
Key Management, KMIP and VMware VM Encryption

October 18, 2016


Written by: Eric Chiu


At VMworld in Barcelona VMware announced VMware VM Encryption as part of a larger vSphere 6.5 announcement. As a VMware partner (VMware is also a HyTrust investor), we are of course excited to see security being highlighted by VMware. I founded HyTrust in 2007 with the vision of enhancing security for VMware, which was the focus of our first product, CloudControl. While we have expanded our portfolio and do a lot more to secure private and public cloud than we did when we first started, extending and enhancing security for VMware products has always been important to us. Indeed, we earned Best of Show at VMworld 2015 for HyTrust CloudControl security for VMware NSX, which helps illustrate the value we bring to the VMware platforms.

We are excited to see this announcement because encryption really is a required component of any security program. Efforts like VMware VM Encryption coming to fruition help demonstrate the importance of encryption and the mindshare it is receiving at the highest levels. That said, there is more to encryption than the encryption itself, and we are very pleased to announce HyTrust Encryption Key Management for VMware VM Encryption.

Enter Encryption Key Management and KMIP

When you look at deploying data encryption, a big part of any solution is encryption key management. Much of what you might think of as data encryption management is actually encryption key management, and it is what makes a number of policy and compliance controls possible. For example, a lot of thought goes into the creation of workloads, but when it is time to retire a workload, what then? Disaster recovery, backup and restore, and hybrid and public cloud all imply that there may be multiple copies of any given workload floating around in a number of different places. With central key management, you can destroy the keys associated with certain workloads (and with the various copies and backups that have been made of those workloads), which effectively decommissions every copy. No more worry, doubt or uncertainty about your data.

Another place where comprehensive key management capabilities come in handy is compliance. Many compliance mandates, such as PCI, require encryption key rotation, and best practice dictates that the more sensitive the data, the more frequently keys should be rotated. One of the challenges inherent to encryption key rotation is that traditional approaches often require some degree of downtime. Typically, the amount of downtime is closely related to the size of the workload: larger ones take more time, in some cases several hours or more. Not with HyTrust DataControl. We allow our customers not only to schedule and automate encryption rekeying, but also to do it without downtime, an important consideration for anyone running mission-critical applications.
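The two capabilities described in the last two paragraphs, destroying a key to decommission every copy of a workload and rotating keys without taking the workload offline, both follow from one design: the disk is encrypted under a per-workload data-encryption key (DEK), and the DEK is stored only in wrapped form under a key-encryption key (KEK) that never leaves the key manager. The Go program below is an added example written for this page; it is not HyTrust's or VMware's code and does not describe how DataControl or VM Encryption implement either feature. Every name in it (keyManager, encryptedDisk, rotateKEK and the rest) and the "customer records" input are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// keyManager is a constructed stand-in for a central key-management service
// (example code, not HyTrust's or VMware's): KEKs, by ID, exist only here.
type keyManager map[string][]byte

func (km keyManager) createKEK(id string)  { km[id] = randomBytes(32) } // AES-256
func (km keyManager) destroyKEK(id string) { delete(km, id) }           // the crypto-shredding step

// encryptedDisk is one copy of a workload's storage; backups are copies of this record.
type encryptedDisk struct {
	kekID      string // which KEK wraps the DEK
	wrappedDEK []byte // data-encryption key sealed under the KEK
	ciphertext []byte // disk contents sealed under the DEK
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG: stop rather than continue
	}
	return b
}

// gcmFor builds AES-GCM; keys here are always 32 bytes, so an error is a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// seal returns nonce || AES-256-GCM(plaintext); open reverses it and fails
// authentication on a wrong key or a modified blob.
func seal(key, plaintext []byte) []byte {
	g := gcmFor(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, blob []byte) ([]byte, error) {
	g := gcmFor(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// encryptWorkload: fresh DEK for the data, DEK wrapped under the named KEK.
func encryptWorkload(km keyManager, kekID string, plaintext []byte) (*encryptedDisk, error) {
	kek, ok := km[kekID]
	if !ok {
		return nil, fmt.Errorf("KEK %q not available", kekID)
	}
	dek := randomBytes(32)
	return &encryptedDisk{kekID, seal(kek, dek), seal(dek, plaintext)}, nil
}

// unwrapDEK is the only path to the data. Once destroyKEK has removed the KEK,
// every copy wrapped under it is unreadable, wherever that copy is stored.
func (km keyManager) unwrapDEK(d *encryptedDisk) ([]byte, error) {
	kek, ok := km[d.kekID]
	if !ok {
		return nil, fmt.Errorf("KEK %q destroyed: this copy is decommissioned", d.kekID)
	}
	return open(kek, d.wrappedDEK)
}

func decryptWorkload(km keyManager, d *encryptedDisk) ([]byte, error) {
	dek, err := km.unwrapDEK(d)
	if err != nil {
		return nil, err
	}
	return open(dek, d.ciphertext)
}

// rotateKEK re-wraps each copy's DEK under newID without touching the bulk
// ciphertext, so the workload stays online. Rotate every copy (backups too)
// before destroying the old KEK, or the copies left behind are lost with it.
func rotateKEK(km keyManager, newID string, disks []*encryptedDisk) error {
	newKEK, ok := km[newID]
	if !ok {
		return fmt.Errorf("KEK %q not available", newID)
	}
	for _, d := range disks {
		dek, err := km.unwrapDEK(d)
		if err != nil {
			return err
		}
		d.wrappedDEK, d.kekID = seal(newKEK, dek), newID
	}
	return nil
}

func main() {
	km := keyManager{}
	km.createKEK("kek-v1")
	disk, _ := encryptWorkload(km, "kek-v1", []byte("customer records"))
	km.destroyKEK("kek-v1")
	_, err := decryptWorkload(km, disk)
	fmt.Println("readable after crypto-shred:", err == nil) // false
}
```

Two things to take from running it. Rotation re-wraps only the 32-byte DEK, so the disk image itself is never rewritten and the workload keeps serving reads and writes while the KEK changes; that is what makes rotation without downtime possible in this design. And a backup that was copied before rotation still points at the old KEK ID, so it becomes unreadable the moment that KEK is destroyed: the key manager must know about every copy, or keep the retired KEK until all copies have been re-wrapped. In a production deployment the KEKs would live in an HSM or KMS rather than a Go map, and the key manager would log every create, rotate and destroy for audit.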

What about KMIP?

KMIP, the Key Management Interoperability Protocol, is, unsurprisingly, a protocol designed to allow interoperability between encryption and key management systems. It allows, for example, VMware encryption to be managed by a third-party encryption key management system, such as HyTrust's. We are fans of interoperability standards in general and of KMIP in particular. VMware has announced that vSphere VM Encryption supports KMIP, and we salute them for this move.

KMIP support provides an open platform that lets VMware customers select robust key management from providers such as HyTrust, so that they can not only manage VMware encryption keys but also easily pursue a multi-cloud (or, in VMware's terms, Cross-Cloud Architecture) private and public cloud encryption strategy. The door is now open to managing encryption across private, public and hybrid cloud from a single pane of glass.
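For readers who want to see what the interoperability just described looks like on the wire: KMIP messages are TTLV-encoded (a 3-byte tag, a 1-byte type, a 4-byte length and a value padded to 8 bytes), and a client such as an encryption product talks to the key server by sending a Request Message and parsing the Response Message it gets back. The Go program below is an added illustration, not VMware's or HyTrust's code: a small TTLV encoder and decoder plus the Destroy request a KMIP client sends to retire a key, which is the key-destruction step from the earlier section expressed in the protocol. The tag, type and operation values are from the KMIP 1.x specification's tables; the identifier "kmip-demo-0001" is constructed, and the decoder covers only the item types this request uses.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// TTLV item types and the tags this example needs, with values from the
// KMIP 1.x specification's Item Type and Tag tables.
const (
	typeStructure, typeInteger, typeEnumeration, typeTextString = 0x01, 0x02, 0x05, 0x07

	tagBatchCount, tagBatchItem, tagOperation                             = 0x42000D, 0x42000F, 0x42005C
	tagProtocolVersion, tagProtocolVersionMajor, tagProtocolVersionMinor = 0x420069, 0x42006A, 0x42006B
	tagRequestHeader, tagRequestMessage, tagRequestPayload               = 0x420077, 0x420078, 0x420079
	tagUniqueIdentifier                                                  = 0x420094

	opDestroy = 0x14 // Operation enumeration value for Destroy
)

// item is one TTLV node; which value field is meaningful depends on typ.
type item struct {
	tag      uint32
	typ      byte
	intVal   int32  // Integer and Enumeration
	str      string // TextString
	children []item // Structure
}

func structure(tag uint32, kids ...item) item { return item{tag: tag, typ: typeStructure, children: kids} }
func integer(tag uint32, v int32) item        { return item{tag: tag, typ: typeInteger, intVal: v} }
func enumeration(tag uint32, v int32) item    { return item{tag: tag, typ: typeEnumeration, intVal: v} }
func text(tag uint32, s string) item          { return item{tag: tag, typ: typeTextString, str: s} }
func pad8(n int) int                          { return (n + 7) &^ 7 }

// encode appends the TTLV bytes of it to dst: 3-byte tag, 1-byte type, 4-byte
// big-endian value length (unpadded), then the value padded to 8 bytes.
func encode(dst []byte, it item) []byte {
	var val []byte
	switch it.typ {
	case typeStructure:
		for _, c := range it.children {
			val = encode(val, c) // children carry their own padding
		}
	case typeInteger, typeEnumeration:
		val = make([]byte, 4)
		binary.BigEndian.PutUint32(val, uint32(it.intVal))
	case typeTextString:
		val = []byte(it.str)
	}
	n := uint32(len(val))
	dst = append(dst, byte(it.tag>>16), byte(it.tag>>8), byte(it.tag), it.typ)
	dst = append(dst, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
	dst = append(dst, val...)
	return append(dst, make([]byte, pad8(len(val))-len(val))...)
}

// decode parses one TTLV item from buf and reports how many bytes it used.
// Every length is checked before slicing, so a truncated or malformed message
// from the peer is rejected with an error instead of crashing the client.
func decode(buf []byte) (item, int, error) {
	if len(buf) < 8 {
		return item{}, 0, fmt.Errorf("truncated TTLV header")
	}
	it := item{tag: uint32(buf[0])<<16 | uint32(buf[1])<<8 | uint32(buf[2]), typ: buf[3]}
	n := int(binary.BigEndian.Uint32(buf[4:8]))
	if len(buf) < 8+pad8(n) {
		return item{}, 0, fmt.Errorf("truncated TTLV value for tag 0x%06x", it.tag)
	}
	val := buf[8 : 8+n]
	switch it.typ {
	case typeStructure:
		for off := 0; off < n; {
			child, used, err := decode(val[off:])
			if err != nil {
				return item{}, 0, err
			}
			it.children = append(it.children, child)
			off += used
		}
	case typeInteger, typeEnumeration:
		if n != 4 {
			return item{}, 0, fmt.Errorf("integer item with length %d", n)
		}
		it.intVal = int32(binary.BigEndian.Uint32(val))
	case typeTextString:
		it.str = string(val)
	default:
		return item{}, 0, fmt.Errorf("unsupported item type 0x%02x", it.typ)
	}
	return it, 8 + pad8(n), nil
}

// destroyRequest builds the KMIP 1.0 Destroy request a client sends to the
// key server to retire the managed object with the given Unique Identifier.
func destroyRequest(uid string) []byte {
	return encode(nil, structure(tagRequestMessage,
		structure(tagRequestHeader,
			structure(tagProtocolVersion,
				integer(tagProtocolVersionMajor, 1),
				integer(tagProtocolVersionMinor, 0)),
			integer(tagBatchCount, 1)),
		structure(tagBatchItem,
			enumeration(tagOperation, opDestroy),
			structure(tagRequestPayload, text(tagUniqueIdentifier, uid)))))
}

func main() {
	req := destroyRequest("kmip-demo-0001") // constructed identifier, not a real key ID
	_, used, err := decode(req)
	fmt.Printf("%d bytes on the wire, %d parsed back, err=%v\n", len(req), used, err)
}
```

The request comes out as 128 bytes: Request Message containing a Request Header (Protocol Version 1.0, Batch Count 1) and one Batch Item (Operation = Destroy, Request Payload with the Unique Identifier). A real client sends it over the TLS connection KMIP requires and then parses the server's Response Message, which carries a Result Status for each batch item; the same decoder handles that reply. Because every length is validated before a slice is taken, a short or corrupted reply from the server produces an error rather than a panic, which is the property you want in any code that parses bytes from a remote party.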

Congratulations to our partner and investor VMware on their latest enhancements to vSphere. We welcome their efforts to make encryption easier and faster to deploy and salute their support of KMIP in this effort. We are excited to deliver and enhance the encryption and other security capabilities of vSphere and the other cloud and virtualization products including NSX, IBM Cloud, Azure, and AWS that customers may encounter on their multi-cloud journey.