The new VM Encryption tool in vSphere 6.5 goes beyond standard VM-level security by performing the encryption at...

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

the hypervisor level.

Doing the encryption at the hypervisor level instead of in the virtual machine makes encryption agnostic, as well as policy-driven -- VMware VM Encryption is managed via storage policy. While the main purpose of the tool is to enhance security, it means encryption is no longer an all-or-nothing proposal; encryption of the storage area network or underlying storage are no longer the only options.

There is a small overhead for VM Encryption, though this is to be expected in any encryption system. For what it's worth, I hardly noticed the overhead during my experimentation with ESXi encryption.

Implementing VM Encryption is quite simple. You can easily set up a basic proof of concept (POC) implementation for the encryption infrastructure, as VMware has designed the underlying cryptographic system to use third-party plugins. VMware's current list of approved vendors includes RSA and Symantec, as well as several others. There is currently no VMware implementation.

Before implementing the encryption system, it's important to understand how VM Encryption works. Put simply, the encryption is handed from the encryption VM to its client, the vCenter.

Setting up the cryptographic back end is straightforward. Most vendors will ship a VM appliance that can be installed, powered on and configured. Since configuring the cryptography for each of the vendor plugins is beyond the scope of this guide, I simply used the modified POC encryption manager that VMware released to beta testers.

This test version only keeps encryption keys for the duration of the machine's uptime. This is just a demonstration system and the encryption key will be lost upon reboot, so don't encrypt any machines you actually use. The best way to avoid running into trouble is to create a couple of test VMs.

Before implementing the encryption system, it's important to understand how VM Encryption works. Put simply, the encryption is handed from the encryption VM to its client, the vCenter. The vCenter then provides keys as needed to the ESXi hosts. These are stored in a secure manner to enable you to unlock the VM. The keys are never written to the disk on the ESXi host. However, the intermediate keys for locking and unlocking the VMs are stored in a secure encryption enclave.

To set up the encryption server, you need to set up a Linux host with Docker. Once you've done this, pull down the Docker image and run the instance with the following command:

sudo docker pull lamw/vmwkmip

sudo docker run --rm -it -p 5696:5696 lamw/vmwkmip

At this point the Docker image should be running on port 5696.

Now that we've covered how encryption is applied, let's look at how to set up the infrastructure. First, add the Key Management Service (KMS) server to the vCenter by going to the top level of the vCenter configuration menu and selecting Key Management Servers from the hyperlink on the left.

This will bring up a dialog box that allows you to enter KMS server details. The exact details will vary, and some KMS server configurations may require a username and password. We don't need to use one in this instance. The server address should be that of the Ubuntu server. The port used for this example is 5696.

Once you've submitted the KMS details, you'll be prompted to accept a certificate; accept this, and KMS will be set to the default.

At this point, the cryptographic configuration is complete. However, a single KMS is a single point of failure, therefore, I recommend configuring a minimum of two. Do not encrypt the vCenter or it will prevent vCenter from booting. You need to avoid this because vCenter is a key component of the cryptographic infrastructure.

The next step is to create an encryption storage policy. If you navigate to VM Storage Policies, you'll see a new storage policy titled VM Encryption Policy. There are several options that you can modify if necessary.

At this point, you can encrypt the VM. It's best practice to only encrypt the disks; it's possible to encrypt other items, but it's unadvisable unless you have an overriding reason to do so.

From here on out, encrypting the VM is clear-cut. Before encrypting a device, you must first power it off. Navigate to the VM you plan on encrypting and right-click to edit its setting and expand the disks to encrypt. Select the VM Encryption Policy from the VM storage policy drop-down menu.

Disabling VM Encryption is as easy as changing the policy to the default data store policy. Again, you must power off the VM to perform the necessary actions.

There are a few caveats to using VM Encryption. For one, it does not support exporting encrypted VMs to open virtualization format. The use of cryptography on a per VM basis is dependent on the business and security requirements of the company in question. Exercise caution when implementing the encryption and make sure you fully understand and recognize the ramifications and functionality of encryption.

NSX leads the pack for VMware security

Explore ESXi hypervisor security features

What's next in the world of cryptography?

