Bringing Smart Encryption Management to Virtual Machines
Securing Virtual Environments Shouldn’t be an Afterthought
Portability, versatility, efficiency, and cost effectiveness — these are just a few of the advantages of moving to virtualized environments. Virtualization allows enterprises to shift datacenters full of equipment down to a just a few servers. A smaller footprint means less power consumption, lowered cost of ownership, and less overhead. Too often, though, enterprises neglect security when it comes to implementing virtualization. Securing virtual environments has become an afterthought.
Newly-introduced capabilities from VMware, however, allow easy encryption of VMs with just a few clicks directly from the management console. Through VMware vSphere 6.5, virtual machines sitting on the disk (data-at-rest) or moving VMs between hosts (data-in-motion with vMotion) are now able to be encrypted. VMware vSphere 6.5 allows you to encrypt the home folder (containing sensitive configuration information) and the virtual machine disk (VMDK file) with the same key, or even separate keys, with ease.
Encryption Key Management Made Simple
Let’s say for a moment that you are a large enterprise with hundreds or thousands of virtualized servers. You were smart and decided to use VMware for your virtualization needs. How do you manage all of these keys? VMware, along with Fornetix Key Orchestration, has you covered. Key management functions are performed via a seamless and secure process that uses the industry standard Key Management Interoperability Protocol (KMIP):
- When a new or existing virtual machine is encrypted, the VMware host generates an internal AES key that is used to encrypt the virtual machine.
- The vCenter server then requests a new AES key from Key Orchestration that is used to encrypt the internally generated key.
- The key from Key Orchestration that is used to encrypt the internal key is not saved anywhere in the VMware environment; only the UUID is stored. By not storing encryption keys in memory and relying on the key manager to securely store them, it reduces the access points a bad actor can use in an attempt to compromise your enterprise.
- Furthermore, let’s say you wanted to move the virtual machine from one encrypted host to another. By utilizing vMotion encryption, all involved hosts and the virtual machine are secured.
- Not using an encrypted virtual machine? Not a problem! vMotion encryption can be used on unencrypted virtual machines as well.
- Because all of this encryption happens outside of the virtual machine at the hypervisor level, we do not care about the guest OS or the data on the VMDK; all encryption of the virtual machine is agnostic.
So now that you have vSphere 6.5 and Fornetix Key Orchestration, how do you make them work together? Simply said: point and click. VMware has integrated a KMIP client into vSphere 6.5 Enterprise which makes the integration with Fornetix Key Orchestration a 5 minute process:
- Create a client object in Key Orchestration.
- Input the Key Orchestration appliance network info into the KMS (Key Management Server) configuration screen in vCenter.
- Copy and paste the credentials of the client object.
Congratulations, you have completed the setup and can now encrypt your VMs! This quick integration allows administrators to get back to other tasks, thereby increasing productivity and use of resources.
Consider the Cost of a Breach When Factoring ROI
When looking at the ROI of a VMware and Key Orchestration integration, we have to look further down the road. The average cost of a data intrusion/compromise for a large-scale enterprise is in the neighborhood of $4M. This includes the costs of lost data, time and resources to mitigate the breach, compensation for those affected, replacement of breached data, and more. By encrypting your VMs and securing the keys, a nefarious intruder only gets jumbled-up nonsense if encrypted data is compromised.
Key Orchestration also has the added benefit of not being limited to working only with VMware. Fornetix Key Orchestration can handle your other encryption keys as well: database encryption keys, SSH keys, SSL certificates, and more. This extensibility allows you to not only use your investment for encrypting and managing VMs, but also manage other disparate encryption keys throughout your environments. You can bring your entire enterprise’s encryption management under a single, secure umbrella.
By choosing VMware and Fornetix for your virtual machine encryption and key management, you set yourself up for success. Those virtual machines are now secured and your encryption keys are now secured. No longer are you kept up at night with those security concerns. You can now use your time to worry about life’s greatest mysteries, such as why do hotdogs come in packs of 10, but the buns come in packs of 8?