As enterprises move more and more to complete, self-contained services like the mainstream cloud offerings of Microsoft, Amazon, IBM and Google, I often raise concerns about the security aspects being coupled to the same provider. Enterprises and users are getting, if they haven’t already, more and more comfortable with giving up their physical and virtual servers, applications and storage, but they are not, and should not be, comfortable giving up control of their sensitive data. The shared responsibility models of Cloud Service Providers (CSPs) delineate between the physical layer (network, disks, memory, etc.) and responsibility for what resides in storage and compute.
Treating security and compliance as merely a tick-box function of the IaaS cloud vendor’s service is a risky proposition for enterprises and severely diminishes their own obligation of responsibility around security. The call is for independent, enterprise-controlled security. And here’s why:
- Cloud Service Providers provide security/encryption for the CSP-controlled hypervisor
- Hypervisors contain vulnerabilities and flaws
- CSPs control the hypervisor, so exploitation of it, whether through malice or on behalf of a government mandate, is possible
- Encrypting at the hypervisor is too low a level to prevent the virtualization administrator from seeing the data
- Encrypting at the hypervisor leaves the encryption exposed to any hypervisor-based attack: because the encryption is a function of the hypervisor, a hacked hypervisor exposes the encryption itself
A more logical approach is to employ better key protection. In-guest encryption provides the best independent encryption methodology for protecting your cloud workloads. In-guest encryption is separate from the hypervisor, which allocates virtual memory partitions per VM and can expose the encryption keys held in active memory, whether through administrative access or a “hacked” hypervisor. In-guest encryption makes such a memory attack harder and reduces the chances of it succeeding.
The other benefit that in-guest encryption offers over hypervisor encryption is portability. With in-guest encryption you preserve the encryption and take it wherever you want (across clouds, etc.), and it also works very well in hybrid and DR set-ups. Hypervisor-based encryption ties you to particular hypervisors, clouds and hardware.
A cloud-agnostic platform, with enterprise-controlled key management and in-guest encryption, is the best approach to your most compliance-centric, independent and robust encryption requirements.
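Two posture checks a defender could run inside a VM to confirm that a sensitive mount is encrypted by the guest itself and that its unlock key is not sitting on the same CSP storage, as an added example that is not part of the original post. It assumes a Linux guest using dm-crypt/LUKS (the post names no particular tool) and parses constructed `lsblk` and `/etc/crypttab` samples rather than a live system.

```sh
# Added example, not from the original post. Assumes a Linux guest using
# dm-crypt/LUKS for in-guest encryption (an assumption; the post names no tool).

# Constructed sample of `lsblk -P -o NAME,TYPE,MOUNTPOINT` output.
SAMPLE_INGUEST='NAME="xvda" TYPE="disk" MOUNTPOINT=""
NAME="xvda1" TYPE="part" MOUNTPOINT="/"
NAME="xvdb" TYPE="disk" MOUNTPOINT=""
NAME="data_crypt" TYPE="crypt" MOUNTPOINT="/srv/data"'
SAMPLE_CSP_ONLY='NAME="xvda" TYPE="disk" MOUNTPOINT=""
NAME="xvda1" TYPE="part" MOUNTPOINT="/"
NAME="xvdb" TYPE="disk" MOUNTPOINT="/srv/data"'

# Constructed /etc/crypttab samples (fields: name  device  keyfile  options).
CRYPTTAB_LOCAL='data_crypt /dev/xvdb /root/data.key luks'
CRYPTTAB_EXTERNAL='data_crypt /dev/xvdb none luks'

# mount_is_in_guest_encrypted <lsblk output> <mountpoint>: prints yes if the mount
# sits on a TYPE="crypt" device (the guest kernel encrypts, independently of what
# the hypervisor or CSP does underneath), no if on a plain disk/partition, absent
# if nothing is mounted there.
mount_is_in_guest_encrypted() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        {
            type = ""; mount = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                gsub(/"/, "", kv[2])
                if (kv[1] == "TYPE") type = kv[2]
                if (kv[1] == "MOUNTPOINT") mount = kv[2]
            }
            if (mount == mp) {
                r = (type == "crypt") ? "yes" : "no"; print r; found = 1; exit
            }
        }
        END { if (!found) print "absent" }'
}

# key_source <crypttab contents> <mapping name>: prints local-keyfile when the
# unlock key is a file on the guest disk (it then lives beside the ciphertext on
# CSP storage), external when it is supplied from outside at unlock time
# (passphrase, agent or enterprise-controlled KMS), absent if the name is unknown.
key_source() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == name {
            if ($3 == "none" || $3 == "-") print "external"; else print "local-keyfile"
            found = 1; exit
        }
        END { if (!found) print "absent" }'
}

# On a real guest: mount_is_in_guest_encrypted "$(lsblk -P -o NAME,TYPE,MOUNTPOINT)" /srv/data
```

A result of `no` means the guest is relying entirely on whatever encryption the CSP applies below the hypervisor; `local-keyfile` means the key travels with the disk image and gains nothing from enterprise-controlled key management.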