ENCRYPTION & KEY MANAGEMENT FOR VMWARE CLOUD … · 2020. 6. 25. · Certified VMware Cloud...

ENCRYPTION & KEY MANAGEMENT FOR VMWARE CLOUD PROVIDERS THE DEFINITIVE GUIDE




Certified VMware Cloud Providers deliver a critical set of services and infrastructure to small and medium-sized organizations. They deploy, manage, secure, and back up the VMware environment for their end customers. That mix of expertise and cloud or hosting infrastructure positions them to fill an important role in the IT services industry. Customers are rightly concerned about the security of their sensitive information in VMware Virtual Machines (VMs) and Virtual SAN (vSAN) and want to be sure that this information is encrypted. The VMware platform provides the ability to encrypt VMs and vSAN, but needs the addition of an Enterprise Key Management System (KMS) to protect the encryption keys. The following sections describe the encryption implementation of VMware, the mechanism for protecting encryption keys, and the unique business challenges facing VMware Cloud Providers.


CONTENTS

Introduction 4

VMware Cloud Providers 5

VMware Encryption 6

Industry Standards 9

Customers, Clients, and Business Secrets 10

Business Continuity 12

VMware Cloud Providers & Encryption Key Management 13

Cloud Provider Partner Program 14

Alliance Key Manager 15

About Townsend Security 16


INTRODUCTION

The VMware story began in 1998 when five forward-thinking technologists launched an innovative virtualized computing solution. Shortly thereafter, it was the first commercially successful company to virtualize x86 architecture. Today VMware is the recognized leader in on-premise computing virtualization. VMware’s applications extend across management, networking, monitoring, administration and security. VMware’s enterprise software hypervisor for servers, VMware ESXi, is a bare-metal hypervisor that runs directly on server hardware without needing an additional underlying OS. Organizations have achieved immense cost, security and administrative benefits through the deployment of VMware for their IT infrastructure.

While the benefits of VMware are undeniable, the proper deployment and management of VMware requires specialized expertise. While reducing the overall cost of IT hardware through virtualization, there remains the need for hardware and data center investment. VMware Cloud Providers are helping customers in both areas - providing expertise and hosted data center infrastructure.


VMWARE CLOUD PROVIDERS

VMware Cloud Providers are specialized partners in the VMware partner ecosystem. Not only do they bring expertise to the deployment and management of VMware in hosted and cloud environments, but they maintain a special partner relationship with VMware that involves certification and the ability to cost effectively license VMware platforms. This special relationship as a VMware partner must be revalidated on a periodic basis and this helps build confidence by end customers in their services. You can find the Certified VMware Cloud Providers on the VMware website.

While the number of VMware partners is quite large, only about 180 VMware partners have achieved VMware Cloud Verified status. You will find both small, regional partners as well as global partners.


VMWARE ENCRYPTION

VMware vSphere encryption was first introduced in vSphere 6.5 and vSAN 6.6, enabling encryption of virtual machines (VMs) and disk storage (vSAN). It only requires the vCenter vSphere Server, a third-party Key Management Server (KMS), and ESXi hosts to work. It implements standards-based AES encryption, uses the open KMIP standard for the key management interface, is highly performant, and is easy to deploy.

In our increasingly insecure cyber world, VMware understands the critical nature of robust security solutions, including encryption capabilities. We need strong encryption and key management solutions that run natively in our virtual environments to meet compliance regulations and security best practices.

The implementation of VMware encryption and the key management interface now span several releases of VMware and have earned the trust of customers and partners. If you’d like to first learn the fundamentals of encryption and key management before diving in, please view The Definitive Guide to Encryption Key Management Fundamentals.

ENCRYPTION OF VIRTUAL MACHINES (VMS) AND BEST PRACTICES FOR VMWARE CLOUD PROVIDERS

With vSphere 6.5 and above, you can encrypt your customer VMs to help protect sensitive data-at-rest and to meet compliance regulations. vSphere encryption allows you to encrypt existing virtual machines as well as encrypt new VMs right out of the box. Additionally, vSphere VM encryption not only protects your virtual machine but can also encrypt your other associated files. Organizations typically have mission-critical information in VMs. This means that getting encryption and key management right the first time is paramount.

VMware provides excellent documentation on the configuration, deployment and best practices for encryption. Here are a few highlights of best practices as you deploy encryption for your customers:

• Do not encrypt any vCenter Server Appliance VMs. These are vital to the functioning of VMware and should never be encrypted.

• Do not edit VMX files or VMDK descriptor files as they contain the encryption bundle information. Any changes may make the VM unrecoverable.

• Always designate a high availability failover key manager in your KMS cluster. If your primary key server goes down with no failover key server in place, your encrypted VMs will be unable to be decrypted until the key server is recovered.


• Once you name your key management server (KMS) cluster, do not rename it. If you change the name of the KMS cluster the ESXi host will be unable to find the KMS and a VM that is encrypted with a key encryption key (KEK) from that KMS will be unable to be decrypted.

• Once you encrypt a virtual machine, you cannot relocate the VM to a host that does not have the key ID information. Only an ESXi host with the key ID information for that VM can properly locate the encryption key for decryption.

At Townsend Security, we provide additional technical support and guidance to our VMware Cloud Provider partners to ensure successful deployments of encrypted VMs.

ENCRYPTION OF VIRTUAL STORAGE (VSAN) AND BEST PRACTICES FOR VMWARE CLOUD PROVIDERS

VMware’s Virtual SAN (vSAN) is powerful hyper-converged infrastructure that offers you greater performance and high scalability. vSAN encryption is easy to deploy but does have a few best practices in order to avoid interruption of service. Before you begin your vSAN encryption project, consider these VMware best practices:

• Do not deploy your KMS server on the same vSAN datastore that you are encrypting. This will encrypt your key managers and in some cases render them useless in recovery scenarios.

• Do not attempt to encrypt your witness hosts, as they do not contain any sensitive data. They only contain metadata concerning other vSAN clusters and do not need to be encrypted.

• Encryption can be CPU intensive. For vSAN encryption on Intel hardware, make sure AES-NI is enabled in BIOS. It can significantly improve encryption performance.

• You should ensure that your core dumps are encrypted. They can contain sensitive information such as encryption keys.

• When you decrypt a core dump, you should handle it as if it contains sensitive information. Core dumps may contain encryption keys for the vSAN host, for the data on it, or both.

One way that our VMware Cloud Provider partners are helping their customers protect data is to deploy common commercial and open source databases on encrypted vSAN storage. PostgreSQL, MariaDB, MongoDB Community Edition, Oracle Database and many others can be secured at rest using encrypted vSAN and VMware provides excellent guidance on how to do this. Using encrypted vSAN for your databases can help your customers avoid expensive software upgrades.


ENCRYPTION THROUGH VIRTUAL TRUSTED PLATFORM MODULE (VTPM)

Operating systems like Microsoft Windows and others have implemented support for the Trusted Platform Module (TPM). TPM provides additional security to the operating system encryption support by protecting the master encryption key in the underlying hardware. While TPM works well in traditional server settings it does not work well in a VMware virtualized environment. One of the benefits of VMware is independence from the underlying hardware, and the ability to move workloads across hardware servers, remote nodes and the cloud. VMware has solved the problem with Virtual TPM (vTPM). VMware customers can now deploy vTPM from VMware and get encryption key protection through the same vSphere KMS Cluster configuration used to protect VMs and vSAN.

Because support for encrypted VMs is easy and scalable, VMware Cloud Providers rarely need to deploy vTPM. However, if an end customer wants vTPM protection, it is available and fully supported through the vSphere KMS Cluster configuration.


INDUSTRY STANDARDS

VMware users are concerned with the implementation of encryption and key management.

AES ENCRYPTION

One important standard is from National Institute of Standards and Technology (NIST): NIST FIPS-197, which defines and validates AES encryption. Why is verifying that your data is secured with AES encryption important? AES is an internationally recognized standard for encryption and VMware has validated its encryption to this standard. All major compliance regulations recognize AES encryption for protecting sensitive data.

ENCRYPTION KEY MANAGEMENT

FIPS 140-2 certification ensures that the key management software has been tested by third parties to meet the highest standards in key management technology, so you can establish strong key management. For VMware customers, FIPS 140-2 compliant encryption and key management are a key defense for data security. Proper key management is required to implement VMware encryption.

KMIP

VMware allows users to manage encryption keys using a third-party key management vendor through a standard key management protocol called Key Management Interoperability Protocol, or KMIP. All of VMware’s KMS Certification tests contained in KMS plug-ins verify that the vendor’s KMIP KMS works with the vSphere VM encryption feature and encrypted vSAN virtual disk. Testing consists of verifying the correct behavior of a KMS and ensuring that it does not introduce undesirable impacts on the operation of the system.
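KMIP messages travel on the wire as TTLV items (Tag, Type, Length, Value). The following is an added example, not code from this guide or from Townsend Security: a minimal Python encoder and decoder that builds the KMIP 1.x Get request a client such as vCenter issues to fetch a key by Unique Identifier, and parses it back. Tag and enumeration values are taken from the KMIP 1.x specification; the identifier "key-1" is a constructed sample.

```python
"""Minimal KMIP 1.x TTLV encoder/decoder (added example, constructed data).

Every TTLV item is a 3-byte tag, a 1-byte type, a 4-byte big-endian
length, then the value padded to a multiple of 8 bytes. Tag and
enumeration values are from the KMIP 1.x spec; "key-1" is made up.
"""
import struct

TAGS = {                       # KMIP tags needed for a Get request
    "RequestMessage": 0x420078, "RequestHeader": 0x420077,
    "ProtocolVersion": 0x420069, "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
    "BatchItem": 0x42000F, "Operation": 0x42005C,
    "RequestPayload": 0x420079, "UniqueIdentifier": 0x420094,
}
TAG_NAMES = {v: k for k, v in TAGS.items()}
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07
OPERATION_GET = 0x0A           # Operation enumeration value for Get

def _item(tag, typ, payload, length):
    """One TTLV item; 'length' is the logical length, payload gets padded."""
    pad = b"\x00" * ((-len(payload)) % 8)
    return (TAGS[tag].to_bytes(3, "big") + bytes([typ])
            + struct.pack(">I", length) + payload + pad)

def integer(tag, value):       # 4-byte value followed by 4 bytes of padding
    return _item(tag, INTEGER, struct.pack(">i", value), 4)

def enumeration(tag, value):   # same layout as Integer, unsigned
    return _item(tag, ENUMERATION, struct.pack(">I", value), 4)

def text_string(tag, value):   # length is the unpadded UTF-8 byte count
    data = value.encode("utf-8")
    return _item(tag, TEXT_STRING, data, len(data))

def structure(tag, *children): # length covers the already padded children
    body = b"".join(children)
    return _item(tag, STRUCTURE, body, len(body))

def build_get_request(unique_identifier, major=1, minor=1):
    """Encode a KMIP Get request asking the KMS for one managed object."""
    return structure("RequestMessage",
        structure("RequestHeader",
            structure("ProtocolVersion",
                integer("ProtocolVersionMajor", major),
                integer("ProtocolVersionMinor", minor)),
            integer("BatchCount", 1)),
        structure("BatchItem",
            enumeration("Operation", OPERATION_GET),
            structure("RequestPayload",
                text_string("UniqueIdentifier", unique_identifier))))

def decode(buf):
    """Parse TTLV bytes into a list of (tag name, value); structures nest."""
    items, pos = [], 0
    while pos < len(buf):
        tag = int.from_bytes(buf[pos:pos + 3], "big")
        typ = buf[pos + 3]
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        raw = buf[pos + 8:pos + 8 + length]
        if typ == STRUCTURE:
            value = decode(raw)
        elif typ == INTEGER:
            value = struct.unpack(">i", raw)[0]
        elif typ == ENUMERATION:
            value = struct.unpack(">I", raw)[0]
        elif typ == TEXT_STRING:
            value = raw.decode("utf-8")
        else:
            raise ValueError(f"unsupported TTLV type 0x{typ:02x}")
        items.append((TAG_NAMES.get(tag, hex(tag)), value))
        pos += 8 + length + (-length) % 8   # skip value plus its padding
    return items
```

Calling `decode(build_get_request("key-1"))` returns the nested request, with the 120-byte encoding available from `build_get_request` for comparison against a packet capture of the vCenter-to-KMS TLS session once decrypted on the KMS side.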


CUSTOMERS, COMPLIANCE, & BUSINESS SECRETS

VMware partner end customers are concerned with protecting sensitive business secrets and meeting compliance regulations. Here are a few of those regulations that are of concern:

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

The Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH) outline data security regulations for the healthcare industry. While HIPAA/HITECH does not specifically require encryption of sensitive data, a backdoor “safe harbor” mandate states that if a healthcare organization or one of its Business Associates (BA) does experience a data breach, and Protected Health Information (PHI) is not obscured using encryption or some other method, then that organization will be heavily penalized.

Organizations can reduce the complexity and cost of HIPAA Security Rule compliance by replacing traditional non-integrated products with integrated solutions. To further address this gap, VMware, together with the VMware partner ecosystem, delivers compliance-oriented integrated solutions, enabling compliance by automating the deployment, provisioning, and operation of regulated environments. In this way, VMware provides the solution reference architecture, HIPAA Security Rule specific guidance, and software solutions that businesses require to achieve continuous compliance, along with speed, efficiency, and agility for their applications.

CALIFORNIA CONSUMER PRIVACY ACT (CCPA)

If your end customers collect data on people or households who are in California, and meet the minimum criteria, and are not explicitly excluded, they must meet the requirements of the new law. Notice, this does not just apply to “California citizens”, but people who are in the state at the time of data collection.

You are not exempt if your organization resides outside of California. If your customer collects data on people in California, they should assume they are covered by the law. Under the CCPA the only way to provide protection against class action lawsuits is to encrypt your sensitive data and to use proper encryption key management.

Page 11: ENCRYPTION & KEY MANAGEMENT FOR VMWARE CLOUD … · 2020. 6. 25. · Certified VMware Cloud Providers deliver a critical set of services and infrastructure to small and medium size

Page 11

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

VMware meets the standards of the PCI DSS, which was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. For VMware users who need to meet compliance, Alliance Key Manager has been validated for PCI DSS in VMware by Coalfire, a PCI-qualified QSA assessor and independent IT and audit firm. Additionally, Alliance Key Manager for VMware can also help businesses meet other compliance regulations such as CCPA, HIPAA, GLBA/FFIEC, FISMA, etc.

VMWARE AND GDPR

In response to escalating external and internal threats and uncertainty, lawmakers and regulators around the world have been strengthening their data security compliance requirements, implementing new legal frameworks and levying higher noncompliance penalties. This places organizations at tremendous risk for compliance violations, along with the resulting fines and remediation costs. On May 25th, 2018, the European Union made securing citizens’ data an even bigger challenge for companies doing business that involves handling their citizens’ data. That was launch day for the new European Union General Data Protection Regulation (GDPR).

Encryption and key management can help meet GDPR’s privacy requirements, as well as citizens’ right of erasure (right to be forgotten). While the EU does not mandate that all organizations encrypt sensitive data, there is an exclusion from data subject breach notification and financial penalties for those organizations that use encryption and other security methods to protect the data. Thanks to VMware’s wide-ranging focus on security, implementing encryption and key management tools will help users meet requirements for GDPR.


“When you leave the keys to unlock your sensitive business and customer data exposed, then you expose your entire organization to the risk of data loss or theft.”


BUSINESS CONTINUITY

One of the key values that VMware Cloud Providers bring to their customers is a reliable and resilient infrastructure to protect their customers’ ongoing operations. VMware infrastructure is crucial to this effort and provides world-class business continuity. This includes support for encrypted VMs that may move across multiple vCenter nodes.

VMware partners know that a reliable and resilient key management solution is also critical to this effort. A key management solution should be able to meet or exceed customer expectations for business continuity. VMware Cloud Providers need to be able to deploy a key management solution that provides real-time failover and integrates with vSphere KMS Cluster configurations.


VMWARE CLOUD PROVIDERS & ENCRYPTION KEY MANAGEMENT

As the landscape for delivering VMware services rapidly changes to a new usage model, VMware partners find themselves struggling with traditional key management infrastructure. Legacy key management systems involve fixed up-front costs, annual maintenance and support contracts, complex and rigid deployment tasks, and inflexible infrastructure. This makes it difficult for VMware Cloud Providers to manage costs across a growing number of customers and to scale their businesses effectively.

Further adding to the pain is the difficulty of managing complex customer relationships that span on-premise, hosted, and cloud environments. Trying to deploy a key management solution that bridges the customer on-premise VMware environment with the VMware partner’s cloud platform again involves complex and expensive licensing costs. The KMS industry has failed to keep up with this new paradigm for delivering VMware services.


VMWARE CLOUD PROVIDER PARTNER PROGRAM

The Townsend Security VMware Cloud Provider partner program is designed to match the partner’s business model with usage-based key management and flexible deployment options that eliminate licensing headaches, and which empowers the VMware Cloud Provider to scale their business. There are no upfront costs or annual fees, no annual minimum license fees, and no restrictions on KMS deployment in the cloud or on customer premises.

Townsend Security works with partners to design and implement a pricing plan that matches the way they do business. The result is a highly scalable and predictable deployment of VMware encryption and key management with no administrative overhead.

VMware Cloud Providers also benefit from the ongoing certification of Townsend Security’s Alliance Key Manager with VMware to ensure customer confidence and easy integration. The VMware Cloud Provider benefits from the advanced security posture and certifications of Alliance Key Manager in a variety of compliance environments.

Townsend Security provides key management technology, no cost training, 24/7 technical support, and an easy partner program with no unpleasant surprises. It is easy to get started here.


“A very cost effective solution in terms of performance, manageability, security, and availability. As a result, my company was quickly able to implement full database encryption leveraging the AKM as our key management solution in weeks. Comparable solutions could have taken months.” - CERTAIN

ALLIANCE KEY MANAGER

Townsend Security is helping VMware customers secure their sensitive data with Alliance Key Manager. The solution offers unparalleled security, flexibility and affordability for all users of VMware. With no client-side software to install, customers can deploy Alliance Key Manager and easily begin retrieving encryption keys.

Alliance Key Manager is FIPS 140-2 compliant and in use by over 3,000 organizations worldwide. The solution is available in VMware, as a hardware security module (HSM), and in the cloud (Amazon Web Services, Microsoft Azure, and VMware vCloud). Townsend Security offers a 30-day, fully-functional evaluation of Alliance Key Manager.

• FIPS 140-2 and KMIP compliant enterprise key manager

• Available as an HSM, VMware, or in the cloud (AWS, Microsoft Azure)

• Affordably priced, with no restrictions on server connections or client side applications

• Meet compliance regulations like PCI DSS, HIPAA, GDPR, and more


ABOUT TOWNSEND SECURITY

Townsend Security creates data privacy solutions that help organizations meet evolving compliance requirements and mitigate the risk of data breaches and cyber-attacks. Over 3,000 organizations worldwide trust Townsend Security’s NIST and FIPS 140-2 compliant solutions to meet the encryption and key management requirements in PCI DSS, HIPAA/HITECH, FISMA, GLBA/FFIEC, SOX, GDPR and other regulatory compliance requirements.

CONTACT TOWNSEND SECURITY

www.townsendsecurity.com

@townsendsecure

724 Columbia Street NW, Suite 400

Olympia, WA 98501

360.359.4400

“Townsend is a full service security provider that remains on the cutting edge and has demonstrated exceptional customer service.” - CSU FRESNO