Follow this link:

Set up VMware VM Encryption for hypervisor-level security - TechTarget

Organizations are adopting encryption at a rapid and increasingly urgent pace. Why? Because encryption helps organizations support dynamic industry regulations while also protecting sensitive data thats placed in the cloud.

The trend of adopting public cloud solutions continues to grow, but protecting critical data in the cloud is still a major concern. Its critical to protect data against external breaches and unauthorized access by cloud service providers. Collectively, organizations are diligently working with consultants and suppliers to implement solutions to keep their data safe.

In many specific instances, companies want to prevent their data from being accessible to cloud service providers (CSPs). However, organizations are now facing a new dilemma: What are they supposed to do when they want to permanently delete their data in the cloud?

Regulatory compliance and cloud data protection are two driving reasons for establishing encryption and encryption key management strategies. Furthermore, in the new world of cloud data security, the old concept of a castle has become ineffective; the concept of a curated museum is much more applicable to cloud data security. In this new world, organizations want to share data appropriately with many users and platforms without running the risk that it will be taken, changed, hijacked, destroyed or accessed by unauthorized users.

Learn more about Multi-Cloud Data Encryption

To complicate matters, the value of data can change quickly. As we know, information such as quarterly financial data has high value prior to its disclosure, but the necessity to keep it private significantly declines once the announcement of financial performance is released to the market. However, other data, such as pharmaceutical trial data, HR information from divested organizations and historical notes on litigation proceedings, can quickly become a liability if it is unintentionally disclosed to the wrong party after the collective work on these efforts has been completed.

When you combine the need for privacy, the desire to collaborate using shared data and the trend of leveraging cloud applications and storage, you can see the need to not only protect cloud-based data, but also to manage it throughout its entire life cycle, from creation to destruction. Furthermore, in the case of cloud deployments, this process needs to be managed and controlled in an environment that is not physically under your control. This last requirement raises the following questions:

Encryption has historically been used to protect data against unauthorized use. However, encryption can effectively erase data as well. This is called cryptographic erasure.

The National Institute of Science and Technology (NIST) released Special Publication 800-88, Revision 1: Guidelines for Media Sanitization, which detailed how encryption is part of media and data sanitation.

If strong cryptography is used, the publication stated, sanitization of the target data is reduced to sanitization of the encryption key(s) used to encrypt the target data. In laymens terms, this means that if the data is encrypted and you destroy the keys, the data is erased.

Of course, there are some qualifiers to claiming sanitization by cryptographic erasure. First, you must ensure that you have encrypted the data from the moment it was originally stored. Next, verify that you have exclusive access to all data encryption keys and ensure that all keys are wrapped under one or more wrapping keys. Finally, delete the wrapping keys to render the data encryption keys and data itself unrecoverable. Fortunately, these steps are not difficult to follow if you have the right tools.

For example, if you have a petabyte of data that has been encrypted from the moment it was placed in the cloud and control over the wrapping keys that protect the data encryption keys, then when you delete the wrapping keys, you render data encryption keys and the petabyte of data useless. This happens regardless of where the data is stored or whether you can even access the storage environment. In other words, you can effectively erase a petabyte of data by deleting just a few kilobytes of keys. Thats cryptographic erasure, and its powerful.

Naturally, you may want to recover the petabytes of bits associated with your now-useless data. Why pay to store petabytes of random bits? However, that is secondary to the erasure of the data itself.

The logistics of implementing cryptographic erasure fundamentally requires the system that stores and encrypts the data to be separate from that of encryption key management. Leveraging key life cycle management software packages helps maintain separation of these duties and functions.

Keeping your encryption engine separate from the encryption keys, as well as keeping the keys well-managed, is not just a best practice, but also keeps you on the right side of regulations and helps protect your most precious assets your encryption keys and encrypted data from threat actors. Remember that storage is inexpensive, but data is becoming infinitely more valuable, both as an asset and a liability. Control your data, protect it and ensure that it has a clear life cycle that you control.

The future architecture of data protection is clearly modular. We need to:

Following these practices ensures that your data, protected through encryption, will provide value through its lifetime and can be securely deleted when no longer valuable.

