makspogonii - Fotolia
Use centralized encryption methods in large-scale IT environments
Whether data is stored in a VM or in the cloud, centralized encryption key management is critical to prevent theft and protect data from unwanted eyes.
Data protection and confidentiality are always top IT priorities. But it's not always easy to achieve these goals in large-scale data center and cloud environments. Encryption methods -- and centralized management of those methods -- can help.
A highly controlled environment, such as an enterprise data center, minimizes the risk of data theft. However, even in these settings, encryption -- and especially full-disk encryption (FDE) -- offers benefits, such as preventing unauthorized parties from reading data upon hardware disposal or returns to a vendor.
A critical component of many enterprise encryption methods, including FDE, is centralized management -- something that's especially important in large-scale data center and cloud environments. An encryption key management server (KMS) can provide this centralization, and also scale to support just about every IT resource that requires encryption services. This makes a KMS framework more scalable compared to a single encryption key maintained by a single user. However, to prevent security risks, be extremely careful who has access to the centralized key management infrastructure.
Encryption methods for virtualized environments
Within the realm of virtualization, most hypervisor vendors, such as VMware, Nutanix and Microsoft, natively support encryption of the VM or of the underlying disks -- though this typically comes with additional costs. Different vendors have specific implementations of encryption technology, but they all share the same over-arching design: the use of a key management server to centrally control access to encryption keys. The exact designs vary, but they all work in a similar fashion.
VMware, for example, uses two types of encryption keys to secure vSphere environments: data encryption keys (DEKs) and key encryption keys (KEKs). DEKs encrypt the actual data and are stored securely on the disk, while KEKs encrypt and decrypt the DEKs. Wherever the VM goes, the DEK goes, as it forms part of the virtual machine. Without the KEK, the DEK -- and data -- are inaccessible.
Nutanix, as another example, uses FDE to encrypt data at rest across a cluster. This encryption and decryption process is similar, but applied at the disk level. FDE encrypts not just data and VMs, but also logs and operating systems -- or, as its name suggests, the whole disk. This is beneficial, as logs left on a disk in plaintext can give away a lot of unintended information and, depending on the configuration, can be very active. For example, a log could easily give away enough information to provide an understanding of how a machine is used, where it's hosted and its performance capabilities.
For non-virtualized environments, hardware-based encryption, such as through a self-encrypting drive (SED) or software-based encryption -- where the encryption occurs outside of the physical drive -- are both options. Self-encrypting drives mostly subscribe to the TCG Opal framework, which also enables encryption and decryption from centralized management servers.
SEDs tend to be more costly than standard drives, so keep that in mind to compare options. However, software-based encryption isn't free and will come with a licensing cost. Software-based encryption also brings a utilization overhead, since every disk read or write operation has to decrypt or encrypt the data that is written to the disk. This means software-based encryption can be less performant than hardware-based encryption, which uses custom silicon that negates a lot of overhead.
Encryption in the cloud
Unlike on-premises environments, a VM in the cloud is one of many on a storage array and data is spread across dozens of disks data off a single disk.
Encryption methods, however, are still advisable in the cloud, and all the major providers, such as Amazon Web Services, Google and Microsoft, support encrypted cloud VMs. Again, a key management server or service enables this process, but rather than use vendor-generated keys -- which would give cloud vendors access to users' VMs -- enterprises can bring their own keys that are secured with their own passwords and access control permissions.
If the process outlined earlier, involving KEKs and DEKs, was used in the cloud, the cloud provider would control one of the keys -- which presents a potential vulnerability. To avoid this, cloud users can bring an additional key that is completely in their control, and prevents the cloud provider from being able to read customer data.