VMware: The Importance of Encrypting VMs

Last updated: 16 May 2016

This post originally appeared on SafeNet’s The Art of Data Protection blog prior to Gemalto’s acquisition of SafeNet.

At VMworld Barcelona, we’ll be showcasing security solutions for virtual environments: SafeNet ProtectV. To give you a preview of the show, we sat down with VMware’s Gargi Mitra Keeling, Group Product Manager, vCloud Networking and Security, to discuss her impressions on the importance of security in the virtual datacenter, as well as some of the activities you can look forward to at VMworld Barcelona.

What made you decide to partner with a security company? What pain points or problems were you seeing in the VMware user community?

VMware customers have a lot riding on our platform, ranging from business critical applications to virtual desktops and most recently, to the software-defined datacenter (SDDC). Customers trust us to not only provide a robust platform for all of this, but they look to us for guidance in adjacent areas, such as data security.

What customers want is choice in application deployment models, whether it is a dedicated virtual cluster, mixed trust cluster, private cloud, public/dedicated cloud or public/shared cloud. But they want these options with the assurance that their data is always under their control, that rogue admins can’t walk away with their data and that industry regulators will accept their security controls, regardless of deployment model.

Encryption of data at rest has surfaced not only as a requirement (as with PCI DSS and HIPAA) but also as an enabler for moving workloads to clouds where the administrator is not necessarily affiliated with the customer’s organization. In other words, our customers realize that if virtual machine data is encrypted and encryption keys are under their control, then they can move more of their apps to the VMware vCloud Suite, our cloud infrastructure platform. This means continued benefits in the form of agility, efficiency and intelligent operations management of cloud computing.

This is where data isolation and security become key. We saw encryption as a way for our customers to kickstart their journey to the cloud so they can have their data and workloads in the environment of their choice, without concerns over data security.

What made you choose SafeNet in particular?

There are a lot of security vendors out there, but we chose SafeNet ProtectV for three main reasons. First, SafeNet enforces encryption without adversely impacting common virtual machine (VM) states and workflows. Second, the encryption keys are always under the control of the customer, yet they are also accessible over the network. In both cases their solutions enable workload mobility, which ultimately ties back to customer choice in application deployment models. Third, they implement a pre-boot authentication option that requires administrators to authenticate with ProtectV Manager before booting up the encrypted VMs.

Specifically, SafeNet ProtectV policy manager presents the virtual infrastructure in a way that our customers are accustomed to – with a full view of VMs and their containers. Encryption policies are applied to VMs (not IP addresses), allowing VMs to move to other hosts and clouds without invalidating protection. The keys used to encrypt the data in these VMs are stored in SafeNet KeySecure, a FIPS Level 3 certified network Hardware Security Module (HSM), which meets strict US government standards for key security while allowing for mobility. The ProtectV policy manager is the ‘mother ship’ that always keeps in touch with the ProtectV encryption agent in the VM, and when keys need to be revoked or rotated, the manager contacts the KeySecure HSM to update encryption keys. The manager can also require that the user log on before they can launch a VM.

The end result is the customer can strictly control access to his data.

Are highly regulated organizations able to move workloads to VMs?

Interestingly enough, the financial services industry and the federal government are huge advocates of virtualization. Both have already implemented business critical applications like email, web and business productivity applications in the virtual datacenter. And many are moving forward with projects to virtualize critical infrastructure such as databases, directory services, ERP systems, and more.

These customers recognize that moving applications into the virtual environment actually improves asset management and security. When you move applications to VMs, you see a single management console – vCenter – with an inventory of all the workloads running in that datacenter. With increased visibility comes new opportunities for controlling these workloads, as with VMware vCloud Networking and Security. VMware’s network, data and endpoint security solutions combined with those of our partners, such as SafeNet, are allowing our customers to move to the VMware platform with more confidence. Far from adding complexity, having everything in one location makes managing, auditing, and securing those apps much less complicated.

How can security solutions like ProtectV and KeySecure help VMware customers?

ProtectV addresses that checkbox for encryption of sensitive data at rest, but it does more than that. It honors the mobility of data in the virtual datacenter and across clouds. By encrypting data, users can uphold the traditional benefits of virtualization and still mitigate security risks.

With KeySecure, the bottom line is that our customers own their keys, no matter where their data resides.

SafeNet and VMware are both going to be at VMworld Barcelona next week. Can you tell us a little about what you’ll be doing at the show?

I encourage attendees to visit our respective booths to see demos of VMware vCloud Networking and Security and SafeNet ProtectV. ProtectV is currently fully integrated in vSphere, but the demo shows how ProtectV can work with vCloud Networking and Security to combine the value of VMware’s network isolation and SafeNet’s data isolation solutions. Attendees can learn more about the future of VM security.

My colleagues and I are also presenting at several sessions throughout the conference, but I think the sessions that will be most beneficial for attendees interested in learning more about security for VMware cloud infrastructure are as follows.

If someone wants more information about data security for VMs, where can they go?

You can visit SafeNet at stand S102 for demos of both ProtectV and KeySecure (encryption key management), or attend a VM security webcast I’m presenting with SafeNet on October 18: Virtualization and the Cloud: Encryption enables a fast and secure migration.

To learn more about how SafeNet solutions integrate with VMware, check out our VMware partner page.
