This blog series focuses on different aspects of Cisco HyperFlex. In today's blog we'll go over the main types of encryption we implement, what they are and why they're vital to an organization's data encryption strategy. Most organizations today understand the table-stakes nature of data encryption that protects sensitive information, even in the event of a data leak. And we've all winced at the headlines when data breaches do occur and result in reputational, if not real, damage to companies and organizations.
There are a number of encryption capabilities protecting HyperFlex clusters that have been developed with stringent hardware and software guidelines in place. These include Self-Encrypting Drives (SEDs) and Cisco HyperFlex Software-Based Encryption (SWE), which is a native feature of the HyperFlex Data Platform. Both types are data-at-rest encryption (DARE) implementations. Additionally, Cisco has qualified various key management solutions using VM-level encryption from 3rd-party partners like Gemalto and Vormetric (both parts of Entrust as of this writing). These key managers are only for SED-based systems, since Cisco's software encryption solution uses the Intersight integrated key manager.
Encryption on a Hyper-converged system like Cisco HyperFlex uses data-at-rest encryption whether it is using SEDs or via HyperFlex native software encryption (SWE). These systems are storage devices with all relevant services rolled into the appliance (compute, memory, networking). Encrypted communication between HyperFlex clusters, for example with backup or replication, is the purview of the intervening network devices and solved using IPSEC, VPN or similar technologies.
HyperFlex Data Platform Software Encryption uses industry-standard strong encryption algorithms and is compliant with US Federal certification requirements. It also takes advantage of Cisco HyperFlex's unique features and cloud technologies. A distinguishing feature of HyperFlex SWE is its ability to work with the HyperFlex storage optimizations that have been available from day one. Post-process encryption, such as transparent clients on guest VMs or application-level encryption, cannot provide the advantages HyperFlex SWE offers in this regard, since it takes place once data is written to disk. Inline encryption in the write IO path retains all the HXDP storage optimizations that are otherwise present in unencrypted or SED-based deployments.
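To illustrate why the placement of encryption relative to deduplication and compression matters, here is an added example (not Cisco's code and not the HXDP algorithm) that simulates both orderings on a constructed, highly redundant workload. The hash-based keystream cipher, the 4 KiB block size, the key and the sample records are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import zlib

BLOCK = 4096
KEY = b"constructed-demo-key-not-a-real-secret"  # constructed sample key, not a real secret


def encrypt_block(block: bytes, key: bytes, tweak: int) -> bytes:
    """Stand-in for a tweakable disk cipher such as AES-XTS: the tweak
    (logical block address) makes identical plaintext at different addresses
    produce different ciphertext. A hash-based keystream is used so the example
    runs with the standard library only; it is NOT a production cipher."""
    stream = b"".join(
        hmac.new(key, tweak.to_bytes(8, "big") + i.to_bytes(4, "big"),
                 hashlib.sha256).digest()
        for i in range((len(block) + 31) // 32))
    return bytes(a ^ b for a, b in zip(block, stream))


def unique_blocks(blocks):
    """Deduplication: keep one copy per distinct block content."""
    unique = {}
    for b in blocks:
        unique.setdefault(hashlib.sha256(b).digest(), b)
    return list(unique.values())


def guest_encrypts_first(blocks):
    """Encryption above the storage stack (guest VM or application): the
    storage layer only ever sees ciphertext. Returns (unique_count, stored_bytes)."""
    ct = [encrypt_block(b, KEY, lba) for lba, b in enumerate(blocks)]
    uniq = unique_blocks(ct)
    return len(uniq), sum(len(zlib.compress(b)) for b in uniq)


def inline_encrypt_last(blocks):
    """Inline write-path encryption: dedupe and compress plaintext first,
    then encrypt the reduced data as it goes to disk. Returns (unique_count, stored_bytes)."""
    uniq = unique_blocks(blocks)
    return len(uniq), sum(len(encrypt_block(zlib.compress(b), KEY, i))
                          for i, b in enumerate(uniq))


def sample_workload(distinct=8, copies=8):
    """Constructed workload: 64 blocks of repeated log-style records,
    only 8 of which are distinct."""
    patterns = [(f"record {i} status=ok ".encode() * 400)[:BLOCK] for i in range(distinct)]
    return patterns * copies


if __name__ == "__main__":
    blocks = sample_workload()
    print("guest-side encryption :", guest_encrypts_first(blocks))
    print("inline encryption     :", inline_encrypt_last(blocks))
```

With guest-side encryption every block is unique and incompressible to the storage layer, so the footprint grows past the raw 256 KiB; with inline encryption the same data reduces to 8 unique, compressed blocks before it is encrypted.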
While encryption is extremely important for an overall excellent security posture, it is not a catch-all. Encryption does not protect against direct breaches of the HyperFlex Controller VMs or exploits that occur upstream of the storage stack, for example in the hypervisor, guest VMs, or VM-based applications. Protection of these software assets is a normal part of regular due diligence and is achieved through timely patching and hardening of these components.
Make sure your organization is making headlines for positive reasons and never for data-breach scenarios. When designing Cisco HyperFlex we've taken a holistic approach that uses industry-standard strong encryption at the component, system and cluster levels, built in since day one.
Get additional information about Cisco HyperFlex:
Watch the Demo Video: Enabling HyperFlex Native Software Encryption
Read the White Paper: HyperFlex Encryption