To protect data in a multicloud environment, organizations should still focus on implementing centralized policy management as well as centralized key management.

Guardium for Multi-Cloud Data Encryption offers the ability to encrypt cloud data across multiple clouds. It also integrates with IBM Security Key Lifecycle Manager. This combination of local but highly redundant key management, and the ability to concurrently manage tens of thousands of encrypted file systems or volumes in multiple clouds, gives organization the tools they need to protect and manage the entire life cycle of data regardless of where it resides.

Learn more about Multi-Cloud Data Encryption

Read this article:

How Encryption Makes Your Sensitive Cloud-Based Data an Asset, Not a Liability - Security Intelligence (blog)

I wrote yesterday about reports thatpeople in the White House are using encrypted communication apps more often, and why that might be. Today I want to follow up by talking about how the politics of encryption might affect government agencies choices about how to secure their information. Ill do this by telling the stories of the CIOs of three hypothetical Federal agencies.

Alice is CIO of Agency A. Her agencys leader has said in speechesthat encryption is a tool of criminals andterrorists, andthat encryption is used mostly to hide bad or embarrassing acts. Alice knows that if she adopts encryption for the agency, her boss could face criticism for hypocrisy, for using the very technology that he criticizes. Even if there is evidence thatencryption will make Agency Amore secure, there is a natural tendency for Alice tolook for other places to try to improve security instead.

Bob is CIO of Agency B. His agencysleader has taken a more balanced view, painting encryption as a tool with broad value forhonest people, and which happens to be used by bad people as well. Bob willbe in a better position than Alice to adopt encryption if hethinks it will improve his agencys security. But he might hesitate a bit to do so if Agencies A and B need to work together on other issues, or if the two agency heads are friendsespecially if encryption seems more important to the head of Agency A than it does to the head of Bobs own agency.

Charlie is CIO of Agency C. His agencys leader hasnt taken a public position on encryption, but the leader is known to be impulsive, thin-skinned, and resistant to advice from domain experts. Charlie worries that if he starts deploying encryption in his agency, and then the leader impulsivelytakes a strong position against encryption without consulting his team, the resulting accusationsof hypocrisy could anger the leader. That might cost Charlie his job, or seriously undermine the authority he needsto properly manageagency IT. The safe thing for Charlie to do is to avoid deploying encryptionnot only to preserve his job but also to protect the rest of the agencys IT agenda. If Charlie doesnt change the agencys practice, then criticism of the practice can be deflected onto the previous leaderand of course well be upgradingto the better practicesoon. Here the uncertainty created by the leaders management style deters Charlie from changing encryption practice.

Lets recap. Alice, Bob, and Charlie are operating in different environments, but in all three cases, the politics of encryption are deterring them, at least a little, from deploying encryption. Their decision to deploy it or not will depend not only on their best judgment as to whether it will improve the agencys security, but also on political factors that raise the cost of adopting encryption. And so their agencies may not make enough use of encryption.

This is yet another reason we need a serious and specific discussion about encryption policy.

Follow this link:

How the Politics of Encryption Affects Government Adoption - Freedom to Tinker

Encryption could soon become part of national debates over consumer issues ranging from data breaches to the safety of connected cars.

Not long ago, it was the sort of thing that only bankers, spies, and military leaders worried about. But, in today's digital world, encryption has become part of our everyday lives, protecting our ability to shop online, book flights, and hold private conversations.

According to Mozilla, the open-internet advocacy group that created the Firefox browser, 49.5 percent of global web traffic is now encryptedan increase of more than 10 percent in one year.

While security experts applaud that progress, they'd like to see even more encryption, to cut down on data breaches, identity theft, and the sort of hacks that could perhaps threaten the nation's power plants.

But not everyone views encryption as a force for good. For law enforcement officials, it's also a tool that allows thieves and terrorists to escape detection.

With a new administration in the White House, one vocal about fighting crime and stamping out terrorism, the debate over encryption's merits may soon surface once again.

Encryption may be central to many everyday transactions, but the issues can be tough to follow. Heres your cheat sheet.

Originally posted here:

Your Guide to the Encryption Debate - Consumer Reports - ConsumerReports.org