A conversation I often have at the conferences I attend or with the customers I visit is whether there is a need to encrypt physical servers on premises, rather than just certain files and directories selected for the data they hold.
The argument usually given for not needing to encrypt physical servers is that these servers run for weeks, months or even years without being brought down, and that they are physically protected within a well-fortified data center. The protection that FDE (Full Drive Encryption) brings applies only to data at rest, and data is seldom at rest on these servers.
My response to this argument is that all drives eventually leave the data center for repair or disposal, and having them encrypted protects you from having your old drives, with your customer data on them, show up on eBay. It also makes the decommissioning process even easier: an encrypted drive can be quickly crypto-erased if it is still operational, and if through some dramatic failure of process this does not happen, the data is still not accessible without the encryption key.
Of course, this is far from the only reason to consider FDE, with regulatory and compliance requirements so high on the agenda of most companies. One example: from May 2018, companies will be required to adhere to the new EU General Data Protection Regulation (GDPR) if they process or store personally identifiable information of EU citizens.
Another reason is the advances that have been made in virtualization, and in particular in hyper-converged infrastructure (HCI), which has greatly expanded the attack surface and, with it, the need for FDE.
A hyper-converged system is a pre-configured virtualized server platform that combines compute, storage, networking and management software in a single appliance. Hyper-convergence enables you to simply and rapidly deploy mixed-workload and virtual desktop integrated infrastructure solutions across local or remote locations. In other words, HCI is effectively a mini cloud in a box that can be connected to other HCI boxes.
HCI boxes are still physical things kept on premises, and the argument above for protecting them with FDE still applies. However, the argument for not encrypting them does not. HCI workloads run in virtual machines (VMs) on top of the hypervisor, not directly on the physical hardware. It is the VM and its data that need protecting.
In today’s fast-moving environment, the VMs come up and go down much more often than physical machines. In some cases, VMs come and go several times a day. When an admin takes a snapshot of a running machine or turns it off, that VM is at rest and a VM at rest is just a big file. It can be copied onto a USB memory stick or over the network. In fact, one of the advantages of HCI is that workloads (or VMs) can be moved around easily from HCI node (box) to HCI node.
Looking forward, HCI vendors are working with the public cloud providers, such as Google, to move workloads seamlessly back and forth between on-premises infrastructure and the public cloud. So, unlike physical servers, VMs move around a lot and are often in a data-at-rest state. This is the perfect application of FDE, but not at the physical (hardware) level. If we encrypt only at the physical level, the only protection we get is for the disposal or loss of the physical drive. The VM itself remains easy to move around, and a copy of it is still in plaintext even when physical-level FDE is in use.
The key to solving these problems is to encrypt the VM itself, preferably with in-guest encryption that is independent of the hypervisor, with the key under the control of the enterprise. This way, even if the VM is moved to another HCI box – perhaps in another country or even into a public cloud – you retain control of the data, and can decide whether to provide the key to decrypt and unlock the VM.
Taking this approach to encrypting VMs for HCI creates a number of advantages for the IT department and the wider business:
- Scalability: VM-level encryption is highly scalable. Protection actually resides with your data and scales with each new VM brought up.
- Security: Physical level encryption protects against lost or stolen physical drives. VM-level encryption protects against lost or stolen physical drives, unauthorized data movement, access, replication, etc.
- Continuity: With physical level encryption, workloads are decrypted (unprotected) in transit – there is no continuity in the security model. VM-level encryption protects workloads continuously and persistently as they are moved, cloned or snapshotted across your infrastructure.
- Portability: Physical level encryption is reliant on exactly that, your hardware – but what about hybrid IT and workloads in transit? VM-level encryption eliminates lock-in to hardware, hypervisors or cloud providers – it is completely portable protection.
- Flexibility: VM-level encryption allows you to encrypt sensitive workloads and run them securely alongside your non-sensitive workloads. Different keys and policies can apply to different VMs.
- Governance: VM-level encryption enables boot-based policies, so you can control who can access your data, where your data resides and how it is protected.
- Termination: VM-level encryption allows you to securely terminate individual workloads as you are finished with them – it’s simple.
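The design argued for above (each VM encrypted under its own key, that key wrapped by a key manager the enterprise controls, released only where a boot-time policy allows, and destroyed to terminate the workload), as an added Ruby example written for this page rather than taken from any vendor's product. The KeyServer class, the encrypt_vm/boot_vm/terminate_vm! helpers and the location names in the policy are constructed for illustration; AES-256-GCM is used so that a tampered or wrongly keyed image fails authentication instead of yielding garbage.

```ruby
require 'openssl'

# AES-256-GCM helpers: the 12-byte nonce and 16-byte tag are stored in front of the ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  ct = c.update(plaintext) + c.final
  nonce + c.auth_tag + ct
end

def unseal(key, blob)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob[0, 12]
  c.auth_tag = blob[12, 16]
  c.update(blob[28..-1]) + c.final # raises CipherError on a wrong key or a tampered image
end

# Constructed stand-in for the enterprise-controlled key manager. The KEK never leaves it;
# the boot policy ({ vm_id => [permitted locations] }) says where each VM may be unlocked.
class KeyServer
  def initialize(policy)
    @kek = OpenSSL::Random.random_bytes(32)
    @policy = policy
  end
  def wrap(dek)
    seal(@kek, dek)
  end
  # Boot-based policy: the DEK is released only to a location the policy permits.
  def release(vm_id, location, wrapped_dek)
    raise "policy: key release denied at #{location}" unless @policy.fetch(vm_id, []).include?(location)
    unseal(@kek, wrapped_dek)
  end
end

# The at-rest artefact that gets copied, snapshotted or moved: disk ciphertext plus KEK-wrapped DEK.
def encrypt_vm(key_server, id, disk)
  dek = OpenSSL::Random.random_bytes(32) # per-VM data-encryption key
  { id: id, image: seal(dek, disk), wrapped_dek: key_server.wrap(dek) }
end
# In-guest unlock: obtain the DEK under policy, then decrypt the image.
def boot_vm(key_server, vm, location)
  raise 'terminated: key material destroyed' if vm[:wrapped_dek].nil?
  unseal(key_server.release(vm[:id], location, vm[:wrapped_dek]), vm[:image])
end
# Crypto-erase: with the wrapped DEK gone, the image is unrecoverable ciphertext.
def terminate_vm!(vm)
  vm[:wrapped_dek] = nil
end
```

Copying the VM record to another node yields only ciphertext plus a wrapped key that node cannot open; boot_vm succeeds only from a location in the policy and fails permanently once terminate_vm! has dropped the wrapped key.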
To summarize, in the old world some could rationalize not encrypting their physical servers, because there are compensating physical controls such as locked doors and sturdy walls. In today’s world with HCI and virtualization, workloads are virtual, dynamic, mobile, scalable and vulnerable. The solution is to protect them with in-guest encryption with keys under the control of the VM owner.
The simple truth of today’s IT environment is that if you don’t want to see your data in the public domain, then you must encrypt it – it is the last line of defense. If a breach happens to you, the excuse of a virtualized or HCI environment will fall on deaf ears: embracing the right technology for your business brings with it the responsibility of protecting it.