Data encryption is a major part of computer security and this comes in at every form that you can think of. From where the data originates, how it is transferred, and stored long term must all be taken into consideration. Take for instance your mother's secret recipe. It was on her fridge for years so you decide to make a copy of it on your computer. Years later you donate the computer to the thrift store. Then someone checks out the hard drive and the secret recipe is used to make millions at a chain restaurant. Is this a silly example? No. It happens all the time where data is not secured and thus is exploited down the road.
Securing your data starts with where it originates most of the time. Your computer. When it comes to making sure that your computer is encrypted is usually thought of when it comes to laptops but it really does impact every computer you ever touch. In the laptop realm it boils down to the fear of the computer being stolen. Something happens at a coffee shop and the next thing you know it was stolen with no recourse. Things like this happening is why employers require laptops to be encrypted. They never know what may be permanently or temporarily stored on your laptop while you are away from the office. Its a level of insurance and safety for company secrets.
I’m going to break off here in the realm of full disk encryption in regards to full disk encryption on virtual machines. This is something that you don’t see much (these days) and most people don’t think about it. Our virtual machines are the first thing that people think about when it comes to spinning up an environment for their needs. They will then go through the process of firewall, hardening, password management, and more to make sure they are secure. As the environment grows, what about the VHD or VMDK? Backups will be taken and snapshots made. The important take away point here is the risk of whole virtual machine theft and the ease of access after they have the virtual machine file itself. Without encrypting the drive, the inside of the virtual machine file, they can mount the drive and take what they want.
There are two lines of thought here for encrypting the drive. One is to simply encrypt the HDD where the virtual machine drive files exist. This is fine except it is not protecting you. Sure if someone walks away with the physical hard drive then its useless to them but if they can copy the virtual machine hard drive while the system is turned on then you just handed them unencrypted data. The other line of thought is installing the encryption software inside of each virtual machine. In large deployments this can be a nightmare to manage. Especially if you are rebooting the server remotely and have no way to see the console for entering the encryption password. There are trade-offs for the scenarios that must be taken into account.
Finally there is concern about the speed of the HDD responses with encryption software in place. With todays encryption opens such as truecrypt (no longer supported, sad) and bitlocker, they are basically as fast as writing directly to the hard drive. In situations where encrypting the drive is not an option due to certain company requirements, you may be left with the only option of a literal lock and key. Lock down the network so they have no way to copy off the virtual hard drive and place the virtual host behind lock and key with no options for removable media.
No comments:
Post a Comment