The Big Red Easy Button
By now, most folks know that VMware offers encryption with both vSphere and vSAN and that HyTrust KeyControl is VMware’s preferred method to enable encryption for both. The fact that HyTrust KeyControl is the preferred method is a telling story. Organizations looking to encrypt are trying to do so as efficiently and simply as possible. KeyControl fits that bill perfectly. KeyControl deploys as an OVA. Simply import the OVA via vCenter\vCSA, then add the KeyControl nodes to the KMS section under the vCenter settings to enable encryption. That’s your big red easy button.
Do We Need DataControl too?
As I help to educate customers and enable partners, this question always comes up. “If we have enabled vSphere and\or vSAN encryption, do we still need HyTrust DataControl encryption?” To that, I always answer, “It depends”. It depends on what the use case is. Below are a couple of strong use cases for adopting DataControl to encrypt your VMs.
Use Case #1 – High Availability VMs: For many VM workloads, using vSphere or vSAN encryption is fine. However, if you have mission-critical VMs that are core critical to your organization and absolutely cannot afford to take the VMs offline for a long maintenance window, then DataControl is really what you are looking for.
Why: DataControl allows you to encrypt and rekey VMs on the fly. Certain regulatory compliance best practices have you rotate the keys every 12 months and some recommend every 6 months. Rotating the keys is a rekey operation. In most cases, a deep rekey is required. A deep rekey is the complete re-encryption of the entire data. Think about what this means if you have HIPAA or PCI-DSS data in your environment. You’d have to take a maintenance window each time you had to rekey your data if you didn’t have the option to rekey the VMs, live and on the fly. This would only serve to add OPEX to your organization as your IT staff would have to perform this operation after hours or on weekends. DataControl solves this dilemma by allowing you to do it without a maintenance window. Done!
Use Case #2 – Mobile workloads: VMs that require mobility and traverse from on-prem data centers to the cloud or secondary sites, will have to be decrypted before leaving the vSphere or vSAN cluster. This introduces a new risk factor. Once again, DataControl is the recommended solution.
Why: Because DataControl is an in-guest encryption solution, the policy agent will move with the VM as it traverses to and from any site, anywhere. Therefore, the VM is always protected. No need to decrypt the VM as it leaves a cluster or environment. Simply migrate it and have peace of mind. that’s it!
DataControl, vSAN, and vSphere encryption are COMPLIMENTARY
As I stated above, what you choose depends largely on what your business and technical requirements are. HyTrust and VMware encryption solutions are complimentary. Don’t let anyone tell you different. All three solutions satisfy very different encryption use cases. If you run into anyone telling you that you don’t need DataControl simply because you already have vSAN and\or vSphere encryption or vice versa, more than likely they’re not real architects or lack seeing the bigger picture. 99% of the time, organization see the value of having all three encryption methods deployed. Now VMware customers can take advantage of and fully realize the ROI of their VMware environments. This is a win-win-win scenario for customers, HyTrust, and VMware. As they say, you can have your cake and eat it too!