Virtual Machine Encryption
As hyper-converged infrastructure and virtualization become the norm, the requirements for encryption have become more demanding and more urgent, and new security issues, and new ways of addressing them, have emerged that IT departments need to consider.
In the era of physical data centers, layering two forms of data protection was a relatively simple and intuitive approach. For example, in addition to encrypting individual files and directories, full disk encryption (FDE) was applied to the on-premises servers so that any hard drive leaving the data center for repair or disposal remained protected, eliminating the risk of exposing customer data.
But in today's hyper-converged infrastructure (HCI) and virtualization world, workloads are virtual, dynamic, mobile, scalable, and short-lived. All of this makes data security harder to maintain.
Why protect virtual machines?
The rise of virtualization and HCI has changed the rules of the game, allowing IT teams to quickly deploy mixed workloads and virtual desktop infrastructures in local and remote locations.
In this respect, a hyper-converged system that combines compute, storage, networking and management software in one appliance is basically a "mini cloud in a box", and its benefits are clear.
But although HCI appliances are still hosted on premises, their workloads run in virtual machines rather than directly on the physical hardware. In other words, what now needs protecting is the virtual machine and the data inside it, not the physical machine itself.
The main security problem facing IT teams is that virtual machines are powered on and off very frequently, so much of the time their data is at rest. A powered-off virtual machine is just a large file (its virtual disk and configuration) that can be copied to a USB flash drive or shared over the network, taking all of the data inside it along.
The solution is straightforward: encrypt the virtual machine itself. Ideally the encryption is performed inside the guest, independent of the hypervisor, and the keys stay under the company's control, for example in a key management server the company operates. Then even if the virtual machine is moved to another HCI node, to a public cloud, or to another geographic location, the company retains control over who can read the data.
Benefits of encrypted virtual machines
Encrypting virtual machines benefits both the IT team and the company as a whole. Because protection follows the corporate data, the approach scales: every newly added virtual machine can be protected the same way.
Moreover, virtual machine-level protection not only covers the loss or theft of physical hard drives, it also helps IT teams prevent unauthorized copying, transfer, or access to the data.
Virtual machine-level encryption has five further far-reaching advantages.
Protection in transit
Unlike physical-level protection, which covers a disk but not a workload in transit, virtual machine-level encryption provides continuous protection when the workload is migrated, cloned, or snapshotted within the enterprise infrastructure.
Portability
Virtual machine-level encryption removes the dependence on particular hardware, hypervisors, or cloud providers, and so offers fully portable protection for mixed IT environments and workloads in transit.
Mixed workloads
IT departments can use virtual machine-level encryption to protect sensitive workloads and run them safely alongside non-sensitive ones, assigning different keys and policies to different virtual machines.
Boot-time policy
Once virtual machine-level encryption is in place, the IT team can also enforce a boot-time policy that controls who may access the data, where it may be stored, and how it is protected: a virtual machine whose policy is not satisfied is not handed its key and therefore does not boot.
Easy to terminate
Virtual machine-level encryption also makes it simple to retire a single workload securely: when the workload ends, destroying its key renders every copy of the encrypted virtual machine unreadable, so the data is effectively wiped without having to locate and overwrite every copy of the image.
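The key-management pattern behind the points above (one data key per virtual machine, keys held by the enterprise rather than the hypervisor or cloud provider, and termination by destroying a key) is shown end to end in the following example. It is an added illustration, not code from the original article or from any product: the Kms class stands in for an enterprise key management server or HSM, the HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag stands in for the AES-XTS or AES-GCM a real product would use (the Python standard library has no AES), and all names, key identifiers and sample "disk images" are constructed for the example.

```python
# Added example: per-VM envelope encryption with enterprise-held keys.
# Stand-ins, not production choices: HMAC-SHA256 counter mode + HMAC tag
# replaces AES-XTS/AES-GCM (stdlib has no AES); Kms replaces a real KMS/HSM.
# All names (Kms, EncryptedVm, encrypt_vm, ...) are hypothetical.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: PRF(nonce || counter) blocks, truncated to length."""
    blocks = [_prf(key, nonce + i.to_bytes(8, "big")) for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _prf(mac_key, nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; ValueError on a wrong key or a modified image."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ct)):
        raise ValueError("authentication failed: wrong key or modified image")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Kms:
    """Enterprise-controlled key store; only wrapped data keys ever leave it."""
    def __init__(self) -> None:
        self._keks = {}

    def create_key(self, key_id: str) -> None:
        self._keks[key_id] = secrets.token_bytes(32)

    def wrap(self, key_id: str, dek: bytes) -> bytes:
        return seal(self._keks[key_id], dek)

    def unwrap(self, key_id: str, wrapped: bytes) -> bytes:
        if key_id not in self._keks:
            raise KeyError(f"key {key_id!r} has been destroyed or never existed")
        return unseal(self._keks[key_id], wrapped)

    def destroy_key(self, key_id: str) -> None:
        """Crypto-shred: once the KEK is gone, no copy of the image is recoverable."""
        self._keks.pop(key_id, None)

@dataclass
class EncryptedVm:
    vm_id: str
    key_id: str         # KMS key (and policy) this VM is bound to
    wrapped_dek: bytes  # travels with the image; useless without the KMS
    image: bytes        # sealed virtual disk

def encrypt_vm(kms: Kms, vm_id: str, key_id: str, disk_image: bytes) -> EncryptedVm:
    """Fresh data key per VM, wrapped under the policy key the KMS holds."""
    dek = secrets.token_bytes(32)
    return EncryptedVm(vm_id, key_id, kms.wrap(key_id, dek), seal(dek, disk_image))

def decrypt_vm(kms: Kms, vm: EncryptedVm) -> bytes:
    return unseal(kms.unwrap(vm.key_id, vm.wrapped_dek), vm.image)

def demo() -> dict:
    """Run the scenarios the article describes; each result is True on success."""
    kms = Kms()
    kms.create_key("finance-vms")
    kms.create_key("general-vms")
    # Constructed sample disk images standing in for .vmdk/.qcow2 files.
    payroll = b"FS-HEADER PAYROLL ssn=123-45-6789 " * 4
    webcache = b"FS-HEADER WEBCACHE static-assets " * 4
    vm_a = encrypt_vm(kms, "payroll-01", "finance-vms", payroll)
    vm_b = encrypt_vm(kms, "web-01", "general-vms", webcache)
    results = {}
    # Powered-off VM copied to a USB stick: the image carries nothing readable.
    results["image_opaque"] = b"PAYROLL" not in vm_a.image and b"123-45-6789" not in vm_a.image
    results["round_trip"] = decrypt_vm(kms, vm_a) == payroll
    # Different key per VM: the other workload's data key cannot open this image.
    try:
        unseal(kms.unwrap("general-vms", vm_b.wrapped_dek), vm_a.image)
        results["keys_isolated"] = False
    except ValueError:
        results["keys_isolated"] = True
    # Terminate the finance workload by destroying its key; the bytes on disk stay, but are dead.
    kms.destroy_key("finance-vms")
    try:
        decrypt_vm(kms, vm_a)
        results["shredded"] = False
    except KeyError:
        results["shredded"] = True
    results["other_vm_unaffected"] = decrypt_vm(kms, vm_b) == webcache
    return results

if __name__ == "__main__":
    print(demo())
```

What carries over to a real deployment is the key hierarchy, not the cipher: the virtual disk is sealed under a per-VM data key, that data key travels with the image only in wrapped form, and the wrapping key never leaves the KMS. Copying the image to another node, cloud or location yields nothing without access to the KMS, a different policy key per workload class keeps sensitive and non-sensitive virtual machines isolated on the same hardware, and destroying one wrapping key retires every copy of that workload at once.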
Newly enacted strict privacy legislation, such as the EU's General Data Protection Regulation (GDPR), raises the stakes for companies that process and store the personally identifiable information (PII) of EU citizens.
Companies therefore need to take appropriate measures to ensure that such sensitive data never ends up in the public domain. At the same time, virtualization and hyper-convergence have significantly expanded the attack surface of IT environments, which makes data protection a top priority.
The solution is to make protection follow the data, using client-side encryption with keys under the enterprise's own control. As we have seen, virtual machine-level encryption protects workloads both inside and outside the enterprise infrastructure and brings many other advantages: it simplifies the IT department's control over every aspect of data security, and it ensures that stored data can be read only by authorized users, even if the cloud platform hosting the virtual machine is compromised. Note that this guarantee applies to the virtual machine at rest: while it is running, its keys and decrypted data are in memory that the hypervisor can see, so a compromised hypervisor is outside what image encryption alone can defend against.