Monday 26 February 2018

IT turns to VMware encryption for added VM security

Encryption features in recent vSphere and vSAN updates aim to balance security with simplicity and performance. For VMware shops, there is little that gets in the way of adoption.


Virtualization administrators demand a balance between security, performance and usability in their data protection tools, and VMware aims to address that need with the encryption capabilities in vSphere 6.5 and vSAN 6.6.

In a world increasingly aware of security, data protection has become a priority, and encryption is a key part of it: 38% of IT managers are planning an encryption security initiative this year, according to the TechTarget IT Priorities Survey 2018. With vSphere 6.5 and vSAN 6.6, VMware includes encryption capabilities that can help meet that demand. Although VMware's encryption features are unlikely to drive vSphere or vSAN adoption, they largely meet the needs of IT administrators, experts say.

"I would not say that administrators are crazy about that, but it has provided a capability that previously had been missing," said Stuart Burns, a virtualization engineer at Marsh, a New York-based insurance and risk management brokerage firm.

Encryption in an insecure world

After one of the most significant data breaches in years, the interim CEO of Equifax admitted at a congressional hearing that the company had not encrypted its data at rest. Many organizations still do not encrypt critical data when, in reality, they should encrypt everything, Burns said.

"There are so many ways in which data can be lost, and once the data is lost, that information will be available forever," he said. "If it's encrypted, you do not have that problem anymore, it's lost, but that information is unlikely to be useful to anyone."

Encryption also reduces the consequences of misplaced devices and social engineering by encoding information so that it is worthless to anyone who lacks the keys needed to read it. A key management service (KMS) lets IT control the keys that make the encrypted data readable.

VM-level encryption in vSphere 6.5

vSphere 6.5, released in 2016, gives administrators the ability to encrypt virtual machines at the hypervisor level. Previously, encryption with vSphere required third-party hardware or software and did not achieve the same granularity. The feature takes a data-in-motion approach: it encrypts I/O at the virtual machine's disk, before the data travels to kernel storage. All of the VM's files, including configuration files and snapshots, are stored encrypted.

One of the most attractive features of native vSphere encryption is its ease of use, Burns said.

"Someone who has reasonable knowledge of VMware [and] vSphere can implement it," said Burns, who used it in about an hour and a half.

Encryption enables the principle of least privilege, which limits visibility of data exclusively to those who need it. In vSphere, this ensures that even virtualization administrators have access only to the data they need, which makes their credentials less valuable targets for hacking and social engineering, said Ed Haletky, principal analyst at The Virtualization Practice.

"It's a necessary addition and closes a space where a virtualization administrator can see all the data," he said.

VMware encryption in vSAN 6.6

vSAN 6.6 added native data-at-rest encryption at the hypervisor level, integrated into the vSAN kernel and encrypting the entire datastore. Unlike vSphere's data-in-motion approach, vSAN encrypts the whole volume rather than individual virtual machines.

vSAN encryption is hardware independent and works with both hybrid and all-flash configurations. It can also take advantage of other vSAN features, such as deduplication and compression.

Both vSphere and vSAN use the same encryption library and allow IT to use the same KMS between them. VMware does not provide its own KMS, but vSphere and vSAN work with a multitude of providers.
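The two points above (a KMS that controls the keys which make stored data readable, and a virtualization administrator who can see ciphertext on the datastore but not the data itself) can be shown in a small runnable model. The following is an added illustration, not VMware's code: the key hierarchy matches the article (the KMS holds a key-encryption key and wraps one data-encryption key per VM; the host encrypts I/O before it reaches the datastore), while the cipher is a stdlib-only HMAC-SHA256 counter-mode keystream standing in for the product's real block cipher, and all principal names, key values and the sample block are constructed.

```python
"""Envelope encryption behind hypervisor-level VM encryption, as a runnable
model.  Added illustration, not VMware's code: the key hierarchy (a KMS-held
key-encryption key wrapping one data-encryption key per VM) follows the
article, while the cipher is a stdlib-only HMAC-SHA256 counter-mode keystream
standing in for the product's real block cipher.  All names and keys are
constructed for the example."""
import hashlib
import hmac
import secrets

PLAINTEXT = b"constructed sample: customer ledger block 0042"


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream of HMAC-SHA256(key, nonce || block counter).
    Symmetric, so one function both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class KeyManagementService:
    """Stand-in for the external KMS the article describes.  The KEK never
    leaves this object, and data keys are unwrapped only for principals on the
    allow-list (the host), not for anyone who can merely read the datastore."""

    def __init__(self, allowed_principals):
        self._kek = secrets.token_bytes(32)
        self._allowed = frozenset(allowed_principals)

    def wrap(self, dek: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        body = _keystream_xor(self._kek, nonce, dek)
        tag = hmac.new(self._kek, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag          # encrypt-then-MAC

    def unwrap(self, wrapped: bytes, principal: str) -> bytes:
        if principal not in self._allowed:
            raise PermissionError(f"{principal} is not authorised to unwrap keys")
        nonce, body, tag = wrapped[:16], wrapped[16:-32], wrapped[-32:]
        expected = hmac.new(self._kek, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrapped key failed its integrity check")
        return _keystream_xor(self._kek, nonce, body)


class EncryptedVM:
    """One VM whose writes the host encrypts before they reach the datastore.
    The datastore sees only ciphertext plus the KMS-wrapped DEK in the VM's
    configuration; the plaintext DEK lives in host memory while the VM runs."""

    def __init__(self, name: str, kms: KeyManagementService, host: str):
        self.name, self._kms, self._host = name, kms, host
        self._dek = secrets.token_bytes(32)       # per-VM data-encryption key
        self.wrapped_dek = kms.wrap(self._dek)    # what gets written to disk
        self.nonce = b""
        self.ciphertext = b""

    def write(self, plaintext: bytes) -> None:
        self.nonce = secrets.token_bytes(16)      # fresh nonce on every write
        self.ciphertext = _keystream_xor(self._dek, self.nonce, plaintext)

    def read_as(self, principal: str) -> bytes:
        """Decrypt the way any reader must: obtain the DEK from the KMS first."""
        dek = self._kms.unwrap(self.wrapped_dek, principal)
        return _keystream_xor(dek, self.nonce, self.ciphertext)


def demo() -> dict:
    """Run the model and report what each principal can see."""
    kms = KeyManagementService(allowed_principals={"esxi-host-01"})
    vm = EncryptedVM("ledger-vm", kms, host="esxi-host-01")
    vm.write(PLAINTEXT)
    result = {
        "plaintext": PLAINTEXT,
        "ciphertext_differs": vm.ciphertext != PLAINTEXT,
        "host_read": vm.read_as("esxi-host-01"),
    }
    try:                                           # datastore admin: no KMS rights
        vm.read_as("datastore-admin")
        result["datastore_admin_denied"] = False
    except PermissionError:
        result["datastore_admin_denied"] = True
    tampered = bytearray(vm.wrapped_dek)
    tampered[20] ^= 0x01                           # corrupt the wrapped key body
    try:
        kms.unwrap(bytes(tampered), "esxi-host-01")
        result["tamper_rejected"] = False
    except ValueError:
        result["tamper_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the model is where the boundary sits: the datastore (and anyone whose role only grants datastore access) holds ciphertext and a wrapped key, and only the KMS policy decides who gets the usable key back. The example also checks the wrapped key's integrity tag before unwrapping, so a corrupted or altered key record is rejected rather than silently yielding garbage; disk data integrity is left out of the model for brevity.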

The primary use case for both VMware encryption features is SMBs seeking to add functionality to existing VMware infrastructures, Burns said. As more of these companies adopt hyperconverged infrastructure, vSAN encryption could help position the VMware platform as an attractive option. But, for the most part, organizations are unlikely to invest in vSAN primarily because of this feature, Burns said.

Performance effects, limitations of VMware encryption

VM performance is always a concern when implementing security functions. VMware claims that vSphere encryption does not significantly affect I/O performance, and with modern processors the issue is generally no longer a big concern for IT anyway, Haletky said.

However, vSphere encryption can create bottlenecks for some high-performance devices, such as advanced Non-Volatile Memory Express (NVMe) drives, according to VMware. Still, those devices are not a strong use case, Burns said.

"The people who are going to use VMware vSphere encryption are not people who are going to use very low latency material and high I/O high performance," he said. "You do not want to give up performance for security, if you can avoid it."

As VMware shops consider implementing these encryption features, the main drawbacks involve the planning required. When encrypting VMs in vSphere, administrators must adjust their workflow.

"Current implementations of VM encryption require a reboot of the virtual machine to encrypt the drives, so it must be planned to add update cycles," Haletky said.

Another challenge is licensing. Organizations must have at least a vSphere Enterprise Plus license and a vSAN Enterprise license to take advantage of native encryption.

VMware encryption may not generate business investment in vSphere or vSAN alone, but the utility of these features helps complete a security portfolio that becomes more crucial to IT every year.

"Encryption is increasingly important," said Burns.
