VMware is without a doubt a major platform for private as well as public cloud deployments. But as in any other cloud-based system, data security, and more specifically cloud encryption and key management are fundamental building blocks.
Cloud key management and encryption requirements
We have found that external users have many of the same security requirements, whether the cloud is public or private: from an external user’s point of view, the differences between public and private clouds are technical details, and the user requires the same guarantees from the provider.
In particular, users expect to own their data. In a business context, a user is often another business. These businesses want to know that they are enjoying the benefits of the provided service, but that the provider cannot read their data.
As a consequence, cloud infrastructure must provide an ability to encrypt sensitive data, and to keep encryption keys under the control of the user. This requirement shows up in public deployments, as a requirement to control keys that encrypt disks. It also shows up in private deployments, as a requirement to control keys that are used by the software solution: each user wants to have separate keys, so that other users and the solution provider cannot read the users data. Such solutions are beginning to emerge, for example split-key encryption and homomorphic key management.
Public cloud deployments
Public providers often want to “chop” a large storage array into chunks that are usable for customers. Virtualization technology is very natural here, but the challenge is to make each “chunk” encrypted by different keys, so that customers remain in control.
A natural solution here has emerged from Porticor: Virtual Appliances are deployed on the same VMware-based infrastructure that the provider has chosen. These appliances know how to consume a LUN or VMFS, and re-expose it as a new LUN or VMFS, this time encrypted using keys that are specific to a customer. (For further details read the white paper here)
The Porticor solution actually leverages the same flexibility to carve up storage and compute – that is available from the VMware cloud infrastructure – and adds encryption and key management as a natural layer.
Private cloud deployments
Private providers often have a specific software solution in mind. Here Porticor’s ability to provide unique “tokens” for users, groups or roles – and an API that integrates with the provider’s identity & access management solution – allows individual and group identities to be maintained at the encryption layer.
Providers can offer full multi-tenancy, yet guarantee that the user’s individual data is encrypted using a key that only the user knows. The provider’s employees literally provide the service yet cannot read the data.
Summary
The flexibility of modern virtualization environments is often presented as a security challenge, but with the right technology, it can actually enhance security and offer users greater control of their data – without the hassle of managing it themselves.