
This blog series focuses on different aspects of Cisco HyperFlex.  In today’s blog we’ll go over the main types of encryption we implement, what they are and why they’re vital to an organization’s data encryption strategy. Most organizations today understand the table-stakes nature of data encryption that protects sensitive information, even in the event of a data leak. And we’ve all winced at the headlines when data breaches do occur and result in reputational, if not real damage to companies and organizations.

Cisco HyperFlex offers a range of encryption options

There are a number of encryption capabilities protecting HyperFlex clusters that have been developed with stringent hardware and software guidelines in place. These include Self Encrypting Drives (SEDs) and Cisco HyperFlex Software Based Encryption (SWE), which is a native feature of the HyperFlex Data Platform. Both types are data-at-rest encryption (DARE) implementations. Additionally, Cisco has also qualified various Key Management solutions using VM-level encryption from third-party partners like Gemalto and Vormetric (both parts of Entrust as of this writing). These various key managers are only for SED-based systems, since Cisco’s software encryption solution uses the Intersight integrated key manager.

There is strong encryption within and between the HX clusters

Encryption on a hyperconverged system like Cisco HyperFlex is data-at-rest encryption, whether it is provided by SEDs or by HyperFlex native software encryption (SWE). These systems are storage devices with all relevant services rolled into the appliance (compute, memory, networking). Encrypted communication between HyperFlex clusters, for example for backup or replication, is the purview of the intervening network devices and is solved using IPsec, VPN or similar technologies.

HyperFlex has built in encryption from day one

HyperFlex Data Platform (HXDP) Software Encryption uses industry standard strong encryption algorithms and is compliant with US Federal certification requirements. It also takes advantage of Cisco HyperFlex’s unique features and cloud technologies. A distinguishing feature of HyperFlex SWE is its ability to work with the HyperFlex storage optimizations that have been available from day one. Post-process encryption, such as transparent clients on guest VMs or application-level encryption, cannot offer the advantages that HyperFlex SWE offers in this regard, since it takes place once data is written to disk. Inline encryption in the write IO path preserves all the HXDP storage optimizations that are otherwise present in unencrypted or SED-based deployments.
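To make the storage-optimization point concrete, here is an added illustration (not HXDP code or Cisco's implementation) that models two write paths over constructed sample data: guests encrypting before the write reaches storage, versus the storage layer deduplicating plaintext and then encrypting inline. The SHA-256 XOR keystream stands in for a real cipher, and the block sizes, VM layout and keys are all constructed.

```python
"""Added illustration of why inline (encrypt-after-dedup) encryption keeps
deduplication savings while guest-side encryption does not. Not HXDP code:
the SHA-256 XOR keystream is a stand-in for a real cipher such as AES-XTS."""
import hashlib
import os

def keystream_encrypt(key: bytes, nonce: bytes, block: bytes) -> bytes:
    # Stand-in for AES-CTR: keystream = SHA-256(key || nonce || counter), XORed in.
    out = bytearray()
    for i in range(0, len(block), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(block[i:i + 32], ks))
    return bytes(out)

def fingerprint(block: bytes) -> bytes:
    # Content fingerprint the storage layer uses to spot duplicate blocks.
    return hashlib.sha256(block).digest()

def guest_side_stored(vm_writes: dict, vm_keys: dict) -> int:
    """Each guest encrypts with its own key and a fresh nonce before the write
    reaches the storage stack, so dedup only ever sees distinct ciphertext."""
    ciphertexts = [keystream_encrypt(vm_keys[vm], os.urandom(12), b)
                   for vm, blocks in vm_writes.items() for b in blocks]
    return len({fingerprint(c) for c in ciphertexts})

def inline_stored(vm_writes: dict, cluster_key: bytes) -> int:
    """Storage layer fingerprints and dedups plaintext in the write path, then
    encrypts each unique block once with the cluster key (nonce = fingerprint)."""
    unique = {}
    for blocks in vm_writes.values():
        for b in blocks:
            unique.setdefault(fingerprint(b), b)
    return len([keystream_encrypt(cluster_key, fp[:12], b) for fp, b in unique.items()])

def dedup_ratio(total_writes: int, stored: int) -> float:
    return round(total_writes / stored, 2)

# Constructed sample: three VMs cloned from one golden image (8 shared 64-byte
# blocks) plus one VM-specific block each, 27 block writes in total.
GOLDEN = [hashlib.sha256(b"golden-image-block-%d" % i).digest() * 2 for i in range(8)]
VM_WRITES = {vm: GOLDEN + [hashlib.sha256(b"vm-%d-private" % vm).digest() * 2]
             for vm in range(3)}
VM_KEYS = {vm: hashlib.sha256(b"vm-key-%d" % vm).digest() for vm in range(3)}
CLUSTER_KEY = hashlib.sha256(b"cluster-key").digest()

if __name__ == "__main__":
    total = sum(len(v) for v in VM_WRITES.values())
    print("guest-side encryption dedup ratio:", dedup_ratio(total, guest_side_stored(VM_WRITES, VM_KEYS)))
    print("inline (HXDP-style) dedup ratio:  ", dedup_ratio(total, inline_stored(VM_WRITES, CLUSTER_KEY)))
```

With the sample data the guest-side path stores all 27 ciphertext blocks (ratio 1.0), while the inline path stores only the 11 unique plaintext blocks (ratio 2.45); the same effect applies to compression, which cannot shrink ciphertext.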

Encryption is not a catch-all – due diligence is still needed

While encryption is extremely important for an overall excellent security posture, it is not a catch-all. Encryption does not protect against direct breaches of the HyperFlex Controller VMs or exploits that occur upstream of the storage stack, for example in the hypervisor, guest VMs, or VM-based applications. Protecting these software assets is a normal part of regular due diligence; the associated risks are mitigated by timely patching and hardening of these components.

Make sure your organization is making headlines for positive reasons and never for data-breach scenarios.  When designing Cisco HyperFlex we’ve taken a holistic approach that uses industry standard strong encryption at the component, system and cluster levels – built-in since day one.

Get additional information about Cisco HyperFlex

Resources

Watch the Demo Video: Enabling HyperFlex Native Software Encryption

Read the White Paper:  HyperFlex Encryption



Authors

Aaron Kapacinskas

Technical Leader

HyperFlex