IT turns to VMware encryption for added VM security
Encryption features in recent vSphere and vSAN updates aim to balance security with simplicity and performance. For VMware shops, there is little standing in the way of adoption.
Virtualization admins demand a balance between security, performance and usability in their data protection tools, and VMware aims to address that need with encryption capabilities in vSphere 6.5 and vSAN 6.6.
In an increasingly security-conscious world, data protection has become a top priority. One key feature is encryption; in fact, 38% of IT admins are planning an encryption security initiative this year, according to TechTarget's 2018 IT Priorities Survey. With vSphere 6.5 and vSAN 6.6, VMware includes encryption capabilities that can help meet that demand. Though VMware encryption features are unlikely to drive adoption of vSphere or vSAN, they largely meet the needs of IT administrators, experts said.
"I wouldn't say admins are crazy about it, but it has provided a capability that had previously been missing," said Stuart Burns, a virtualization engineer at Marsh, an insurance broking and risk management firm based in New York.
Encryption in an unsecure world
After one of the most significant data breaches in years, Equifax's interim CEO admitted in a congressional hearing that it hadn't encrypted data at rest. Many organizations still don't encrypt critical data, when, in reality, they should encrypt everything, Burns said.
"There are so many ways data could be lost, and once you've lost the data, that data is out there forever," he said. "If it's encrypted, you don't have that problem anymore. Yes, it's lost, but that data is very unlikely to be of use to anyone."
Encryption also reduces the consequences of device misplacement and social engineering by scrambling the information and making it worthless to anyone who lacks the unique tools to read it. A key management service (KMS) lets IT control the keys that make encrypted data readable.
VM-level encryption in vSphere 6.5
VSphere 6.5, released in 2016, gives admins the ability to encrypt VMs at the hypervisor level. Previously, encryption with vSphere required third-party hardware or software and didn't achieve the same level of granularity. This feature takes a data-in-motion approach: it encrypts I/O as it leaves the VM's virtual disk, before that I/O travels through the kernel storage stack. All of the VM's files, including configuration and snapshot files, are stored in encrypted folders.
One of the most compelling features of vSphere's native encryption is its ease of use, Burns said.
"Someone who's got reasonable knowledge of VMware [and] vSphere can implement it," said Burns, who put it to use in about an hour and a half.
Encryption allows for the principle of least privilege, which limits data visibility exclusively to those who need it. In vSphere, this ensures even virtualization administrators only have access to the data they need, which makes their credentials less valuable targets for hacking and social engineering, said Ed Haletky, principal analyst at The Virtualization Practice.
"It is a necessary addition and closes a gap where a virtualization administrator can see all data," he said.
VMware encryption in vSAN 6.6
VSAN 6.6 added native data-at-rest encryption at the hypervisor level -- built into the vSAN kernel and encrypting the entire data store. Unlike vSphere's data-in-motion approach, vSAN encrypts the entire volume instead of individual VMs.
VSAN encryption is hardware-agnostic and works with hybrid and all-flash configurations. It can also take advantage of other vSAN features, such as deduplication and compression.
Both vSphere and vSAN use the same encryption library and allow IT to use the same KMS between them. VMware doesn't provide its own KMS, but vSphere and vSAN work with a multitude of providers.
The primary use case for both VMware encryption features is SMBs looking to add functionality to existing VMware infrastructures, Burns said. As more of those companies take up hyper-converged infrastructure, vSAN encryption might help position the VMware platform as an attractive option. But, for the most part, it's unlikely organizations will invest in vSAN primarily because of this feature, Burns said.
Performance effects, limitations of VMware encryption
VM performance is always a concern when implementing security features. VMware claims vSphere's encryption doesn't significantly affect I/O performance, and modern processors usually mean that issue is no longer a big concern for IT anyway, Haletky said.
VSphere encryption can create bottlenecks for some high-performance devices, however, such as advanced nonvolatile memory express drives, according to VMware. Still, those devices are not a large use case, Burns said.
"The people who are going to use VMware vSphere encryption aren't the people who are going to be using extremely high-performance, high-I/O, low-latency stuff," he said. "You don't want to be giving up performance for security, if you can help it."
As VMware shops consider implementing these encryption features, the primary drawbacks involve the planning required. When encrypting on a per-VM basis in vSphere, admins will need to adjust their workflow.
"Current implementations of VM encryption require you to reboot the VM to encrypt the drives, so it has to be planned to add on upgrade cycles," Haletky said.
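The two operational points above, that vSphere 6.5 encryption is applied per VM with keys held in an external KMS, and that a VM has to be powered down before its files can be encrypted, can be checked and enforced from PowerCLI. The script below is an added example written for this article; it is not VMware's code and does not come from the sources quoted here. It assumes PowerCLI is installed, `Connect-VIServer` has already been run, the vCenter is 6.5 or later, and the built-in storage policy is still named "VM Encryption Policy"; the VM name in the usage lines is a placeholder.

```powershell
# Added example (not from the article or from VMware): audit VM encryption
# state in vSphere 6.5+ and apply the encryption storage policy to a VM.
# Assumes PowerCLI is loaded and Connect-VIServer has succeeded.

# Report each VM's encryption state. VirtualMachineConfigInfo.keyId is set
# when the VM's home files (config, snapshots) are encrypted, and each
# VirtualDisk backing carries its own keyId when that disk is encrypted.
function Get-VmEncryptionReport {
    param([Parameter(Mandatory, ValueFromPipeline)]$VM)
    process {
        $cfg      = $VM.ExtensionData.Config
        $disks    = @($cfg.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualDisk] })
        $encDisks = @($disks | Where-Object { $null -ne $_.Backing.KeyId })
        [pscustomobject]@{
            Name           = $VM.Name
            PowerState     = $VM.PowerState
            HomeEncrypted  = [bool]$cfg.KeyId
            DisksTotal     = $disks.Count
            DisksEncrypted = $encDisks.Count
            # KMS cluster that holds the VM's key (empty when not encrypted)
            KeyProvider    = $cfg.KeyId.ProviderId.Id
        }
    }
}

# Encrypt a VM's home files and all of its disks by assigning the encryption
# storage policy. The VM must be powered off first, which is why this step
# has to be scheduled with maintenance or upgrade cycles; the function
# refuses to run against a powered-on VM rather than failing half way.
function Enable-VmEncryption {
    param(
        [Parameter(Mandatory)]$VM,
        [string]$PolicyName = 'VM Encryption Policy'   # default policy shipped with vSphere 6.5
    )
    if ($VM.PowerState -ne 'PoweredOff') {
        throw "$($VM.Name) must be powered off before its files can be encrypted"
    }
    $policy = Get-SpbmStoragePolicy -Name $PolicyName

    # VM home (vmx, nvram, snapshot metadata)
    Get-SpbmEntityConfiguration -VM $VM |
        Set-SpbmEntityConfiguration -StoragePolicy $policy | Out-Null

    # Every virtual disk attached to the VM
    Get-SpbmEntityConfiguration -HardDisk (Get-HardDisk -VM $VM) |
        Set-SpbmEntityConfiguration -StoragePolicy $policy | Out-Null

    # Re-read the VM so the report reflects the new keyId values
    Get-VM -Name $VM.Name | Get-VmEncryptionReport
}

# Usage (placeholder VM name):
# Get-VM | Get-VmEncryptionReport | Where-Object { -not $_.HomeEncrypted -or $_.DisksEncrypted -lt $_.DisksTotal }
# Enable-VmEncryption -VM (Get-VM -Name 'example-vm')
```

The report is the useful part for a periodic check: any VM where `HomeEncrypted` is false or `DisksEncrypted` is below `DisksTotal` still has plaintext on the datastore, and `KeyProvider` shows which KMS cluster a given VM depends on, which matters when a KMS is retired or its keys are rotated.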
Another challenge is licensing. Organizations need to have at least an Enterprise Plus license of vSphere and an Enterprise license of vSAN to take advantage of the native encryption.
VMware encryption might not drive enterprise investment in vSphere or vSAN alone, but these features' usability helps fill out a security portfolio that becomes more crucial to IT every year.
"Encryption is becoming ever more important," Burns said.