By Tim Bramble | January 08, 2015
After months of development and behind-the-scenes preparation, Microsoft has announced its Azure Key Vault. We were proud to be invited by Microsoft to participate in early development and integration of our CloudLink data security product with Azure Key Vault. You can read the formal announcement here. In this post, let me highlight a few important aspects of the news.
We, at CloudLink, have a mission to integrate services provided by operating systems, virtualization platforms and cloud providers with security solutions that are more than the sum of their parts. We do this by orchestrating key management and policy-based security control in ways that are easy to deploy and use by enterprise IT across the hybrid cloud.
Frequently, our customers tell us that they don’t want cloud providers to have complete control over encryption keys because of the data access this allows. However, customers do want to leverage the security, convenience and reliability of cloud-based key management. Given our customers’ concerns, we looked at how CloudLink could help them take advantage of the benefits of the hybrid cloud while leveraging the reliability and security of a cloud provider-hosted keystore.
As with many fruitful endeavors, the secret to success is finding optimal balance. For the hybrid cloud, the challenge is balancing the convenience of relying on a cloud provider for key management and the confidence of being the master of your own keys. With our CloudLink SecureVM solution, the cloud provider is responsible for key generation and storage. The customer controls the policy regulating key access and use. The following diagram illustrates how CloudLink SecureVM works with Microsoft Azure Key Vault.
A key point is that VMs secured by CloudLink SecureVM do not talk to Microsoft Azure Key Vault directly, but rather to CloudLink Center, the solution’s security policy and key management virtual appliance. CloudLink Center can be deployed anywhere in the hybrid cloud. When deployed in the private cloud, only the VM owner (the customer) has full control of CloudLink Center’s operation. In other words, both the customer and the provider have access to Microsoft Azure Key Vault, but only the customer has access to CloudLink Center and is, therefore, the only one with access to the VMs’ sensitive data.
The value of Microsoft Azure Key Vault is in its reliability, availability and features such as hardware-backed key generation and storage, not to mention its rich API. In this solution, the value of CloudLink lies in the degree of security control it gives customers while maintaining the automation and ease-of–use associated with the cloud.
But there’s more. Some of our customers place a high priority on hedging their bets, hesitating to use a single cloud environment exclusively. In particular, large enterprise customers–often with thousands of VMs running in the cloud and requiring security–want the same solution to work in at least two clouds (let’s say Microsoft Azure and Amazon Web Services, IBM SoftLayer, VMware vCloud Air or Google Cloud Compute).
Even if a customer makes Azure its primary cloud provider with Microsoft Azure Key Vault as its key store, this does not necessarily mean that all VMs will run exclusively in Azure. Typically, many operational and business considerations require the use of alternative cloud providers. CloudLink enables such use cases with ease. Just register VMs running CloudLink SecureVM, no matter where they are deployed, to a CloudLink Center connected to Azure Key Vault!
There you have it: a hybrid multi-cloud security solution that benefits from the convenience and security of cloud-based key generation and management, offered by Microsoft Azure Key Vault, while affording you exclusive control of, and access to, your sensitive VMs and their data.
If you’d like to give this a try, let us know and we’ll provide you with a preview version of CloudLink SecureVM which supports Microsoft Azure Key Vault.