How to Protecting Sensitive Data in Virtual Environments

The data center transformation to software-defined technologies started with virtualization of compute resources, and today has emerged to hyper-convergence of compute/storage.

The use of encryption has been an important approach in protecting sensitive information both at rest in organizations and as it is transmitted. Now, new approaches allow encryption to be delivered as a service, suitable for cloud use, at the cloud scale.

There are many challenges around protecting private data in virtual environments, and they include the fact that virtualized environments have many copies of the same data and leverage deduplication technologies for efficiency.

Encryption performed in the virtual machine (VM) may reduce deduplication efficiency. In addition, some solutions perform encryption in the storage layer at the drive-level. While this protects against physical theft, it does not protect against a rogue administrator cloning a virtual machine.

Finally, traditional key management interoperability protocol (KMIP)-based solutions are implemented in software, leaving them insecure to rogue root users and malware.

Virtualization and Encryption

Software-defined transformation of the data center started with virtualization of compute and then hyper-convergence of compute/storage. The use of encryption to protect sensitive data in virtual environments presented some challenges:

  1. Virtualized environments have many copies of the same data and leverage deduplication technologies for efficiency. If encryption is performed in the virtual machine (VM), the data is no longer similar, and this reduces deduplication efficiency.
  2. Some solutions perform encryption in the storage layer such as Self-Encrypting Drives (SEDs). While this protects against physical theft, it does not protect against a rogue administrator from cloning a virtual machine.
  3. Key management is often the Achilles heel. The choice of KMIP-based key management solutions is largely limited to virtual appliances or software solutions that are vulnerable to exploits. Hardware appliances lack the scalability and usability needs of a dynamic virtualized environment.

VMware’s introduction of native encryption capabilities in vSphere 6.5 with vSphere VM Encryption and vSAN 6.6 with data at rest encryption was designed to address challenges #1 and #2.

Fortanix SDKMS for VMware now addresses the last barrier #3 with a secure enterprise-wide key management solution. SDKMS offers easy integration via KMIP Interface with vSphere VM encryption and vSAN encryption to protect VMs and data at rest.

SDKMS Benefits for VMware Encryption

Let’s review 3 unique benefits of SDKMS for encryption in VMware environments.

SDKMS for vSphere VM Encryption and SDKMS for vSAN Encryption

New approaches for encryption protection in VMware environments
New technologies are available that offer easy integration using KMIP with vSphere VM encryption and vSAN encryption to deliver hardware security module (HSM) level of protection for VMs and data at rest. HSM-as-a-service (HSMaaS) is new approach that makes it easy to adopt an encryption strategy with VMs while mitigating the shortcomings found with traditional HSMs in virtual environments.

1.Software-Defined, Hardware-Secured

Historically, secure key management required a Hardware Security Module (HSM). Legacy HSMs with proprietary hardware however are a misfit in a virtualized data center. They also do not support KMIP. Organizations requiring secure key management would need both a key management solution that supports KMIP and an HSM. More often than not, organizations would trade-off security due to the cost / complexity of HSMs and settle for software only key management solutions.

SSDKMS now extends the benefits of secure key management without compromise to VMware environments. It delivers unified HSM and key management capabilities with the operational simplicity of a single solution. Secured with Runtime Encryption® and Intel® SGX, SDKMS ensures that you remain in complete control of your keys and secrets. Encryption keys remain protected even if attackers have physical access or root credentials to the key management server. Fortanix delivers security with standard x86 systems much like VMware did for virtualization.

SDKMS supports a broad range of cryptographic interfaces including KMIP for easy integration with VMware vSphere VM and vSAN encryption. SDKMS can be easily configured via vCenter and supports all operations including rekey. In addition, SDKMS’ centralized web-based UI provides comprehensive encryption key visibility and control for multiple VMware clusters, large or small, private or public.

2.Scalability and Availability

VMware continues to enhance the scale limits of compute and storage in a cluster as well as the number of clusters that can be managed by vCenter. Given that turning on encryption is now a checkbox, scalability of a secure key management solution is an important requirement. Fortanix SDKMS starts with supporting millions of keys and can scale-out horizontally or geographically as demand grows.


SDKMS Multi-Site Deployment

Availability of a key management system (KMS) is also critical when using encryption, as it impacts data access. Even though VMware supports redundant KMS configurations, HA for legacy HSMs requires considerable topology design, setup, maintenance and operational overhead such as specifying order of KMS configuration. If your environment has multiple VMware clusters across multiple sites, then this complexity is magnified.

SDKMS has built-in and automated high availability and load balancing, all you need to do is configure a SDKMS cluster as a KMS in vCenter. The always-on HA and load-balancing paradigm is conceptually similar to VMware vMotion and DRS capabilities. SDKMS eliminates operational complexity, enabling it to easily scale to multiple sites and serve hybrid cloud deployments. The solution can be consumed as on-premises appliance/software or as SaaS with our partner solution Equinix SmartKey, powered by Fortanix.

3.Cost Effective Consumption

While VMware has made it easy to enable encryption, its adoption is typically constrained due to challenges in enterprise wide key management. These challenges include not only security and complexity but also cost.

We already reviewed some of the operational costs associated with HSMs and key management. But one of the hidden costs associated with key management solutions has been license costs based on the number of connections. While KMS configuration is performed through vCenter, the hosts directly communicate with the KMS server and keys are transferred via KMIP.

Enterprises typically have multiple clusters each with multiple hosts in the data center. Edge or ROBO deployments may have 100s of small clusters. With traditional key management solutions, this typically requires several costly KMIP client license connectors.

As we reviewed in this blog earlier, SDKMS delivers a transparent predictable consumption model much like the utility-based consumption model prevalent in virtualization and cloud environments. SDKMS delivers the most cost-effective secure key management solution for VMware environments period! SDKMS does not require additional license charges for connectors, leaving you with complete flexibility in protecting your VMware clusters, hosts and data stores.

Accelerating Data Protection and Compliance

We are very excited about this jointsolution that accelerates data protection and compliance for our customers’ VMware virtual environments. In the coming weeks and months, we will further extend SDKMS’ benefits to the enterprise with various KMIP-compliant solutions, including storage devices, hyper-converged infrastructure, databases, security gateways and more.