ENCRYPTION & KEY MANAGEMENT FOR VMWARE CLOUD … · 2020. 6. 25. · Certified VMware Cloud...
ENCRYPTION & KEY MANAGEMENT FOR VMWARE CLOUD PROVIDERS
THE DEFINITIVE GUIDE
Certified VMware Cloud Providers deliver a critical set of services and infrastructure to small and medium size organizations. They deploy, manage, secure, and backup the VMware environment for their end customers. That mix of expertise and cloud or hosting infrastructure positions them to fill an important role in the IT services industry. Customers are rightly concerned about the security of their sensitive information in VMware Virtual Machines (VMs) and Virtual SAN (vSAN) and want to be sure that this information is encrypted. The VMware platform provides the ability to encrypt VMs and vSAN, but needs the addition of an Enterprise Key Management System (KMS) to protect the encryption keys. The following sections describe the encryption implementation of VMware, the mechanism for protecting encryption keys, and the unique business challenges facing VMware Cloud Providers.
CONTENTS
Introduction 4
VMware Cloud Providers 5
VMware Encryption 6
Industry Standards 9
Customers, Clients, and Business Secrets 10
Business Continuity 12
VMware Cloud Providers & Encryption Key Management 13
Cloud Provider Partner Program 14
Alliance Key Manager 15
About Townsend Security 16
INTRODUCTION
The VMware story began in 1998 when five forward-thinking technologists launched an innovative virtualized computing solution. Shortly thereafter, it was the first commercially successful company to virtualize x86 architecture. Today VMware is the recognized leader in on-premise computing virtualization. VMware’s applications extend across management, networking, monitoring, administration and security. VMware’s enterprise software hypervisor for servers, VMware ESXi, is a bare-metal hypervisor that runs directly on server hardware without needing an additional underlying OS. Organizations have achieved immense cost, security and administrative benefits through the deployment of VMware for their IT infrastructure.

While the benefits of VMware are undeniable, the proper deployment and management of VMware requires specialized expertise. While reducing the overall cost of IT hardware through virtualization, there remains the need for hardware and data center investment. VMware Cloud Providers are helping customers in both areas - providing expertise and hosted data center infrastructure.
VMWARE CLOUD PROVIDERS
VMware Cloud Providers are specialized partners in the VMware partner ecosystem. Not only do they bring expertise to the deployment and management of VMware in hosted and cloud environments, but they maintain a special partner relationship with VMware that involves certification and the ability to cost-effectively license VMware platforms. This special relationship as a VMware partner must be revalidated on a periodic basis, and this helps build confidence by end customers in their services. You can find the Certified VMware Cloud Providers on the VMware website.

While the number of VMware partners is quite large, only about 180 VMware partners have achieved VMware Cloud Verified status. You will find both small, regional partners as well as global partners.
VMWARE ENCRYPTION
VMware vSphere encryption was first introduced in vSphere 6.5 and vSAN 6.6, enabling encryption of virtual machines (VMs) and disk storage (vSAN). It only requires the vCenter vSphere Server, a third-party Key Management Server (KMS), and ESXi hosts to work. It implements standards-based AES encryption, uses the open KMIP standard for the key management interface, is highly performant, and is easy to deploy.

In our increasingly insecure cyber world, VMware understands the critical nature of robust security solutions, including encryption capabilities. We need strong encryption and key management solutions that run natively in our virtual environments to meet compliance regulations and security best practices.

The implementation of VMware encryption and the key management interface now spans several releases of VMware and has earned the trust of customers and partners. If you’d like to first learn the fundamentals of encryption and key management before diving in, please view The Definitive Guide to Encryption Key Management Fundamentals.
ENCRYPTION OF VIRTUAL MACHINES (VMS) AND BEST PRACTICES FOR VMWARE CLOUD PROVIDERS
With vSphere 6.5 and above, you can encrypt your customer VMs to help protect sensitive data-at-rest and to meet compliance regulations. vSphere encryption allows you to encrypt existing virtual machines as well as encrypt new VMs right out of the box. Additionally, vSphere VM encryption not only protects your virtual machine but can also encrypt your other associated files. Organizations typically have mission-critical information in VMs. This means that getting encryption and key management right the first time is paramount.

VMware provides excellent documentation on the configuration, deployment and best practices for encryption. Here are a few highlights of best practices as you deploy encryption for your customers:
• Do not encrypt any vCenter Server Appliance VMs. These are vital to the functioning of VMware and should never be encrypted.
• Do not edit VMX files or VMDK descriptor files, as they contain the encryption bundle information. Any changes may make the VM unrecoverable.
• Always designate a high availability failover key manager in your KMS cluster. If your primary key server goes down with no failover key server in place, your encrypted VMs cannot be decrypted until the key server is recovered.
• Once you name your key management server (KMS) cluster, do not rename it. If you change the name of the KMS cluster, the ESXi host will be unable to find the KMS, and a VM that is encrypted with a key encryption key (KEK) from that KMS cannot be decrypted.
• Once you encrypt a virtual machine, you cannot relocate the VM to a host that does not have the key ID information. Only an ESXi host with the key ID information for that VM can properly locate the encryption key for decryption.

At Townsend Security, we provide additional technical support and guidance to our VMware Cloud Provider partners to ensure successful deployments of encrypted VMs.
ENCRYPTION OF VIRTUAL STORAGE (VSAN) AND BEST PRACTICES FOR VMWARE CLOUD PROVIDERS
VMware’s Virtual SAN (vSAN) is powerful hyper-converged infrastructure that offers you greater performance and high scalability. vSAN encryption is easy to deploy but does have a few best practices in order to avoid interruption of service. Before you begin your vSAN encryption project, consider these VMware best practices:
• Do not deploy your KMS server on the same vSAN datastore that you are encrypting. This will encrypt your key managers and in some cases render them useless in recovery scenarios.
• Do not attempt to encrypt your witness hosts, as they do not contain any sensitive data. They only contain metadata concerning other vSAN clusters and do not need to be encrypted.
• Encryption can be CPU intensive. For vSAN encryption on Intel hardware, make sure AES-NI is enabled in BIOS. It can significantly improve encryption performance.
• You should ensure that your core dumps are encrypted. They can contain sensitive information such as encryption keys.
• When you decrypt a core dump, you should handle it as if it contains sensitive information. Core dumps may contain encryption keys for the vSAN host and/or the data on it.

One way that our VMware Cloud Provider partners are helping their customers protect data is to deploy common commercial and open source databases on encrypted vSAN storage. PostgreSQL, MariaDB, MongoDB Community Edition, Oracle Database and many others can be secured at rest using encrypted vSAN, and VMware provides excellent guidance on how to do this. Using encrypted vSAN for your databases can help your customers avoid expensive software upgrades.
ENCRYPTION THROUGH VIRTUAL TRUSTED PLATFORM MODULE (VTPM)
Operating systems like Microsoft Windows and others have implemented support for the Trusted Platform Module (TPM). TPM provides additional security to the operating system encryption support by protecting the master encryption key in the underlying hardware. While TPM works well in traditional server settings, it does not work well in a VMware virtualized environment. One of the benefits of VMware is independence from the underlying hardware, and the ability to move workloads across hardware servers, remote nodes and the cloud. VMware has solved the problem with Virtual TPM (vTPM). VMware customers can now deploy vTPM from VMware and get encryption key protection through the same vSphere KMS Cluster configuration used to protect VMs and vSAN.

Because support for encrypted VMs is easy and scalable, VMware Cloud Providers rarely need to deploy vTPM. However, if an end customer wants vTPM protection, it is available and fully supported through the vSphere KMS Cluster configuration.
PRODUCT APPLICABILITY GUIDE FOR PCI DSS: Working with Coalfire, a PCI-qualified QSA assessor and independent IT audit firm, we have released our PCI DSS Product Applicability Guide (Townsend Security Addendum to VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.0, April 2015, v1.0).
VMware users are concerned with the implementation of encryption and key management.

AES ENCRYPTION
One important standard is from the National Institute of Standards and Technology (NIST): NIST FIPS-197, which defines and validates AES encryption. Why is verifying that your data is secured with AES encryption important? AES is an internationally recognized standard for encryption, and VMware has validated its encryption to this standard. All major compliance regulations recognize AES encryption for protecting sensitive data.
ENCRYPTION KEY MANAGEMENT
FIPS 140-2 certification ensures that the key management software has been tested by third parties to meet the highest standards in key management technology, so you can establish strong key management. For VMware customers, FIPS 140-2 compliant encryption and key management are a key defense for data security. Proper key management is required to implement VMware encryption.
INDUSTRY STANDARDS
KMIP
VMware allows users to manage encryption keys using a third-party key management vendor through a standard key management protocol called Key Management Interoperability Protocol, or KMIP. All of VMware’s KMS certification tests contained in KMS plug-ins verify that the vendor’s KMIP KMS works with the vSphere VM encryption feature and encrypted vSAN virtual disks. Testing consists of verifying the correct behavior of a KMS and ensuring that it does not introduce undesirable impacts on the operation of the system.
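The following is an added illustration, not VMware's or any KMS vendor's code, of two points on this page: the KMIP wire format just described, and the VM-encryption best practice of always having a failover key server in the KMS cluster. It encodes a KMIP 1.x Get request in the protocol's TTLV (tag, type, length, value) form, decodes the response, and retrieves a key-encryption key from a cluster by trying each member in order. The servers are in-process fakes constructed for the example, the key identifier and key bytes are made up, and only the handful of tags and types a Get needs is included.

```python
import struct

# KMIP 1.x tag values from the specification's tag table; only the subset a Get needs.
TAG = {
    "RequestMessage": 0x420078, "RequestHeader": 0x420077, "RequestPayload": 0x420079,
    "ResponseMessage": 0x42007B, "ResponseHeader": 0x42007A, "ResponsePayload": 0x42007C,
    "ProtocolVersion": 0x420069, "ProtocolVersionMajor": 0x42006A, "ProtocolVersionMinor": 0x42006B,
    "BatchCount": 0x42000D, "BatchItem": 0x42000F, "Operation": 0x42005C, "ResultStatus": 0x42007F,
    "UniqueIdentifier": 0x420094, "KeyBlock": 0x420040, "KeyValue": 0x420045, "KeyMaterial": 0x420043,
}
NAME = {v: k for k, v in TAG.items()}
STRUCT, INTEGER, ENUM, TEXT, BYTES = 0x01, 0x02, 0x05, 0x07, 0x08  # TTLV item types
OP_GET, STATUS_SUCCESS, STATUS_FAILED = 0x0A, 0, 1
_ENCODE = {STRUCT: b"".join, INTEGER: lambda v: struct.pack(">i", v), ENUM: lambda v: struct.pack(">I", v),
           TEXT: lambda v: v.encode("utf-8"), BYTES: bytes}
_DECODE = {INTEGER: lambda r: struct.unpack(">i", r)[0], ENUM: lambda r: struct.unpack(">I", r)[0],
           TEXT: lambda r: r.decode("utf-8"), BYTES: bytes}

def ttlv(tag, typ, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte big-endian length, value zero-padded to 8."""
    body = _ENCODE[typ](value)  # a Structure's value is its already-encoded children
    return TAG[tag].to_bytes(3, "big") + bytes([typ]) + struct.pack(">I", len(body)) + body + b"\x00" * (-len(body) % 8)

def parse(buf, pos=0, end=None):
    """Decode TTLV bytes into [(tag name, value)] pairs; Structures nest as lists."""
    end = len(buf) if end is None else end
    items = []
    while pos < end:
        tag, typ = int.from_bytes(buf[pos:pos + 3], "big"), buf[pos + 3]
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        raw = buf[pos + 8:pos + 8 + length]
        value = parse(buf, pos + 8, pos + 8 + length) if typ == STRUCT else _DECODE[typ](raw)
        items.append((NAME.get(tag, tag), value))
        pos += 8 + length + (-length % 8)  # skip the value plus its padding
    return items

def find(items, name):
    """Depth-first lookup of the first value carrying the given tag name (None if absent)."""
    for tag, value in items:
        if tag == name:
            return value
        if isinstance(value, list):
            hit = find(value, name)
            if hit is not None:
                return hit
    return None

def get_request(key_uid):
    """Build a KMIP Get request (protocol 1.1, one batch item) for a key by Unique Identifier."""
    header = ttlv("RequestHeader", STRUCT, [
        ttlv("ProtocolVersion", STRUCT, [ttlv("ProtocolVersionMajor", INTEGER, 1),
                                         ttlv("ProtocolVersionMinor", INTEGER, 1)]),
        ttlv("BatchCount", INTEGER, 1)])
    item = ttlv("BatchItem", STRUCT, [
        ttlv("Operation", ENUM, OP_GET),
        ttlv("RequestPayload", STRUCT, [ttlv("UniqueIdentifier", TEXT, key_uid)])])
    return ttlv("RequestMessage", STRUCT, [header, item])

def kms_handle(server, request):
    """In-process stand-in for one KMIP server (constructed for this example, not a real KMS).
    server is a dict: {"name": ..., "keys": {uid: key bytes}, "up": bool}."""
    if not server["up"]:
        raise ConnectionError(f"{server['name']} unreachable")
    req = parse(request)
    uid = find(req, "UniqueIdentifier")
    ok = find(req, "Operation") == OP_GET and uid in server["keys"]
    payload = [] if not ok else [
        ttlv("UniqueIdentifier", TEXT, uid),
        ttlv("KeyBlock", STRUCT, [ttlv("KeyValue", STRUCT, [ttlv("KeyMaterial", BYTES, server["keys"][uid])])])]
    item = ttlv("BatchItem", STRUCT, [
        ttlv("Operation", ENUM, OP_GET),
        ttlv("ResultStatus", ENUM, STATUS_SUCCESS if ok else STATUS_FAILED),
        ttlv("ResponsePayload", STRUCT, payload)])
    return ttlv("ResponseMessage", STRUCT, [ttlv("ResponseHeader", STRUCT, [ttlv("BatchCount", INTEGER, 1)]), item])

def fetch_key(cluster, key_uid):
    """Ask each KMS in the cluster in order; the first reachable one holding the key wins.
    If none can serve it, every VM encrypted under that key stays locked: the outage the
    best-practice list above warns about."""
    errors = []
    for server in cluster:
        try:
            resp = parse(kms_handle(server, get_request(key_uid)))
        except ConnectionError as exc:
            errors.append(str(exc))
            continue
        if find(resp, "ResultStatus") == STATUS_SUCCESS:
            return server["name"], find(resp, "KeyMaterial")
        errors.append(f"{server['name']}: key {key_uid!r} not found")
    raise RuntimeError("no KMS in the cluster could serve the key: " + "; ".join(errors))

# Constructed sample data: made-up key ID and key bytes; primary down, failover member healthy.
KEK = bytes(range(32))
CLUSTER = [{"name": "kms-primary", "keys": {"vm-kek-0001": KEK}, "up": False},
           {"name": "kms-failover", "keys": {"vm-kek-0001": KEK}, "up": True}]
SINGLE = [{"name": "kms-only", "keys": {"vm-kek-0001": KEK}, "up": False}]  # no failover member
```

With the primary marked unreachable, `fetch_key(CLUSTER, "vm-kek-0001")` still returns the key, served by the failover member. With `SINGLE`, a cluster whose only server is down, it raises, which in a real deployment is the state in which ESXi hosts cannot unlock the encrypted VMs until the KMS is restored. The TTLV encoder and parser are the same code for requests and responses, which is the property that makes KMIP interoperable across vendors: every item, however nested, has the same 8-byte header and 8-byte alignment.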
CUSTOMERS, COMPLIANCE, & BUSINESS SECRETS
VMware partner end customers are concerned with protecting sensitive business secrets and meeting compliance regulations. Here are a few of those regulations that are of concern:

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
The Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH) outline data security regulations for the healthcare industry. While HIPAA/HITECH does not specifically require encryption of sensitive data, a backdoor “safe harbor” mandate states that if a healthcare organization or one of its Business Associates (BA) does experience a data breach, and Protected Health Information (PHI) is not obscured using encryption or some other method, then that organization will be heavily penalized.

Organizations can reduce the complexity and cost of HIPAA Security Rule compliance by replacing traditional non-integrated products with integrated solutions. To further address this gap, VMware, together with the VMware partner ecosystem, delivers compliance-oriented integrated solutions, enabling compliance by automating the deployment, provisioning, and operation of regulated environments. In this way, VMware provides the solution reference architecture, HIPAA Security Rule specific guidance, and software solutions that businesses require to achieve continuous compliance, along with speed, efficiency, and agility for their applications.

CALIFORNIA CONSUMER PRIVACY ACT (CCPA)
If your end customers collect data on people or households who are in California, and meet the minimum criteria, and are not explicitly excluded, they must meet the requirements of the new law. Notice, this does not just apply to “California citizens”, but people who are in the state at the time of data collection. You are not exempt if your organization resides outside of California. If your customer collects data on people in California, they should assume they are covered by the law. Under the CCPA the only way to provide protection against class action lawsuits is to encrypt your sensitive data and to use proper encryption key management.
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)
VMware meets the standards of the PCI DSS, which was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. For VMware users who need to meet compliance, Alliance Key Manager has been validated for PCI DSS in VMware by Coalfire, a PCI-qualified QSA assessor and independent IT audit firm. Additionally, Alliance Key Manager for VMware can also help businesses meet other compliance regulations such as CCPA, HIPAA, GLBA/FFIEC, FISMA, etc.

VMWARE AND GDPR
In response to escalating external and internal threats and uncertainty, lawmakers and regulators around the world have been strengthening their data security compliance requirements, implementing new legal frameworks and levying higher noncompliance penalties. This places organizations at tremendous risk for compliance violations, along with the resulting fines and remediation costs. On May 25th, 2018, the European Union made securing citizens’ data an even bigger challenge for companies doing business that involves handling their citizens’ data. That was launch day for the new European Union General Data Protection Regulation (GDPR).

Encryption and key management can help meet GDPR’s privacy requirements, as well as citizens’ right of erasure (right to be forgotten). While the EU does not mandate that all organizations encrypt sensitive data, there is an exclusion from data subject breach notification and financial penalties for those organizations that use encryption and other security methods to protect the data. Thanks to VMware’s wide-ranging focus on security, implementing encryption and key management tools will help users meet requirements for GDPR.
“When you leave the keys to unlock your sensitive business and customer data exposed, then you expose your entire organization to the risk of data loss or theft.”
BUSINESS CONTINUITY
One of the key values that VMware Cloud Providers bring to their customers is a reliable and resilient infrastructure to protect their customers’ ongoing operations. VMware infrastructure is crucial to this effort and provides world-class business continuity. This includes support for encrypted VMs that may move across multiple vCenter nodes. VMware partners know that a reliable and resilient key management solution is also critical to this effort. A key management solution should be able to meet or exceed customer expectations for business continuity. VMware Cloud Providers need to be able to deploy a key management solution that provides real-time failover and integrates with vSphere KMS Cluster configurations.
VMWARE CLOUD PROVIDERS & ENCRYPTION KEY MANAGEMENT
As the landscape for delivering VMware services rapidly changes to a new usage model, VMware partners find themselves struggling with traditional key management infrastructure. Legacy key management systems involve fixed up-front costs, annual maintenance and support contracts, complex and rigid deployment tasks, and inflexible infrastructure. This makes it difficult for VMware Cloud Providers to manage costs across a growing number of customers and to scale their businesses effectively.

Further adding to the pain is the difficulty of managing complex customer relationships that span on-premise, hosted, and cloud environments. Trying to deploy a key management solution that bridges the customer on-premise VMware environment with the VMware partner’s cloud platform again involves complex and expensive licensing costs. The KMS industry has failed to keep up with this new paradigm for delivering VMware services.
VMWARE CLOUD PROVIDER PARTNER PROGRAM
The Townsend Security VMware Cloud Provider partner program is designed to match the partner’s business model with usage-based key management and flexible deployment options that eliminate licensing headaches and empower the VMware Cloud Provider to scale their business. There are no upfront costs or annual fees, no annual minimum license fees, and no restrictions on KMS deployment in the cloud or on customer premises. Townsend Security works with partners to design and implement a pricing plan that matches the way they do business. The result is a highly scalable and predictable deployment of VMware encryption and key management with no administrative overhead.

VMware Cloud Providers also benefit from the ongoing certification of Townsend Security’s Alliance Key Manager with VMware to ensure customer confidence and easy integration. The VMware Cloud Provider benefits from the advanced security posture and certifications of Alliance Key Manager in a variety of compliance environments.

Townsend Security provides key management technology, no-cost training, 24/7 technical support, and an easy partner program with no unpleasant surprises. It is easy to get started here.
“A very cost effective solution in terms of performance, manageability, security, and availability. As a result, my company was quickly able to implement full database encryption leveraging the AKM as our key management solution in weeks. Comparable solutions could have taken months.” - CERTAIN
ALLIANCE KEY MANAGER
Townsend Security is helping VMware customers secure their sensitive data with Alliance Key Manager. The solution offers unparalleled security, flexibility and affordability for all users of VMware. With no client-side software to install, customers can deploy Alliance Key Manager and easily begin retrieving encryption keys.

Alliance Key Manager is FIPS 140-2 compliant and in use by over 3,000 organizations worldwide. The solution is available in VMware, as a hardware security module (HSM), and in the cloud (Amazon Web Services, Microsoft Azure, and VMware vCloud). Townsend Security offers a 30-day, fully-functional evaluation of Alliance Key Manager.

• FIPS 140-2 and KMIP compliant enterprise key manager
• Available as an HSM, VMware, or in the cloud (AWS, Microsoft Azure)
• Affordably priced, with no restrictions on server connections or client side applications
• Meet compliance regulations like PCI DSS, HIPAA, GDPR, and more
ABOUT TOWNSEND SECURITY
Townsend Security creates data privacy solutions that help organizations meet evolving compliance requirements and mitigate the risk of data breaches and cyber-attacks. Over 3,000 organizations worldwide trust Townsend Security’s NIST and FIPS 140-2 compliant solutions to meet the encryption and key management requirements in PCI DSS, HIPAA/HITECH, FISMA, GLBA/FFIEC, SOX, GDPR and other regulatory compliance requirements.

CONTACT TOWNSEND SECURITY
www.townsendsecurity.com
@townsendsecure
724 Columbia Street NW, Suite 400
Olympia, WA 98501
360.359.4400

“Townsend is a full service security provider that remains on the cutting edge and has demonstrated exceptional customer service.” - CSU FRESNO