus on security, implementing encryption and key management tools will help users meet requirements for GDPR.

Page 8
COMPLIANCE & VMWARE (CONT)

VMWARE AND PCI DSS
With all of the security breaches in the news and the occurrence of these incidents becoming more widespread, how can you ensure that your customers’ credit card information remains secure? This is the purpose of the Payment Card Industry Data Security Standard (PCI DSS), which impacts all merchants who accept credit cards. PCI DSS requires merchants to protect sensitive cardholder information from loss, and use good security practices to detect and protect against security breaches. The PCI DSS is applicable to all types of environments that store, process, or transmit cardholder data. This includes information such as Primary Account Numbers (PAN), as well as any other information that has been defined as cardholder data by the PCI DSS v3.2. PCI DSS Section 3 outlines requirements for encryption and encryption key management protocols.

Working with Coalfire, a PCI-qualified QSA assessor and independent IT audit firm, we have released our PCI DSS Product Applicability Guide.

[Referenced document: Townsend Security Addendum to VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.0, April 2015, v1.0]

Even with this mandatory requirement, a vast majority of organizations still struggle to maintain PCI compliance, and the process is costing companies a great deal both to address the root cause of PCI audit failures and in often severe non-compliance fees. By proactively assessing their weaknesses around PCI compliance, and installing the cybersecurity solutions that can mitigate data breaches, companies will ensure their own data security and, therefore, compliance. For these reasons, VMware offers a wide range of cybersecurity services and documentation to support and help organizations secure their data. For example, VMware has enlisted its Audit Partners, such as Coalfire, a PCI DSS-approved Qualified Security Assessor, to engage in a programmatic approach to evaluate VMware products and solutions for PCI DSS control capabilities, and then to document these capabilities in a set of reference architecture documents.

Page 9
COMPLIANCE & VMWARE (CONT)

VMware also provides customers with access to vRealize Air Compliance, which assesses VMware vSphere-based virtualized environments according to specific compliance standards and risk profiles. Some of the available standards and profiles include multiple versions of the VMware vSphere Hardening Guide, PCI DSS 3.2, and HIPAA technical safeguards. Users can continuously assess their vCenter Server instances, ESXi hosts, VMs, and distributed port groups to ensure that they comply with the technical controls defined in the industry standards.

From a high level, the VMware software-defined data center (SDDC) provides software-defined infrastructures, software-defined networking, and management and security technologies capable of supporting, adhering to, and/or addressing control objectives relevant to PCI DSS to enable platform support of cardholder data environments (CDE). VMware EUC provides secure delivery mechanisms for any application, to any device, anywhere. Further, VMware’s vast network of partners provides added value with technologies capable of being inserted seamlessly and holistically to address additional requirements and enhance security.

VMWARE AND HIPAA
The Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH) outlines data security regulations for the healthcare industry. While HIPAA/HITECH does not specifically require encryption of sensitive data, a backdoor “safe harbor” mandate states that if a healthcare organization or one of its Business Associates (BA) does experience a data breach, and Protected Health Information (PHI) is not obscured using encryption or some other method, then that organization will be heavily penalized.

This is especially important when the outcomes for noncompliance are extremely critical due to civil and criminal penalties imposed by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), and the U.S. Department of Justice (DOJ). What’s more, there is a high probability for collateral impact due to failure to protect patient privacy, institutional trust, and economics. In extreme cases of breach or data loss, the fines and penalties are minor compared to the potential for litigation, recompense, and public relations improvements. Compliance with the HIPAA Security Rules and HIPAA Privacy Rules for Electronic Protected Health Information (ePHI) requires the use of many security technologies and best practices to demonstrate strong efforts towards complying with this federal regulation. The ability to effectively secure ePHI and audit IT and security operations may involve both strong encryption and real-time and historical activity logs that relate to many systems.

VMware recognizes the following as critical areas that must be addressed by each covered entity and BA in the operation of healthcare information systems: security and compliance, the criticality and vulnerability of the assets needed to manage ePHI infrastructures, and the risks to which they are exposed.

Page 10
COMPLIANCE & VMWARE (CONT)

This approach provides management, IT architects, administrators, and auditors with high degrees of transparency into risks, solutions, and mitigation strategies for moving critical applications to the cloud in secure and compliant ways. By standardizing an approach to compliance and expanding the approach to include partners, VMware provides its customers a proven solution that more fully addresses their compliance needs.

Organizations can reduce the complexity and cost of HIPAA Security Rule compliance by replacing traditional non-integrated products with integrated solutions. To further address this gap, VMware, together with the VMware partner ecosystem, delivers compliance-oriented integrated solutions, enabling compliance by automating the deployment, provisioning, and operation of regulated environments. In this way, VMware provides the solution reference architecture, HIPAA Security Rule specific guidance, and software solutions that businesses require to achieve continuous compliance, along with speed, efficiency, and agility for their applications.

Page 11
SECURITY BEYOND COMPLIANCE
ALONG WITH REGULATORY COMPLIANCE, THERE are many other reasons to optimize data security in VMware — including intellectual property and reputation protection.

INTELLECTUAL PROPERTY PROTECTION (IP)
Knowledge assets are defined as confidential information critical to the development, performance, and marketing of a company’s core business. IP protection covers a wide variety of corporate capital, including business plans, trade secrets, creative work products (design, development, and pricing), proprietary software or hardware, and competitively valuable or other important information of or about customers, including customer profiles and databases. Hackers, competitors, and nation states are all potential IP thieves. A study on cybersecurity risks to knowledge assets found that 82 percent of companies have failed to detect a breach involving their IP. The study also found dramatic increases in both threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing the threats by the highest-performing organizations.

REPUTATION PROTECTION
A study sponsored by VMware and conducted by The Economist Intelligence Unit (EIU) found that reputational risk was C-suite executives’ greatest cybersecurity concern. A company or organization’s brand is the most valuable asset, because it touches all aspects of the enterprise, including growth and revenue. Further, the negative perception extends to a company’s products and services. Cyber attacks are also damaging to a company’s reputation, because the damage is not contained to the company itself — attacks also expose customers to the risk of identity theft or financial losses. Brand reputation is a fragile asset that, when compromised, is not easy to fix. It can take decades to build your reputation and consumer trust.

COMPONENTS OF A VMWARE ENCRYPTION STRATEGY
The most effective way to secure data and ensure a company’s integrity is to deploy encryption. For any encryption deployment, there are two major components:
1. Encryption of the sensitive data, usually in a Windows or Linux VM
2. Protection of the encryption keys through robust key management solutions

An effective strategy in the VMware environment has to address both of these components. The following section overviews the components of a VMware encryption strategy.

vSphere VM encryption enables creation of encrypted VMs and encrypts existing VMs, along with virtual disks and host core dump files. Because all VM files that contain sensitive information are encrypted, the entire VM is protected. Only administrators with encryption privileges can perform encryption and decryption tasks. Some files associated with a VM are not encrypted or are partially encrypted, because they don’t contain sensitive information, including log, configuration, and virtual disk descriptor files.

Page 12
SECURITY BEYOND COMPLIANCE

Three major components are used for encryption in VMware: a Key Management Server, a VMware vCenter Server®, and ESXi hosts.

KEY MANAGEMENT SERVER (KMS)
Encryption key management is the method used to protect and manage your encryption keys. The vCenter Server instance requests keys from an external KMS. The KMS generates and stores key encryption keys (KEKs) and passes them to the vCenter Server instance for distribution. As a Key Management Interoperability Protocol (KMIP) client, the vCenter Server system uses that protocol to facilitate use of the chosen KMS.

VMWARE VCENTER SERVER®
The vCenter Server instance obtains keys from the KMS and transfers them to the ESXi hosts. It does not store or persist the KMS keys, but keeps a list of key IDs. The vCenter Server system checks the privileges of users who perform cryptographic operations. VMware vSphere Web Client assigns cryptographic operation privileges and limits the users who can perform these operations. The vCenter Server system adds cryptography events to the list of events that can be viewed and exported from the vSphere Web Client event console. Each event includes the user, time, key ID, and cryptographic operation.

ESXI HOSTS
The ESXi host is responsible for several aspects of the encryption workflow:
• Performs the encryption of VM disks
• Ensures that guest data for encrypted VMs is not sent over the network without encryption

Encryption is performed by the industry-standard OpenSSL libraries and algorithms. VM encryption does not impose any new hardware requirements, but if the processor supports the Intel AES-NI instruction set, it uses that hardware facility to accelerate encryption and decryption operations, thereby providing better performance.
Page 13
NIST STANDARD AES ENCRYPTION
WHEN EVALUATING YOUR VM SOLUTION alongside your encryption key management solution, it’s important to look for certain certifications and validations. One of these is from the National Institute of Standards and Technology (NIST): NIST FIPS-197 validates AES encryption. VMware encrypts and decrypts according to NIST validation. It also manages encryption keys according to NIST guidelines.

ENCRYPTION KEY MANAGEMENT
As defined by NIST, key management is the method in which a user protects encryption keys, manages the entire key lifecycle, distributes encryption keys, and implements additional layers of security to protect keys and limit user access. In the NIST guidelines, enterprise encryption key management includes both technological and policy-based controls, integrated to provide the highest level of security around an organization’s encryption keys. Certifications and validations from NIST include SP-800-57, SP-800-130, and FIPS 140-2. NIST SP-800-57 provides recommendations for key management. SP-800-130 provides a framework for designing cryptographic key management systems.

FIPS 140-2 certification ensures that the key management software has been tested by third parties to meet the highest standards in key management technology, so you can establish strong key management. The VMware OpenSSL FIPS Object Module meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-2, which details the U.S. and Canadian Government requirements for cryptographic modules. For VMware customers, FIPS 140-2 compliant encryption and key management are a key defense for data security.

CONTINUOUS MONITORING
Recognizing that each organization must take responsibility for its data no matter where it resides, the NIST standard calls for continuous monitoring of key management. This requires organizations to continuously monitor their environments to ensure their infrastructure, applications, and data remain in a secure state. VMware’s security functionality supports continuous monitoring.

AUDITING
The NIST standard calls for auditing to bring transparency to security operations. Your key management solution needs to support active collection and monitoring of audit and OS logs. The logs should integrate with your log collection and SIEM active monitoring systems. Built-in logging allows administrators to track all key retrieval, key management, and systems activity. In VMware, reports can be sent automatically to a central log management database or SIEM products for a timely and permanent record of activity. A KMS should audit all administrative and user functions, including both successful and failed operations, for security-relevant events. This includes detecting and recording the events, the date and time of the events, and the identity or role of the entity initiating the events.

Page 14
ENCRYPTION KEY MANAGEMENT
ONCE DATA IS ENCRYPTED, YOUR PRIVATE information depends on enterprise-level key management to keep that data safe. Without key management, encryption stands alone as only half of a solution. When you leave the keys to unlock your sensitive business and customer data exposed, then you expose your entire organization to the risk of data loss or theft. Encryption key management involves administering the full lifecycle of cryptographic keys and protecting them from loss or misuse. Protection of the encryption keys includes limiting access to the keys physically, logically, and through user/role access.

ENCRYPTION KEY LIFECYCLE
A critical administrative component to encryption key management is the ability to manage the complete encryption key lifecycle. NIST defines all stages of a key’s lifecycle, including key generation, pre-activation, activation, distribution, revocation, post-activation, backup, escrow, and deletion. Through an administrative console, security administrators should be able to implement controls that allow access to keys by designating key users or user groups. They should also be able to set automatic key rotation policies, so that keys are retired and rolled over after any period of time. These controls help organizations meet data security requirements for some regulated industries. For example, the PCI DSS outlines key management requirements for cardholders or processors that can typically only be met using an enterprise-level encryption key management solution.

[Figure: Encryption Key Lifecycle — Key Generation, Pre-Activation, Activation, Post-Activation, Expiration, Key Escrow, Destruction]

POLICY-BASED CONTROLS
Beyond managing the key lifecycle, a key manager should actively audit and log all activity and functions performed on the server, and record these logs to an external event monitoring or logging server so that malicious activity can be detected in real time. Your key management solution should be compatible with common event-monitoring solutions and export logs in standardized formats in real time. Also, your key management solution should inherently enforce policy-based security functions that meet key management best practices such as separation of duties and dual control.

SEPARATION OF DUTIES
Separation of duties ensures that no single person controls multiple key management procedures and subsequent distribution of an encryption key. The person requesting the key and the person managing the key should be two different people. Dual control prevents any single person from controlling a key management process. For example, two security administrators should be required to authenticate access to the key server. While these policy-based controls are sometimes optional, they should always be available and easy to implement in your encryption key management solution.

Page 15
ENCRYPTION KEY MANAGEMENT (CONT)

BEST PRACTICES FOR KEY PROTECTION
There are several key management best practices that will ensure optimal key management performance and enforcement. On a technological and physical level, encryption keys should be stored in a logically or physically separate hardware or virtual key server, dedicated to performing only key management activities. The key manager should house a FIPS 140-2 validated pseudo-random number generator to create new keys and store those keys in a secure key database. Once generated and in use, encryption keys should be distributed for use over a secure Transport Layer Security (TLS) session using certificates to authenticate the user requesting the encryption key.

Also, enterprise key managers should perform real-time backup and high availability functions to prevent downtime and ensure business continuity. To accomplish this, each key server should perform active-active mirroring to one or more high availability servers as well as perform routine, automated backups to secure storage drives.

Page 16
ADDITIONAL KEY MANAGEMENT STANDARDS AND VALIDATIONS
KEY MANAGEMENT INTEROPERABILITY PROTOCOL (KMIP)
VMware allows users to manage encryption keys using a third-party key management vendor through a standard key management protocol called KMIP. All of VMware's KMS certification tests, contained in KMS plug-ins, verify that the vendor's KMIP KMS works with the vSphere storage encryption feature and vSAN virtual disks. Testing consists of verifying the correct behavior of a KMS, ensuring that it does not introduce undesirable impacts on the operation of the system. VMware supports two types of KMIP-integrated encryption:

• Switch-Based Encryption — With this method, the data leaves the host and travels in the clear until it reaches a switch, which then performs the encryption before sending the data on to the storage array. The switch might be a Fibre Channel switch or, in the case of NFS, a network switch. The switch typically also integrates with an external, KMIP-compliant key manager.

• Array-Based Encryption — With array-based encryption, the controller in a storage array encrypts the data as it is written to the disks. Encryption can be performed via custom application-specific integrated circuits (ASICs) in hardware or in software. In both cases, key management can be achieved via an onboard key manager or through the use of an external KMIP-compliant key manager.

PCI DATA SECURITY STANDARD (PCI DSS)
As mentioned earlier, VMware meets the standards of the PCI DSS, which was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. For VMware users who need to meet compliance, Alliance Key Manager has been validated for PCI DSS in VMware by Coalfire, a PCI-qualified QSA assessor and independent IT and audit firm. Additionally, Alliance Key Manager for VMware can also help businesses meet other compliance regulations such as HIPAA, GLBA/FFIEC, FISMA, etc.
CRITICAL INFRASTRUCTURE
WITH ALLIANCE KEY MANAGER, WE HAVE DONE a lot to help companies deal with the concern about resilience of a key manager, because it is critical infrastructure, including the following:

HARDWARE AND SOFTWARE RESILIENCE
If you are properly protecting keys, an encryption key management solution becomes a part of your critical infrastructure. But if your key manager goes down, your applications stop functioning until you have key management back up. Alliance Key Manager addresses those concerns in a number of ways. One way is that the key manager is built for redundancy. We know that hardware can fail, so we implement a hardware platform that is resilient and has a lot of redundancy built in. As such, the first layer of keeping an encryption key manager up and running consistently is to have a good hardware platform or run in the cloud.

BACKUP/RECOVERY, HIGH AVAILABILITY, AND MIRRORING
Real-time mirroring of keys and the policy around keys is critical for high availability and recovery. It is important for key management servers to mirror keys between multiple key managers over a secure and mutually authenticated TLS connection for hot backup and disaster recovery support. Organizations can choose to mirror key managers on-premises, in the cloud, or a hybrid of the two. If you have a failed server, a hardware problem, or a network outage, you should be able to define fail-over servers, and that fail-over will take place in real time.

Alliance Key Manager fully supports resilience through real-time mirroring. It is not an operating system feature; the key server itself has implemented this mirroring capability, and it is self-healing. So if two key servers are mirroring to each other and the network goes down, they will queue up those mirroring transactions, and when the network comes back, they will re-commit those changes. Alliance Key Manager is a robust facility for making sure you have good backups of your encryption keys.

ACTIVE MONITORING
Active monitoring is one of the core security recommendations to help prevent unauthorized access to sensitive systems and information. It is a requirement of a wide variety of compliance regulations such as PCI-DSS, the HIPAA/HITECH Act, and many others. From a security perspective, active monitoring makes it into the SANS Top 20 list of things you should do, and is a key recommendation from the US Cyber Security teams.
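The queue-and-replay behaviour described above (mirroring transactions held while the network is down, then re-committed when it returns), as an added example that is not Alliance Key Manager's code: two simulated key servers share a link that can be taken down; changes made during the outage queue locally and are replayed in order once the link is back, and a retransmitted transaction is recognised and not applied a second time. Server names, key IDs and key material are constructed, and the in-process method call stands in for the mutually authenticated TLS session a real mirror would use.

```python
"""Store-and-forward mirroring between two key servers.

Added example; not code from the guide or from Alliance Key Manager. While the
link between two mirrored key servers is down, key changes are queued locally;
when the link returns the queue is replayed in order, and replay is idempotent
so a duplicate transaction is ignored. Server names, key IDs and key material
are constructed; the peer.receive() call stands in for a mutually authenticated
TLS session.
"""


class Link:
    """The network path between two peers; set .up = False to simulate an outage."""
    def __init__(self):
        self.up = True


class KeyServer:
    def __init__(self, name):
        self.name = name
        self.keys = {}        # key_id -> {"material": bytes, "state": str}
        self.journal = []     # every locally originated transaction, in order
        self.outbox = []      # transactions not yet delivered to the peer
        self.applied = set()  # (origin, seq) already applied, for idempotency
        self.seq = 0
        self.peer = None
        self.link = None

    @staticmethod
    def pair(a, b, link):
        """Make a and b mirror partners over the given link."""
        a.peer, a.link = b, link
        b.peer, b.link = a, link

    def put_key(self, key_id, material, state="active"):
        """Record a local key change, then try to mirror it immediately."""
        self.seq += 1
        txn = (self.name, self.seq, key_id, bytes(material), state)
        self._apply(txn)
        self.journal.append(txn)
        self.outbox.append(txn)
        return self.flush()

    def flush(self):
        """Deliver queued transactions if the link is up. Returns how many remain queued."""
        if self.link is None or not self.link.up:
            return len(self.outbox)
        while self.outbox:
            self.peer.receive(self.outbox[0])
            self.outbox.pop(0)  # drop only after the peer accepted it
        return 0

    def receive(self, txn):
        """Apply a transaction from the peer; a duplicate is ignored, not re-applied."""
        origin, seq = txn[0], txn[1]
        if (origin, seq) in self.applied:
            return False
        self._apply(txn)
        return True

    def _apply(self, txn):
        origin, seq, key_id, material, state = txn
        self.applied.add((origin, seq))
        self.keys[key_id] = {"material": material, "state": state}


def demo():
    """Mirror across an outage; returns queue depths and both servers' key tables."""
    link = Link()
    a, b = KeyServer("akm-a"), KeyServer("akm-b")
    KeyServer.pair(a, b, link)
    a.put_key("k1", b"\x11" * 32)                     # delivered immediately
    link.up = False                                    # outage begins
    a.put_key("k2", b"\x22" * 32)                      # queued (1)
    queued = a.put_key("k1", b"\x11" * 32, "deactivated")  # queued (2)
    during_outage = dict(b.keys)                       # b still has the old k1 only
    link.up = True                                     # network is back
    remaining = a.flush()                              # replay both, in order
    duplicate = b.receive(a.journal[0])                # a retransmit changes nothing
    return {"queued": queued, "remaining": remaining, "during_outage": during_outage,
            "a": a.keys, "b": b.keys, "duplicate_applied": duplicate}


if __name__ == "__main__":
    print(demo())
```

The ordering guarantee matters: the deactivation of k1 was journaled after the creation of k2, and the replay preserves that order, so the peer never sees a state that the originating server never had.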
KEY MANAGER PLATFORMS
VMWARE
VMware vSphere 6.5 introduced policy-based encryption, which simplifies the security management of VMs across large-scale infrastructure, as each object no longer requires individual key management. With vSphere VM encryption, you can create encrypted VMs and encrypt existing ones. Because all VM files with sensitive information are encrypted, the VM is protected. Only administrators with encryption privileges can perform encryption and decryption tasks.

HARDWARE SECURITY MODULES (HSMS)
Since VMware vSphere encryption is Key Management Interoperability Protocol (KMIP) compliant, any HSM that conforms to KMIP should be able to effectively manage the keys. Any HSM that you consider should be FIPS 140-2 compliant. Additionally, you should understand your current level of risk and the regulations that you need to comply with, and purchase the level of security that you will likely need to manage your risk or comply with regulations.

Here are the three levels of security that an HSM can provide:

Tamper Evident: adding tamper-evident coatings or seals on screws or locks on all removable covers or doors.

Tamper Resistant: adding “tamper detection/response circuitry” that wipes out all sensitive data such as DEKs and KEKs.

Tamper Proof: complete hardening of the module with tamper evident/resistant screws and locks along with the highest sensitivity to “tamper detection/response circuitry” that wipes out all sensitive data.

CLOUD
As more and more enterprise operations move into virtual and cloud environments, they face multi-tenancy challenges and security issues. VMware customers benefit from many operational and cost efficiencies provided by VMware virtualization technologies both in traditional IT infrastructure and in cloud environments.
DEPLOYING KEY MANAGEMENT
1. IDENTIFY AND DOCUMENT TRUSTED AND UN-TRUSTED APPLICATIONS
Properly identifying application groups based on the level of trust is critical for a secure implementation of virtualized applications and encryption key management services.

2. RESTRICT PHYSICAL ACCESS
Fundamental to all IT security implementations is proper security of the physical environment. This means proper physical security controls and data center monitoring, as well as robust auditing and procedural controls. These physical controls should also apply to access to VMware management and security applications.

3. ISOLATE SECURITY FUNCTIONS
Because security applications are often a target of cyber-criminals, you should isolate them into their own security workgroup and implement the highest level of VMware security. Only trusted VMware administrators should have access rights to the encryption key management solution, system logs, and audit reports. Actively monitor access to and use of all encryption key management, key retrieval, and encryption services.

4. CHANGE VMWARE DEFAULT PASSWORDS
Review all VMware applications used to secure and manage your VMware environment and change the default passwords as recommended by VMware. Failure to change default passwords is one of the most common causes of security breaches.

5. IMPLEMENT NETWORK SEGMENTATION
You should implement network segmentation to isolate applications that process sensitive information from applications that do not require as high a level of trust. Additionally, you should provide network segmentation for all third-party security applications, such as your encryption and key management solution. Network segmentation is easy to accomplish with VMware network management and security applications. Do not rely on virtual network segmentation alone; use firewalls that are capable of properly securing virtual networks.

6. INTEGRATE VMWARE MONITORING AND SECURITY APPLICATIONS
VMware management and security applications provide for a high level of security and monitoring. They also include hooks and integration with third-party security applications that provide system log collection, active monitoring, intrusion detection, etc.

7. MONITOR VMWARE ADMIN ACTIVITY
Use an appropriate SIEM solution to collect VMware application and ESXi hypervisor system logs and perform active monitoring. The log collection and SIEM active monitoring solutions should be isolated into a security workgroup that contains other third-party security applications, such as Townsend Security's Alliance Key Manager.
SECURING A KEY MANAGEMENT VM
ENCRYPTION KEYS FOR VSAN
vSAN can perform data-at-rest encryption. You can use VMware data-at-rest encryption to protect data in your vSAN cluster. Data is encrypted after all other processing, such as deduplication, is performed. Data-at-rest encryption protects data on storage devices in case a device is removed from the cluster. When you enable encryption, vSAN encrypts everything in the vSAN datastore. Only administrators with encryption privileges can perform encryption and decryption tasks.

ENCRYPTING VIRTUAL DISK
Using encryption on your vSAN cluster requires some preparation. After your environment is set up, you can enable encryption on your vSAN cluster. vSAN encryption requires an external KMS, the vCenter Server system, and your ESXi hosts. vCenter Server requests encryption keys from the external KMS. The KMS generates and stores the keys, and vCenter Server obtains the key IDs from the KMS and distributes them to the ESXi hosts. vCenter Server does not store the KMS keys, but keeps a list of key IDs.

CONFIGURATION
You can enable encryption by editing the configuration parameters of an existing vSAN cluster.

BENEFITS OVER SELF-ENCRYPTING DRIVES
vSphere VM encryption offers advantages over other methods, such as Self-Encrypting Drives (SEDs). SEDs are disk-based encryption with data encrypted at the storage level using integrated hardware and an individual media encryption key (MEK), which is in turn encrypted with a KEK. KEKs are required for the encryption to work and must be managed individually unless an external key manager is used.

KMIP INTERFACE
As a KMS client, vCenter Server uses the KMIP interface and makes it easy to use the KMS of your choice. The KMIP standard defines the following states for keys: pre-active, active, deactivated, compromised, destroyed, and destroyed compromised.
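The six KMIP states listed above, as an added example that is not VMware's code and not a KMIP library: a Python state machine that permits only the transitions the KMIP specification's object state diagram allows, wipes the key material when a key is destroyed, and treats Active keys as usable for protecting and processing data, Deactivated keys for processing existing data only, and Compromised keys as unusable (the last is this model's conservative policy, not a KMIP requirement). The key ID and key material are constructed values.

```python
"""The KMIP key states as an enforced state machine.

Added example; not code from the guide, from VMware or from any KMIP library.
It models the six KMIP object states the text lists and allows only the
transitions the KMIP specification permits, so a destroyed key can never become
active again and key material is wiped on destruction. Active keys may protect
and process data, Deactivated keys may only process data, and this model refuses
all use of Compromised keys. Key IDs and material are constructed.
"""
from enum import Enum


class KeyState(Enum):
    PRE_ACTIVE = "Pre-Active"
    ACTIVE = "Active"
    DEACTIVATED = "Deactivated"
    COMPROMISED = "Compromised"
    DESTROYED = "Destroyed"
    DESTROYED_COMPROMISED = "Destroyed Compromised"


# Transitions allowed by the KMIP object state diagram; anything else is rejected.
ALLOWED = {
    KeyState.PRE_ACTIVE: {KeyState.ACTIVE, KeyState.DESTROYED, KeyState.COMPROMISED},
    KeyState.ACTIVE: {KeyState.DEACTIVATED, KeyState.COMPROMISED},
    KeyState.DEACTIVATED: {KeyState.DESTROYED, KeyState.COMPROMISED},
    KeyState.COMPROMISED: {KeyState.DESTROYED_COMPROMISED},
    KeyState.DESTROYED: {KeyState.DESTROYED_COMPROMISED},
    KeyState.DESTROYED_COMPROMISED: set(),
}
TERMINAL = {KeyState.DESTROYED, KeyState.DESTROYED_COMPROMISED}


class InvalidTransition(Exception):
    """The requested state change is not permitted by KMIP."""


class ManagedKey:
    def __init__(self, key_id, material):
        self.key_id = key_id
        self._material = bytearray(material)
        self.state = KeyState.PRE_ACTIVE
        self.history = [self.state]

    def transition(self, new_state):
        if new_state not in ALLOWED[self.state]:
            raise InvalidTransition(f"{self.key_id}: {self.state.value} -> {new_state.value}")
        if new_state in TERMINAL:
            # Destroy: overwrite the key material, then drop it. Metadata is kept for audit.
            for i in range(len(self._material)):
                self._material[i] = 0
            self._material = bytearray()
        self.state = new_state
        self.history.append(new_state)
        return self.state

    def has_material(self):
        return len(self._material) > 0

    def may_protect(self):
        """Encrypt or sign new data: only an Active key."""
        return self.state is KeyState.ACTIVE

    def may_process(self):
        """Decrypt or verify existing data: Active or Deactivated; never Compromised or destroyed."""
        return self.state in (KeyState.ACTIVE, KeyState.DEACTIVATED)


def demo():
    """Run one key through its lifecycle and attempt the transitions KMIP forbids."""
    key = ManagedKey("constructed-key-0001", b"\xab" * 32)
    key.transition(KeyState.ACTIVE)
    protect_when_active = key.may_protect()
    key.transition(KeyState.DEACTIVATED)
    usage_when_deactivated = (key.may_protect(), key.may_process())
    rejected = []
    for bad in (KeyState.ACTIVE, KeyState.PRE_ACTIVE):  # reactivation is never allowed
        try:
            key.transition(bad)
        except InvalidTransition as exc:
            rejected.append(str(exc))
    key.transition(KeyState.DESTROYED)
    return {"protect_when_active": protect_when_active,
            "usage_when_deactivated": usage_when_deactivated,
            "rejected": rejected,
            "final_state": key.state.value,
            "material_left": key.has_material(),
            "history": [s.value for s in key.history]}


if __name__ == "__main__":
    print(demo())
```

A key manager that enforces this table is what gives vCenter's list of key IDs its meaning: a deactivated key can still unlock existing virtual disks during a rotation, but it can never be handed out to protect new data, and a destroyed key ID stays on record without any material behind it.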
ENCRYPTION KEYS FOR APPLICATIONS
THE IDEAL KEY MANAGEMENT SOLUTION provides high availability, standards-based enterprise encryption key management to a wide range of applications and databases.

MICROSOFT SQL SERVER
Data can be encrypted in a SQL Server database. In Standard Edition, you'll need to encrypt at the application level. In Enterprise Edition, SQL Server has Transparent Data Encryption (TDE), Extensible Key Management (EKM), and Cell Level Encryption (CLE). Townsend Security has an EKM provider. You need two things: a key management solution to protect the critical encryption keys, and an encryption solution for the SQL Server database. And they have to talk to each other. For the first part, the Alliance Key Manager for VMware solution provides a fully functional, enterprise key management solution that protects SQL Server databases as well as other databases and other OSs. For encrypting SQL Server, the Alliance Key Manager solution comes with a full Microsoft SQL Server Extensible Key Management Provider, called the Key Connection for SQL Server. It's a module that our key management customers receive without paying additional license fees. Key Connection for SQL Server provides the encryption and integration with the key server to provide a complete end-to-end solution for encrypting data in the SQL Server database.

MONGODB
MongoDB offers AES encryption as part of the WiredTiger Storage Engine in the Enterprise edition of their offering. There are two options for storing encryption keys: in the database, in the clear; or by using KMIP and a key manager. Alliance Key Manager is certified by MongoDB for use with the MongoDB Enterprise database.

DRUPAL
There is no native encryption in Drupal. Users need to install modules, such as Key, Encrypt, and Townsend Security's Key Connection For Drupal, to encrypt private data in Drupal.

WINDOWS IIS
Encryption needs to be done at the application level. This can be facilitated through the use of the Alliance Key Management Windows .NET SDK.

SOFTWARE DEVELOPER KITS (SDKS)
Encryption needs to be done at the application level. This can be facilitated through the use of the Alliance Key Management Windows .NET SDK.

JAVA, .NET, PHP, PYTHON, PERL, ETC.
VMware offers release notes, developer guides, API references, and other documentation for current and past versions of API and SDK sets. Businesses who aren't able or don't want to encrypt at the database level have options to encrypt at the application level. Good key management vendors (such as Townsend Security) offer SDKs and sample code to make encryption at the application level easy.

WINDOWS
Alliance Key Manager protects Windows .NET Client software with encryption and key management for applications. You can add the Windows .NET Client Assembly to your Windows projects to encrypt data at the application level.

LINUX
Linux applications use a variety of database and storage methods that include MySQL, MongoDB, PostgreSQL, Amazon S3 and RDS, and many others. Like any application deployed on any operating system and storage mechanism, Linux applications need to protect sensitive data at rest using strong encryption.

“Townsend Security collaborates with developers and IT professionals around the world. We know that developers use a wide variety of languages and platforms to accomplish their work.”
HYBRID DEPLOYMENTS
GOOD KEY MANAGEMENT SOLUTIONS SHOULD be able to mirror in hybrid environments, such as VMware to cloud.

CLOUD
As enterprises adopt public and private clouds, they bring their sensitive data with them – customer names, email addresses, and other PII. While compliance regulations require protecting this information, encrypting this data has been a challenge for organizations that want the flexibility and security of a native VMware solution. By deploying Alliance Key Manager for VMware as a vCloud instance, customers can achieve their security and efficiency goals in a cloud environment. Alliance Key Manager for VMware will make the migration easy. Alliance Key Manager for AWS secures private information in databases and applications, including MS SQL Server, Oracle databases, and Drupal. It protects data in Amazon RDS, Amazon S3, Amazon EBS, and Amazon DynamoDB. VMware has established partnerships with AWS and vCloud. Further, Alliance Key Manager for VMware can provide key management for applications and also for vSphere and vSAN in the AWS platform.

WEB SERVERS - VSPHERE
See vSphere discussion below.

WEB APPLICATIONS
VMware delivers intrinsic security by architecting security directly into the networks and public and private cloud workloads on which applications and data live, thereby shrinking the attack surface for your digital enterprise. To address these problems, organizations need to fundamentally transform the way they secure the application infrastructure. VMware uses a complete portfolio of solutions that enable IT to deploy a virtualized platform, which abstracts their infrastructure from the applications running on top of it — whether that infrastructure is on-premises or in the public cloud. With VMware vSphere and VMware NSX, organizations can take advantage of flexible, robust virtualization platforms to support their new and existing apps — without compromising security and compliance. VMware vRealize Network Insight enhances their capabilities through enterprise-ready cloud management for additional visibility and protection.
BUSINESS BENEFITS
ORGANIZATIONS GAIN SIGNIFICANT BENEFITS from keeping their encryption keys protected, including, but not limited to, the following:

REDUCED ADMINISTRATION OF CRITICAL SECRETS
Controlling everything from one place is the simplest and most efficient way to manage encryption. A centralized and granular key management policy can enable seamless updates for all necessary cryptographic functions without any changes in the application code. Implementing centralized policy enforcement, where the system collects all relevant information in a single place for easy audit and in human-readable form, makes demonstration of compliance with internal and external policies a straightforward task. Among other benefits is reduced administration of enterprise IP.

IMPROVED SECURITY
Robust key management with centralized controls lowers an organization's overall security risks by, for example, reducing the risk of human error and better controlling administrators' access permissions.

IMPROVED GOVERNANCE, RISK MANAGEMENT, & COMPLIANCE
Robust key management allows organizations to improve data security governance by restricting access to cryptographic functions and enforcing policies on functions such as key length, rotation, mode of operation, and more. This helps meet regulations and industry guidelines, measures, and controls.
CHALLENGES IN VMWARE
VM ENCRYPTION OFFERS SEVERAL ADVANTAGES compared to other encryption methods, but it might not be a great fit for every workload. When weighing whether to encrypt or not, you'll want to consider a few limitations, caveats, and performance issues first.

CROSS-PLATFORM COMPATIBILITY
vSphere Virtual Machine Encryption has some limitations regarding devices and features that it can interoperate with in vSphere 6.5 and later releases. Also, you cannot perform certain tasks on an encrypted VM. Further, VMware tools address only VMware issues.

COSTS AND LICENSING
Investing in VMware and licensing is a significant investment and may be cost-prohibitive for many organizations.

COMPLEXITY
VMware is complex and requires either experienced internal employees or potentially expensive outsourced services to manage and operate.

APPLICATIONS
There is some application incompatibility that needs to be acknowledged by each organization.

SDKS
VMware's SDKs may not cover every need of every enterprise.
VENDOR CONSIDERATIONS
GENERALLY, THE CONSIDERATIONS FOR sourcing encryption key management solutions for VMware will be similar to any relationship you develop with a vendor.

LICENSING
Vendors take a variety of approaches to licensing their key management solution. The main difference is in licensing constraints on the VMware side. You may start your first VMware encryption project with a rather limited scope. But as you continue to encrypt more sensitive data you may need to scale. Some encryption key management vendors license software based on the number of VMware instances that you place under protection. Others provide unlimited numbers of client-side licenses after you acquire the key manager. Be sure you understand the licensing terms of each solution you evaluate, and be sure to understand your long-term needs.

DOCUMENTATION
Documentation on your VMware implementation will be crucial for long-term success. In addition to documentation on the installation and configuration, be sure your vendor provides documentation on key rotation, applying patches to the key manager, upgrading the key manager to new versions, and problem determination. All of these aspects should be covered in vendor documentation.

TRAINING
While key management solutions have become much simpler over time, you should still expect to receive some operational and technical training from your encryption and key management vendor. Gone are the days when this meant a lot of on-site educational expense. Modern encryption and key management solutions may require only a few hours of coaching and training to deploy and maintain. Be sure your encryption and key management vendor has a program to deliver training in a timely fashion.

CUSTOMER SUPPORT
Many businesses have devalued their customer support experience, which can be a problem for all key manager users. When you have a problem with encryption or key management, it's likely to affect your application service levels. Before acquiring your key management solution, be sure to schedule time with the customer support group. Do they have a formal problem tracking system? Do you have access to all problem tickets you raise? Does the customer support group respond in a timely fashion? Is there a 24/7 response number? All of the normal customer support questions you might ask are relevant to a VMware key management solution. We all know what really bad customer support looks like, so be sure there is a good team standing behind the solution you deploy.

SERVICES
The modern enterprise is often geographically distributed, which can make deployment and training difficult. While VMware encryption key management solutions can be simple to deploy and configure, you may want to be sure your vendor can send staff on-site for support.
SUMMARY
VMWARE VIRTUALIZATION HAS BEEN A GAME-changing technology for IT, providing efficiencies and capabilities that have previously been impossible for organizations constrained within traditional IT data center worlds. With VMware, organizations are able to reduce hardware costs, lower operational cost, and gain a clear path to move to the cloud. With the addition of encryption, you can deploy secure environments where there is less risk of data loss in the event of a breach.

The Alliance Key Manager client-side applications, software libraries, and SDKs fully integrate with Alliance Key Manager for key protection, and work naturally with your SQL Server, MongoDB, Windows, and Linux VMware VMs. The solution offers unparalleled security, flexibility, and affordability for all users of VMware Enterprise database. With no client-side software to install, customers can deploy Alliance Key Manager and install the PKI certificates on the database server to easily begin retrieving encryption keys.

By deploying as a virtualized encryption key manager, enterprises are able to reduce hardware costs, lower operational costs, minimize the IT footprint, and gain a clear path for a future move to the cloud. Using the same FIPS 140-2 compliant technology that is in our HSM and in use by over 3,000 customers, Townsend Security's Alliance Key Manager for VMware brings a proven and mature encryption key management solution to VMware environments with a lower total cost of ownership.

The solution is available as an HSM, a VMware instance, and in the cloud (Amazon Web Services, Microsoft Azure, and VMware vCloud), allowing organizations to meet compliance requirements (PCI DSS, HIPAA, GDPR, etc.) and security best practices. Townsend Security offers a 30-day, fully-functional evaluation of Alliance Key Manager.

SUPPORTED VERSIONS OF VMWARE
Alliance Key Manager for VMware supports VMware ESX, VMware vSphere (ESXi), vSAN, and vCloud.

VMWARE TECHNOLOGY ALLIANCE PARTNER
Townsend Security is an Advanced tier VMware Technology Alliance Partner (TAP), and Alliance Key Manager for VMware has achieved VMware Ready status and vSphere and vSAN certification. This designation indicates that after a detailed validation process Alliance Key Manager for VMware has achieved VMware's highest level of endorsement.
ALLIANCE KEY MANAGER
“A very cost effective solution in terms of performance, manageability, security, and availability. As a result, my company was quickly able to implement full database encryption leveraging the AKM as our key management solution in weeks. Comparable solutions could have taken months.”
- CERTAIN

TOWNSEND SECURITY IS HELPING VMWARE customers secure their sensitive data with Alliance Key Manager. The solution offers unparalleled security, flexibility and affordability for all users of VMware. With no client-side software to install, customers can deploy Alliance Key Manager and easily begin retrieving encryption keys.

Alliance Key Manager is FIPS 140-2 compliant and in use by over 3,000 organizations worldwide. The solution is available in VMware, as a hardware security module (HSM), and in the cloud (Amazon Web Services, Microsoft Azure, and VMware vCloud). Townsend Security offers a 30-day, fully-functional evaluation of Alliance Key Manager.

30-DAY EVALUATION
• FIPS 140-2 and KMIP compliant enterprise key manager
• Available as an HSM, in VMware, or in the cloud (AWS, Microsoft Azure)
• Affordably priced, with no restrictions on server connections or client side applications
• Meet compliance regulations like PCI DSS, HIPAA, GDPR, and more
ABOUT TOWNSEND SECURITY
“Townsend is a full service security provider that remains on the cutting edge and has demonstrated exceptional customer service.”
- CSU FRESNO

TOWNSEND SECURITY CREATES DATA PRIVACY solutions that help organizations meet evolving compliance requirements and mitigate the risk of data breaches and cyber-attacks. Over 3,000 organizations worldwide trust Townsend Security's NIST and FIPS 140-2 compliant solutions to meet the encryption and key management requirements in PCI DSS, HIPAA/HITECH, FISMA, GLBA/FFIEC, SOX, GDPR and other regulatory compliance requirements.

CONTACT TOWNSEND SECURITY
www.townsendsecurity.com
@townsendsecure
724 Columbia Street NW, Suite 400
Olympia, WA 98501
360.359.4400