Garry McCracken, VP Technology at WinMagic, examines the pressing need for greater encryption in a world where hyper-converged infrastructures and virtualisation are becoming the norm, setting out the killer security issues and approaches IT departments need to consider.
In the good old days of highly fortified physical data centres, taking a belt-and-braces approach to data security was relatively straightforward.
For example, enabling Full Drive Encryption (FDE) on on-premises servers, in addition to encrypting selected files and directories, ensured that any drive leaving the data centre for repair or disposal was protected – eliminating the risk of customer data being exposed.
But in today’s world of hyper-converged infrastructures (HCIs) and virtualisation, workloads are virtual, dynamic, mobile, scalable and vulnerable, all of which makes maintaining data security a much more demanding proposition. Let’s explore why.
Making the Case for Securing Virtual Machines
The emergence of virtualisation and HCIs has changed the rules of the game, enabling IT teams to rapidly deploy mixed workload and virtual desktop integrated infrastructures across local or remote locations.
In this respect, the benefits of hyper-converged systems that combine compute, networking and management software in a single appliance that is essentially a ‘mini cloud in a box’ are hard to dispute.
But while HCI boxes are still kept on-premises, their workloads run in virtual machines (VMs) rather than directly on physical hardware, which means it is the VM and its data that now need protecting, rather than a specific physical box.
The killer security issue for IT teams is that VMs come up and go down frequently and often sit in a data-at-rest state. When a VM is down (at rest), it effectively becomes one big file that can be copied onto a memory stick or shared over the network, and that represents a significant data security issue.
The answer to this challenge is to encrypt the VM itself, ideally using in-guest encryption that’s independent of the hypervisor and with the key under control of the enterprise. This ensures that even when a VM is moved to another HCI node, say in a different geographic location or a public cloud, the enterprise still retains control of the data at all times.
Encrypting VMs for HCI – Counting the Advantages
Encrypting VMs for HCI delivers several benefits for the IT department and the wider enterprise. It provides a highly scalable approach in which protection resides with the enterprise’s data, and it can easily be extended to each new VM that’s spun up.
What’s more, VM-level encryption not only protects against lost or stolen physical drives, it also enables IT teams to inhibit unauthorised data movement, access or replication. And there are five further advantages to be gained from adopting the VM-level encryption approach:
#1 Continuous Protection
Unlike physical level protection, which leaves workloads decrypted (unprotected) when in-transit, VM-level encryption protects workloads persistently as these move, clone or snapshot across the enterprise infrastructure.
#2 Portable Protection
VM-level encryption eliminates the risk of lock-in to hardware, hypervisors or cloud providers, delivering completely portable protection that’s ideal for hybrid IT environments and workloads in-transit.
#3 Flexible Protection
IT departments can utilise VM-level encryption to encrypt sensitive workloads and run these securely alongside non-sensitive workloads, assigning different keys and policies to different VMs.
#4 Enhanced Governance
With VM-level encryption in place, IT teams can also enable boot-based policies that control who can access data, where data resides and how that data is protected.
#5 Ease of Termination
VM-level encryption also makes it possible to securely terminate individual workloads, once they are no longer needed, in a straightforward manner.
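The in-guest, enterprise-held-key model described above (one key per VM, ciphertext that stays protected wherever the image is copied, and termination of a workload by destroying its key) as an added illustration that is not part of the original article or of any WinMagic product: a toy Go key manager that seals a VM image under a per-VM AES-GCM key and leaves the at-rest file unrecoverable once that key is terminated. `KeyManager`, its methods and the VM identifiers are hypothetical names chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyManager stands in for an enterprise-held key server (hypothetical): one AES-GCM key per VM.
type KeyManager struct{ keys map[string]cipher.AEAD }

func NewKeyManager() *KeyManager { return &KeyManager{keys: map[string]cipher.AEAD{}} }

// Provision generates a fresh AES-256 key when a VM is spun up and wraps it as AES-GCM.
func (km *KeyManager) Provision(vmID string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return err
	}
	km.keys[vmID], err = cipher.NewGCM(block)
	return err
}
// Terminate destroys the VM's key: every at-rest copy of its image is left as unrecoverable ciphertext.
func (km *KeyManager) Terminate(vmID string) { delete(km.keys, vmID) }

// SealImage encrypts a VM image (a byte slice here) under that VM's key, with the VM ID bound as associated data.
func (km *KeyManager) SealImage(vmID string, image []byte) ([]byte, error) {
	g, ok := km.keys[vmID]
	if !ok {
		return nil, errors.New("no key held for VM " + vmID)
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, image, []byte(vmID)), nil // output is nonce || ciphertext || tag
}
// OpenImage decrypts a sealed image; it fails once the key is terminated, under another VM's key, or if the data was altered.
func (km *KeyManager) OpenImage(vmID string, sealed []byte) ([]byte, error) {
	g, ok := km.keys[vmID]
	if !ok || len(sealed) < g.NonceSize() {
		return nil, errors.New("no key held for VM " + vmID + ", or image is malformed")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], []byte(vmID))
}
```

A real deployment would keep the keys in a key server or HSM rather than in process memory, but the property shown is the same: whoever copies the at-rest file gets nothing without the enterprise-held key.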
Stringent new privacy legislation, such as the EU General Data Protection Regulation (GDPR), has raised the stakes with respect to how organisations process and store the personally identifiable information of EU citizens.
As a consequence, enterprises need to take appropriate steps to ensure that such sensitive data never appears in the public domain. But in a world where IT environments are becoming increasingly virtualised and hyper-converged, the attack surface is expanding significantly, which means securing the data itself has become a top priority.
The solution is to ensure protection resides within the data by utilising in-guest encryption with keys that remain under the control of the VM owner – the enterprise itself. As we’ve seen, VM-level encryption not only protects workloads wherever they may be within the enterprise infrastructure and beyond; it also delivers a significant number of additional advantages, including making it easy for IT departments to control all aspects of data security and ensuring that data can only be accessed by authorised users, even in the event that a cloud system is breached.