Recently I discussed Virtualizing Business Critical Applications and security, which includes availability, confidentiality, and integrity. However, that discussion was more about visibility into the environment for security operations. I purposely left off the discussion of gaining integrity and confidentiality of the data housed within those business critical applications. Security encompasses a great number of technologies, and those that provide integrity and confidentiality often differ from those that provide visibility into an environment, which in turn differ from those that provide availability.
Integrity and confidentiality of data are crucial components of business critical applications. This implies there needs to be at least one method to digitally sign your data (for integrity), a means to audit who changed the data, and a way to prevent change by unknown folks. Confidentiality, on the other hand, is about preventing viewing of data by unauthorized people. Within any virtual and cloud environment it is difficult at best to impose any form of confidentiality and integrity. We need to be able to encrypt the data, but also restrict (or at the very least log) what data has changed and by whom.
Governance, Risk, and Compliance (GRC) applications are very good at reading log files and determining from them what has happened (or at least correlating data that MAY be what you want to look into; there is quite a bit of training involved here). In a virtual environment we have multiple ways to digitally sign or encrypt data. We can encrypt data at rest at the storage layers, within the virtual workloads, within the applications, and as data enters those applications.
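To make the integrity requirement above concrete, here is an added example (not code from the original post or from any vendor named here) of an application-level audit trail that records who changed what, when, where, and how, and detects both tampering with the log and changes to the data by unknown parties. It uses an HMAC, a keyed MAC standing in for a true digital signature, so anyone holding the key could forge entries; the key, field names, and sample records are constructed assumptions.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # assumption: real keys come from a key manager
GENESIS = "0" * 64                  # "previous MAC" value for the first entry

def _mac(key, body):
    # Canonical JSON so the same entry always yields the same MAC.
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def append_change(log, key, who, when, where, how, record_id, new_value):
    """Record who changed what, when, where and how; chain it to the previous entry."""
    entry = {"who": who, "when": when, "where": where, "how": how,
             "record_id": record_id,
             "value_sha256": hashlib.sha256(new_value).hexdigest(),
             "prev": log[-1]["mac"] if log else GENESIS}
    entry["mac"] = _mac(key, entry)
    log.append(entry)

def first_bad_entry(log, key):
    """Return the index of the first altered, forged or out-of-chain entry, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("prev") != prev or not hmac.compare_digest(_mac(key, body), str(entry.get("mac", ""))):
            return i
        prev = entry["mac"]
    return -1

def value_is_audited(log, record_id, current_value):
    """True only if the stored value matches the most recent logged change."""
    digest = hashlib.sha256(current_value).hexdigest()
    for entry in reversed(log):
        if entry["record_id"] == record_id:
            return hmac.compare_digest(entry["value_sha256"], digest)
    return False  # never logged: a change by an unknown party

def sample_log(key=DEMO_KEY):
    """Constructed sample data: three changes to two records by two users."""
    log = []
    append_change(log, key, "alice", "2013-01-07T09:00:00Z", "app01", "UPDATE", "cust-42", b"limit=1000")
    append_change(log, key, "bob", "2013-01-07T09:05:00Z", "app02", "UPDATE", "cust-42", b"limit=5000")
    append_change(log, key, "alice", "2013-01-07T09:09:00Z", "app01", "UPDATE", "cust-77", b"limit=200")
    return log
```

Because each entry's MAC covers the previous entry's MAC, editing or deleting an earlier entry invalidates the chain from that point on, which is what lets a log reader trust the sequence and not just individual lines.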
Business Critical Applications – Encryption throughout the Stack
There are many places to put encryption into a virtual and cloud environment. In the figure to the right we show several layers of encryption and therefore confidentiality and integrity. Any place we can put encryption we can also place digital signatures and logging to determine who accessed what, where, when, and how. We start with In App Encryption and transition to Operating System Encryption, both of which are available within any environment today. Some have more associated risks than others. For example, VirtuStream just announced a deal with Vormetric to provide In App Encryption for SAP databases. In App Encryption often requires a detailed knowledge of the business critical application, but in most cases already has products associated with it. In the figure to the right, that is represented by the purple arrows. Data is encrypted within the application and sent through all the layers to the storage devices.
At the bottom of the figure to the right we have encrypting hardware, starting with encrypting host bus adapters (or ethernet devices) and encrypting switch fabric (such as devices from Brocade and others). We then transition to encrypting controllers within the arrays, and eventually to self encrypting disks. However, we tend to lose the ability to set our own encryption keys the deeper we go into the hardware (not impossible, but often difficult).
This leaves us the middle ground to discuss, which is in the heart of the virtual and cloud environments: the hypervisor layers. The hypervisor layers comprise ingress and egress filters, as well as virtual switches, virtual host bus adapters, and pretty much anything presented to the virtual machine. Some address the issue with encryption by enabling IPsec (at least for iSCSI) before data leaves the hypervisor and heads towards the storage. Others implement virtual storage devices (the red arrow), and others look into using hypervisor APIs to encrypt data at one of the filter layers (the orange arrow). The last two items in effect short-circuit the write to the storage device in order to encrypt the data within a virtual appliance, which then uses a traditional method to write to the storage device.
Virtual Storage Appliances
Virtual Storage Appliances (VSA) can provide an encrypted data path once the data moves into the VSA, which is generally over some network connection (red arrow in the above figure). If the data is written from a VM within the same hypervisor running the VSA, then the data remains trapped and difficult to access. If the data has to cross host boundaries to reach the VSA, however, the data could go over the wire unencrypted. The same holds true if you use an encrypting fabric switch. There are two such devices for the virtual environment.
- AFORE – AFORE CloudLink provides an encrypted virtual storage appliance from which you can run your VMs. CloudLink runs within the virtual or cloud environment and, using keys set up by the tenant (or virtual environment security administrators), provides a means to encrypt the data at rest long before the data hits the physical storage environment.
- HighCloud Security – HighCloud Virtual Machine Vault provides an encrypted virtual storage appliance from which you can run your VMs. HighCloud manages all the keys (provided by the security administrator) across clouds and within any virtual environment. HighCloud Security also provides In-VM encryption while managing the keys.
Other Methods
There are also several other methods we should consider such as encrypting the data before it enters the virtual environment and providing an encrypted store for the data from the following vendors.
- Trend Micro – Trend Micro SecureCloud provides a mechanism to encrypt critical application data at the filesystem level within a virtual machine. The keys are managed externally and kept only in memory as long as needed. Such a file system could be backed by any other method within the stack or even out in the cloud.
- CipherCloud – CipherCloud provides a mechanism to encrypt data before it enters an application using function preserving tokenization and encryption techniques.
- Voltage Security – Voltage Security provides a mechanism using standard encryption protocols and tokenization mechanisms to encrypt data on entry using format preserving encryption techniques.
- Use of Hypervisor APIs to encrypt the data before it even hits a network path. This is represented by the orange lines in the above figure, but is mostly theoretical at the moment.
In the End
At the end of the day, however, we need to find ways to encrypt or digitally sign our data while providing logging of who did what, when, where, and how. Unless such audit logs are built into the encryption and digital signature tools, operating system, or application, auditing compliance is difficult. The technology exists to protect our Business Critical Applications data. The question is where in the stack we are willing to place the protections, and what risks are associated with such practices. The need is there, the tools exist, and modern hardware (Intel Westmere and newer chipsets) makes encryption easier and faster.
Which tools do you use?