Data sovereignty isn’t easy in a public cloud world. There are four major public cloud providers: Amazon, Microsoft, Google and IBM, and they are all beholden to the laws of the United States of America. The U.S. government isn’t exactly big on privacy for its own citizens, and apparently has zero regard for the privacy of non-U.S. citizens. So where does that leave the other 7 billion of us?
One option is to check and see if your preferred public cloud provider has a datacenter option in which the operation of that datacenter is handled by a local data trustee. These special datacenters, of which Microsoft’s Azure Germany is the canonical example, are not directly operated by the public cloud provider.
Separation of Powers
Strict firewalls exist between the operations that may be performed by the vendor whose nameplate is on the datacenter and who provides the underlying technology, and the operations that are performed by the data trustee. The short version is that with these legally isolated datacenters, a judge in the U.S. can order the public cloud provider to hand over data all they want; the agreement between the public cloud provider and the local data trustee makes it impossible for the public cloud provider to comply, even if it wanted to.
With legally isolated datacenters, the public cloud provider simply doesn’t have the right to access that data, forcing nationalist judges to rely on proper international legal channels. In the case of a legally isolated datacenter located in Germany, the end result is that the customer putting their workloads in that datacenter ends up with more rights and freedoms to defend themselves with.
Of course, legally isolated datacenters that use the technology of a major public cloud provider are exceptionally rare. The overwhelming majority of the “regions” provided by public cloud providers in countries around the world are operated directly by the public cloud provider, and thus they, and any customers using those datacenters, answer to U.S. law. This is a problem if you’re a non-American individual or organization, given the U.S. government’s disregard for our rights.
Systems administrators don’t always win arguments with suits on this topic. There’s always the pointy-haired boss who reads something in an airplane magazine, or gets bamboozled by a fancy lunch at a conference. Fortunately, for those of us who get told to “make it happen,” there are options.
VMware Cloud on AWS
Those of us using the latest versions of VMware’s offerings will probably have noticed that virtual disk encryption has been included. This is a long-awaited feature, and it certainly helps make things more secure in our datacenters.
Where the public cloud enters this discussion is with the emerging VMware Cloud on AWS. Described by some as “just vSphere with VSAN running on AWS,” VMware Cloud on AWS is the quick and dirty way for VMware administrators to take all their skills and knowledge to the public cloud without actually needing to learn how to bend the public cloud to their will.
Fortunately, this includes virtual disk encryption. As with all such encryption solutions, running workloads are vulnerable to someone snapshotting the RAM to extract the encryption keys, but there isn’t much anyone can do to avoid that. With VMware Cloud on AWS, at least the customer controls the encryption keys without having to rely on a public cloud provider that is vulnerable to U.S. legal shenanigans.
Vormetric also has some products worthy of note. At the core is Vormetric Data Security Manager, which is essentially a key manager. It has a REST-based API and robust user and privilege controls. Perfect for even the most convoluted of next-gen hybrid cloud DevOps environments.
Vormetric Transparent Encryption offers an operating system agent that runs on top of the file system. This provides encryption not only for regular files but also for structured storage such as databases. It runs on a host of operating systems and supports the major databases as well as NoSQL and other next-gen startup storage solutions.
Vormetric has a host of other products, ranging from encrypting Docker containers to solutions that allow developers to incorporate column-level encryption into applications they’re designing. They have a robust log system that integrates with the major SIEM systems, and even offer Key-Management-as-a-Service (KMaaS) for those who don’t want to stand up their own KMS. Vormetric’s KMaaS plugs into Salesforce Shield and is expanding to integrate directly with other SaaS solutions.
I’ve never used Vormetric’s offerings personally, but during recent research into how to secure cloud workloads of various types, it was the one solution that was consistently discussed and frequently recommended by those I’ve talked to. The Vormetric KMS offerings seal the deal for practitioners. On-premises workloads, cloud workloads and, one at a time, SaaS workloads can all be secured while only having to monkey with a single KMS. I can see the appeal.
There are plenty of other offerings out there from other vendors; VMware and Vormetric are only two examples. The technology to secure our workloads and defend the rights of our organizations and our customers is out there. There’s no excuse not to be using it.
Trevor Pott is a full-time nerd from Edmonton, Alberta, Canada. He splits his time between systems administration, technology writing, and consulting. As a consultant he helps Silicon Valley startups better understand systems administrators and how to sell to them.