Townsend Stores Encryption Keys in the Cloud
October 22, 2013 Alex Woodie
The cloud keeps getting more secure every day. And now, Townsend Security–a vendor that knows a thing or two about how to do security right–even wants to store the encryption keys for your cloud-based applications in a hardware security module (HSM) that itself lives in the cloud.
Finding a safe place to store encryption keys is an important, but sometimes overlooked, aspect of good security management. If you lose those encryption keys or they’re stolen, your data is gone for good. Your encryption software vendor doesn’t have a “skeleton” key to recover the data, and it’s doubtful the National Security Agency (which probably does have a backdoor) will help you out.
So, where should you put the keys? You should never, ever store the encryption keys on the same server that holds the encrypted data–that’s just bad form. Many firms actually lock their keys in physical safes that only the CEO, COO, or other officers can open. Other firms choose to use something like Townsend’s HSM, which is a hardened X64 server specifically designed to run Townsend’s Alliance Key Manager product to store and protect encryption keys.
With last week’s announcement, Townsend is giving customers one more option: an HSM equipped with Alliance Key Manager living in the cloud, which eliminates the need for customers to manage yet one more X64 server.
Currently, Townsend’s Alliance Key Manager Hosted HSM option only works with applications that already live in the cloud. The offering supports the big cloud providers, including Amazon Web Services, Microsoft Windows Azure, Rackspace, Hosting.com, and IBM’s SmartCloud.
Townsend’s customers maintain full control over the entire lifecycle of their keys. The cloud-based HSM is replicated in a high-availability, geographically separated manner, ensuring continuity of the keys in the event of a disaster. And if a customer wants to move their apps from, say, Amazon AWS to Hosting.com, the keys will support that migration, as opposed to becoming another headache in the migration process.
The big question, of course, is whether the cloud is a safe enough place for an HSM. The Alliance Key Manager and the HSM are FIPS 140-2 certified, which means they’ve been deemed safe enough for the Federal Government to use. According to Townsend, the cloud HSM offering is deployed in an ITIL environment that’s validated for PCI DSS and SOC compliance.
“The top concern of enterprises moving to the cloud is data protection, and encryption key management is the cornerstone of a data protection strategy,” said Patrick Townsend, founder and CEO of Townsend Security. “Cloud users and cloud providers now have an option for affordable encryption key management that is NIST FIPS 140-2 compliant and fully under their control.”
(You may have noticed that Patrick Townsend is once again at the helm of the company that he founded and that bears his name. Joan Ross, who was hired earlier this year to lead Townsend and was CEO for about two months, is no longer with the company. Townsend has not elaborated on why the two parties parted ways.)
Townsend Security is waiving the setup fees associated with deploying the Alliance Key Manager Hosted HSM offering through the end of the year. For more information see www.townsendsecurity.com.