Encryption solutions for the cloud Part 4: Vormetric

By Linda Musthaler | July 02, 2012

Posted in: Network Security Trends

This is the fourth in a series of posts on cloud encryption solutions.

Vormetric offers centrally managed encryption, key management and access control for data at rest across distributed heterogeneous environments. Vormetric Encryption supports all of the major platforms – Linux, UNIX and Windows – and can be used in physical, virtual and cloud environments.

Vormetric Data Security consists of two major components: the Vormetric Data Security Manager and the Vormetric Encryption Expert Agents.

The Data Security Manager is a FIPS 140-2 validated hardware appliance that most customers install in their own data center. Some cloud and SaaS providers have installed it in theirs so they can offer encryption to end customers as part of the service; in that arrangement the provider, not the tenant, operates the key manager, which matters to anyone whose threat model includes the provider itself. The appliance is the central point for creating, distributing and managing data encryption keys, policies and per-host data security configurations. It also collects the event logs for key creation, key requests and key use, so every release of a key to a host is recorded in one place.

The Encryption Expert Agents are software agents installed on the protected servers at the operating system level. They perform encryption, decryption and access control locally, on the system that is reading or writing the data at rest, rather than routing data through the appliance. The agents enforce the policies defined at the Data Security Manager console, which specify, for example, which user and which process may obtain a given encryption key, and under what circumstances.

This two-tier architecture lets encryption be distributed within the data center and out to remote sites, including "big data" environments with hundreds or thousands of servers, while keys and policy remain centrally managed. It also lets security teams enforce separation of duties: key management and policy management can be split across more than one data security administrator, so that no single person has complete control over the security of the organization's data.

Vormetric Encryption works at the file or folder level rather than following the common practice of encrypting an entire mounted volume. Volume encryption protects against lost or stolen media, but once the volume is mounted, anyone with filesystem permissions, a root or domain administrator included, reads cleartext; it offers no separation between the people who administer a system and the people who own its data. With file-level policy enforcement, privileged access alone does not produce cleartext: the file contents are encrypted, while names, sizes, timestamps and other metadata are left in the clear, so IT administrators can still do their jobs (backups, data replication and so on) on opaque ciphertext without ever being able to read the data. The trade-off is that this metadata itself stays visible, so the approach protects the contents of files, not the fact that they exist or what they are called.
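The following script is an added illustration of the model described in the last few paragraphs: a central key manager that releases keys only according to policy and logs every request, a host-side agent that encrypts file contents while leaving names and sizes visible, a backup identity that receives ciphertext without a key, and a policy change that needs two administrators to take effect. It is not Vormetric's code and does not reproduce its policy language; the role names, rule grammar and the sample payroll record are invented for the example, and AES is replaced by an HMAC-SHA256 keystream so that it runs on the Python standard library alone.

```python
"""Policy-driven file-level encryption modelled on the two-tier design above.
Added illustration, not Vormetric's code: roles, rule grammar and the sample
record are invented.  AES is replaced by an HMAC-SHA256 keystream so the
script runs on the standard library alone (a stand-in, not a recommended cipher)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


class PolicyDenied(PermissionError):
    pass


@dataclass(frozen=True)
class Rule:
    user: str       # "*" matches any user
    process: str    # "*" matches any process
    effect: str     # "clear" (key released), "ciphertext" (no key, raw bytes), "deny"


class SecurityManager:
    """Stand-in for the Data Security Manager: owns keys and policy, releases a
    key only when policy permits, and records every key request."""
    def __init__(self):
        self._keys, self._rules, self._pending, self.audit = {}, [], {}, []

    def create_key(self, name):
        self._keys[name] = os.urandom(32)

    def propose_policy(self, admin, rules):
        """Separation of duties: a change applies only once a second, different
        administrator submits the identical rule list."""
        for other, other_rules in self._pending.items():
            if other != admin and other_rules == rules:
                self._rules, self._pending = list(rules), {}
                self.audit.append(("policy_applied", admin, other))
                return True
        self._pending[admin] = list(rules)
        self.audit.append(("policy_proposed", admin))
        return False

    def request_key(self, key_name, user, process):
        effect = next((r.effect for r in self._rules
                       if r.user in ("*", user) and r.process in ("*", process)), "deny")
        self.audit.append(("key_request", key_name, user, process, effect))
        if effect == "deny":
            raise PolicyDenied(f"{user}/{process} denied")
        return self._keys[key_name] if effect == "clear" else None


def keystream_xor(key, nonce, data):
    """CTR-style XOR with an HMAC-SHA256 keystream; symmetric, so it both
    encrypts and decrypts (AES-CTR stand-in for this example)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class Agent:
    """Stand-in for the host agent guarding one directory; stores (nonce, ciphertext)."""
    def __init__(self, manager, key_name):
        self.manager, self.key_name, self.files = manager, key_name, {}

    def write(self, name, plaintext, user, process):
        key = self.manager.request_key(self.key_name, user, process)
        if key is None:
            raise PolicyDenied("writing cleartext requires key release")
        nonce = os.urandom(16)
        self.files[name] = (nonce, keystream_xor(key, nonce, plaintext))

    def read(self, name, user, process):
        nonce, ct = self.files[name]
        key = self.manager.request_key(self.key_name, user, process)
        return ct if key is None else keystream_xor(key, nonce, ct)  # no key: opaque bytes

    def list_metadata(self):
        """Names and sizes stay in the clear for administrators; contents do not."""
        return {n: len(ct) for n, (_, ct) in self.files.items()}


def demo():
    dsm = SecurityManager()
    dsm.create_key("payroll-key")
    rules = [Rule("payroll", "payrollapp", "clear"),   # application user: plaintext
             Rule("root", "backupd", "ciphertext"),    # backup daemon: ciphertext only
             Rule("*", "*", "deny")]                   # everyone else, root shells included
    first_admin_alone = dsm.propose_policy("alice", rules)   # not yet in force
    second_admin = dsm.propose_policy("bob", rules)          # now applied

    agent = Agent(dsm, "payroll-key")
    secret = b"salary,alice,123456"                          # constructed sample record
    agent.write("q2.csv", secret, "payroll", "payrollapp")
    app_view = agent.read("q2.csv", "payroll", "payrollapp")
    backup_view = agent.read("q2.csv", "root", "backupd")
    try:
        agent.read("q2.csv", "root", "bash")
        shell_denied = False
    except PolicyDenied:
        shell_denied = True
    return {"policy_applied": (first_admin_alone, second_admin),
            "app_view": app_view,
            "backup_is_opaque": backup_view != secret and len(backup_view) == len(secret),
            "shell_denied": shell_denied,
            "metadata": agent.list_metadata(),
            "key_requests": sum(e[0] == "key_request" for e in dsm.audit)}


if __name__ == "__main__":
    print(demo())
```

Running it shows the three outcomes the text describes: the application identity reads the record back in cleartext, the backup daemon gets a same-length blob it can copy but not read, and a root shell is refused outright, with all four key requests recorded by the manager. The two-step `propose_policy` is the simplest way to model "no one person has complete control": a single administrator's submission is held pending until a different administrator submits the same rules.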

In May 2012, Vormetric became the first vendor to announce support for Intel Advanced Encryption Standard New Instructions (AES-NI), the on-chip instructions that execute AES rounds in hardware and so speed up the compute-intensive encryption and decryption work the agents do. Benchmarks of this technology put the performance overhead of encryption at under 2%, on processors that expose AES-NI.

Another key feature from Vormetric is encryption key management for database transparent data encryption. Specifically, Vormetric implements key management in a network hardware security module (HSM), securing the keys for Oracle Transparent Data Encryption and Microsoft SQL Server Transparent Data Encryption (TDE). Both databases expose a standard interface for this purpose (PKCS#11 for Oracle TDE, Extensible Key Management for SQL Server), which is how an external HSM takes custody of the master key. The point is to separate the keys from the encrypted data: the master key that wraps the per-database keys no longer lives in a wallet or on the database host, so a copy of the host or its data files does not carry the key that decrypts them.

Next: Vaultive
