Tales From the Virtual Crypt

Users are wrestling with the challenges of encrypting virtual data

December 1, 2006


Complexity, key management, and lack of comprehensive offerings from vendors are a few of the challenges faced by users looking to encrypt their virtual data.

The heart of the problem is that multiple virtual machines often appear as a single entity to the storage fabric, making it difficult to encrypt individual applications.

"With virtualization, it's hard to encrypt on a user-by-user and an application-by-application basis," warns Eric Ogren, analyst at the Enterprise Strategy Group. "In a virtual server, you could be running multiple operating systems and applications using the same storage."

"Today, from a Fibre Channel perspective, all the different virtual machines look like one server," says Dore Rosenblum, vice president of marketing at encryption specialist NeoScale.

Users acknowledge the potential problem as they crank up their virtualization strategies. "From what I know about encryption, I would say that it would be a valid concern," says Sasan Hamidi, CSO of Miami, Fla., travel firm Interval International. Hamidi's group is in the early stages of rolling out VMware's ESX Server, although they have yet to encrypt any virtual data.

Another source says security issues could be a disincentive to virtualization. "If encryption were to be a problem for us, it would probably severely impact our move towards virtualization," says Shlomi Harif, director of network systems and support at Austin Independent School District, which is testing the technology.

Virtualization leader VMware, for its part, is attempting to address the encryption issue by working with HBA vendors on a technique that allows the HBAs to preserve the distinctions between virtualized applications. At the recent VMworld show, the vendor announced a partnership with Emulex based on the latter's LightPulse Virtual HBA, which will be available for VMware users in the first half of 2007. (See Emulex Teams With VMware.)

The idea behind the Emulex deal is that each virtual machine can access a dedicated HBA, effectively opening up the virtual infrastructure to fabric switches from the likes of Brocade, Cisco, and McData. In this way, applications running on virtual machines no longer appear as a single entity and can be individually encrypted.

But Hamidi is concerned that the additional layers of software required to achieve this will slow down his data encryption. At the moment he can encrypt non-virtual data almost instantaneously -- anything slower than that would be a problem for him. "In our environment we have a high number of files that contain credit card information that needs to be encrypted on the fly," he explains.

The other big encryption issue for users is key management, which, ironically, presents its own security threats. "The underlying premise of virtualization is shared memory space," explains Hamidi. "Theoretically, I could expose another application that shares the same memory and encryption keys."

ESG analyst Ogren says the sheer complexity of managing multiple encryption keys will be a major headache for users of virtualization. Key management has already been highlighted as a challenge by CIOs encrypting physical data, and Ogren warns that virtual machines give users even more keys to worry about. (See Orlando, Observed and Security Smorgasbord on Show.)

"The challenge is using keys to manage different applications running on the same machine," he says. "The big thing is working out how the keys interrelate -- how do you modify keys and change them as the system goes forward?"

The analyst warns that this is particularly tricky in the medical sector, where some records may need to be kept for 100 years, while others may only need to be kept for much shorter periods. Data lifespans also are subject to changes in compliance regulations such as the Health Insurance Portability and Accountability Act (HIPAA). (See Retention Rules Set to Change, Top Tips for Compliance, and Content Capture Considered.)


Vendor NeoScale has attempted to address the multiple key issues by teaming with Symantec, Optica Technologies, and Entrust to create software that manages encryption keys from different vendors. (See Multivendor Management Locked Up, All Keyed Up With NeoScale, NeoScale Centralizes Management, and NeoScale Faces Up to 4-Gig Encryption.)

NeoScale exec Rosenblum told Byte and Switch that the vendor is also working with the Trusted Computing Group on an open Application Programming Interface (API) for the keys that could be used to tie an encryption key to a specific virtualization engine. "That allows you to manage keys from anybody that supports the open API."

Given the problems related to encryption and virtualization, it's not surprising that products don't combine virtualization, encryption, and storage management today. "There's no one vendor providing comprehensive encryption and virtualization -- certainly, none springs to mind," says Dan Tanner, president of the New England Chapter of the ASNP and founder of consulting firm ProgresSmart.

These sentiments are echoed by StorageIO Group analyst Greg Schulz. The big challenge, he told Byte and Switch, is how users manage virtualization, including underlying storage and encryption keys. "There is no silver bullet," he adds, explaining that IT managers must rely on a mishmash of different products.

Even VMware has made only tentative moves in this space. Indeed, VMware is only just now dealing with the encryption issue at all. It has combined virtualization and encryption on its Assured Computing Environment for the Enterprise (ACE) product for laptops. (See VMware Delivers ACE.)

"ACE encrypts the entire laptop," explains Srinivas Krishnamurti, VMware's director of product management and market development. "We use some tricky stuff that I can't go into," he says, although he confirms that VMware developed the 128-bit encryption software itself.

When will VMware start looking to incorporate encryption on data center virtual servers, doing for itself what the HBA partnerships are intended to do presently? Krishnamurti won't be specific. "That's obviously an active project for us, but I can't talk about dates and products," he says.

— James Rogers, Senior Editor, Byte and Switch

  • Brocade Communications Systems Inc. (Nasdaq: BRCD)

  • Cisco Systems Inc. (Nasdaq: CSCO)

  • Emulex Corp. (NYSE: ELX)

  • Entrust Inc.

  • Enterprise Strategy Group (ESG)

  • McData Corp. (Nasdaq: MCDTA)

  • NeoScale Systems Inc.

  • Optica Technologies Inc.

  • The StorageIO Group

  • Trusted Computing Group

  • VMware Inc.
