Thales e-Security Blog

The Case for Best Practices Key Management in Cisco HyperFlex

Hyperconverged infrastructure adoption has grown tremendously over the past few years, and for good reason. Solutions like Cisco’s HyperFlex can provide cloud-like simplification and savings with on premises data center-like scale, performance, and reliability; the best of both worlds. And, like any enterprise computing environment, the encryption of sensitive data has become a fundamental requirement. Cisco has addressed this with its self-encrypting drives within Cisco HyperFlex, which includes basic encryption key management as a vital line of defense.

While this native on-disk key wallet can be sufficient for some customers, they increasingly require more robust best-in-class key management to ensure data security. For these, Thales eSecurity and Cisco have worked together to utilize the Key Management Interoperability Protocol (KMIP) standard to integrate the Thales Vormetric Data Security Manager (DSM) with Cisco HyperFlex.

DSM centralizes management and policy for all Vormetric security platform products, including key management. And, the important data security point to make here is that Vormetric Key Management goes well beyond the basics, providing advanced capabilities such as separation of duties, securing keys separate from data, backups, redundancy and resiliency, standards compliance, as well as key management for disparate data environments. These are all elements of “best practice” key management.

Separation of duties ensures that key authority is limited to the people within those roles and that their authority cannot extend to areas they don’t have responsibility for.

Separation of keys from the data (not stored on the same disk) aids compliance with regulations and standards such as PCI DSS, HIPAA and others.

Maximizing key availability and redundancy, leverages secure replication of keys across multiple appliances with automated backups. Automated alerts help prevent unexpected key expiration.

FIPS 140-2 compliance safeguards cryptographic keys. By separating key management from storage management, organizations can establish strong safeguards and separation of duties.

Unified key management ensures that as the use of encryption continues to expand throughout an enterprise, a single key management system expands with this, especially to include disparate systems. Distributed, insecurely managed keys can severely compromise or eliminate any of encryption’s security benefits. Another advantage of centralized key management with DSM is that Thales not only centrally manages keys from Cisco HyperFlex, but also from third party applications and devices. Plus, additional advanced Thales data security capabilities can be deployed from the same DSM platform, such as Vormetric Transparent Encryption. This fosters consistent policies, aids in compliance, eases management, and reduces training and maintenance costs.

For more information on the Thales eSecurity and Cisco solution, please click here.

For more information on Vormetric Data Security Manager and integrated key management, please click here.