Protecting Private Data in Virtual Environments with New Encryption Approaches

The data center transformation to software-defined technologies started with virtualization of compute resources, and has since progressed to hyper-convergence of compute and storage.

The use of encryption has been an important approach to protecting sensitive information, both at rest in organizations and as it is transmitted. Now, new approaches allow encryption to be delivered as a service, suitable for cloud use, at cloud scale.

There are many challenges around protecting private data in virtual environments, and they include the fact that virtualized environments have many copies of the same data and leverage deduplication technologies for efficiency.

Encryption performed in the virtual machine (VM) may reduce deduplication efficiency. In addition, some solutions perform encryption in the storage layer at the drive level. While this protects against physical theft, it does not protect against a rogue administrator cloning a virtual machine.
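An added illustration (not part of the original article) of why in-guest encryption reduces deduplication: cloned VMs share identical blocks in plaintext, but once each guest encrypts under its own key the storage layer sees unrelated blocks. The 4 KiB block size, the function names and the SHA-256 counter-mode keystream (a stand-in for a real cipher such as AES) are assumptions of this sketch.

```python
import hashlib
import os

BLOCK = 4096  # dedup chunk size assumed for this illustration


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode); not for production use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def dedup_ratio(volumes: list[bytes]) -> float:
    """Logical blocks divided by unique blocks, as a fixed-block dedup engine counts them."""
    total, unique = 0, set()
    for vol in volumes:
        for off in range(0, len(vol), BLOCK):
            total += 1
            unique.add(hashlib.sha256(vol[off:off + BLOCK]).digest())
    return total / len(unique)


def simulate(n_vms: int = 4, blocks: int = 16) -> tuple[float, float]:
    """Return (plaintext ratio, in-guest-encrypted ratio) for n_vms clones."""
    # Constructed sample: every VM is a clone of one golden image.
    golden = os.urandom(BLOCK * blocks)
    plain = [golden] * n_vms
    # In-guest encryption: each VM uses its own key and nonce, so identical
    # plaintext blocks reach shared storage as unrelated ciphertext.
    encrypted = [
        keystream_xor(os.urandom(32), os.urandom(16), golden)
        for _ in range(n_vms)
    ]
    return dedup_ratio(plain), dedup_ratio(encrypted)


if __name__ == "__main__":
    before, after = simulate()
    print(f"dedup ratio, plaintext clones:   {before:.1f}:1")
    print(f"dedup ratio, in-guest encrypted: {after:.1f}:1")
```
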

Finally, traditional Key Management Interoperability Protocol (KMIP)-based solutions are implemented in software, leaving them exposed to rogue root users and malware.

VMware’s introduction of native encryption in vSphere 6.5 with vSphere VM Encryption and vSAN 6.6 with data at rest encryption was designed to address the first two challenges listed above. But until recently, no solutions were available to adequately address the last barrier to encryption in virtual environments.

New approaches for encryption protection in VMware environments
New technologies are available that offer easy integration using KMIP with vSphere VM encryption and vSAN encryption to deliver hardware security module (HSM)-level protection for VMs and data at rest. HSM-as-a-service (HSMaaS) is a new approach that makes it easy to adopt an encryption strategy with VMs while mitigating the shortcomings found with traditional HSMs in virtual environments.

While HSMaaS has long been a desirable goal, the fundamental building blocks were not easily available. Relying on physical tamper switches, as traditional HSMs do, always required manual oversight and introduced the operational headaches associated with HSMs.

Intel SGX (Intel Software Guard Extensions) offers a new set of instructions that, when combined with additional side-channel resistance logic, makes it possible to offer certain privacy and security guarantees in virtual environments. This makes it an ideal platform for building HSMaaS offerings in virtual environments that combine cloud-native scale with hardware-level security.

This new approach offers some unique benefits for encryption in VMware environments, including:

1) Software-Defined, Hardware-Secured Protection – Traditional HSMs with proprietary hardware are a misfit in a virtualized data center because they support only a limited number of client applications. They also do not support KMIP. Organizations requiring secure key management would need both a key management solution that supports KMIP and an HSM, which is both expensive and complex to operate. Organizations typically give up on HSM security and settle for software-only key management solutions that are less secure.

HSMaaS delivers unified HSM and key management capabilities with the operational simplicity of a single solution. These new approaches ensure that organizations remain in complete control of keys and private data. Encryption keys remain protected even if attackers have physical access or root credentials to the key management server, since the data remains encrypted.

2) Predictable cost – One of the driving factors for cloud and VP adoption is for organizations to have control of their IT spend. Traditional HSMs become more expensive as more client applications connect. This is problematic for organizations with an increasing footprint, but it becomes prohibitively expensive for container ecosystems due to their transient nature. Edge or ROBO deployments may have hundreds of small clusters, and with traditional key management solutions, this typically requires several costly KMIP client license connectors. Oftentimes, organizations are shocked to discover the true cost of encryption ownership.

Advanced HSMaaS solutions deliver a transparent, predictable consumption model, similar to the utility-based consumption model seen in virtualization and cloud environments. These approaches deliver a cost-effective secure key management solution for VMware environments and do not require additional license charges for connectors.

3) Scalability and Availability – VMware continues to enhance the scale limits of compute and storage in a cluster, as well as the number of clusters that can be managed by vCenter. As such, scalability of a secure key management solution is an important requirement. 

In addition, availability of a key management system for virtual environments is also critical when using encryption since it impacts data access. Even though VMware supports redundant KMS configurations, high availability (HA) for traditional HSMs requires considerable topology design, setup, maintenance and operational overhead, including specifying the order of KMS configuration. If an organization has multiple VMware clusters across multiple sites, then this complexity is magnified.

HSMaaS approaches have built-in and automated high availability and load balancing. The always-on HA and load balancing are conceptually similar to VMware vMotion and DRS capabilities. These new technologies eliminate operational complexity and additional licensing cost.

Accelerating Data Protection and Compliance
New HSMaaS approaches accelerate data protection and compliance for VMware virtual environments. These approaches deliver HSM encryption security without cost and complexity, resulting in complete flexibility in protecting VMware clusters, hosts and data stores.
