Achieving Data Sovereignty in a Multi-Tenant Service Provider Environment

By Boskey Savla, VMware and Heberto Ferrer, HyTrust

Customers wanting to adopt public cloud are ever more concerned about security and control over data and applications hosted in public clouds and across hybrid clouds. New regulations have explicit data sovereignty requirements, which bring both a challenge and an opportunity for service providers.

The first step in the journey to data sovereignty is encryption of data at rest. Service providers looking to offer such a service to customers need technologies that align with multitenancy requirements and are easily integrated via REST APIs.

VMware vCloud Director (vCD) for Service Providers is a platform that provides a multi-tenant environment based on existing infrastructure. vCloud Director gives customers the ability to consume a public cloud and manage their compute, storage and networking needs in a self-service fashion. vCloud Director creates unique virtual datacenters called Organization Virtual Data Centers (“Org vDCs”) that define the capacity and resources a customer has access to in their cloud.

Workload encryption in a vCloud Director environment can be provided with HyTrust DataControl, which offers key management and data-at-rest encryption for workloads in private and public clouds.

HyTrust DataControl implements Cloud VM Sets, which align directly to vCloud Director’s Org vDCs. VMs must be registered to a Cloud VM Set in order to encrypt data volumes.

One cluster of HyTrust KeyControl virtual appliances (the key management component of HyTrust DataControl) can be used for all tenants. Tenants logging into the HyTrust DataControl web UI will only be able to access and manage Cloud VM Sets that are part of their Cloud Admin Group. More importantly, the HyTrust DataControl policy engine prevents delivery of keys across Cloud VM Sets, i.e. keys belonging to a Cloud VM Set will only be delivered to workloads from the same Cloud VM Set.

Virtual machine (VM) templates that have the HyTrust agent pre-installed can easily be created and managed via vCloud Director’s Catalogs. As customers start provisioning VMs via the vCloud Director catalog, the VMs register with HyTrust DataControl. Encryption can then be managed via HyTrust DataControl, and customers can start applying encryption policies to these virtual machines while they are active.

During initial encryption of data volumes, or re-encryption with a new key, customers can take advantage of HyTrust DataControl online rekeying, which applies encryption in the background without affecting access to the data, keeping production services up while encryption is in progress.

When encrypted VMs must be disposed of, encryption keys may be “shredded” within HyTrust DataControl, effectively destroying the data within the VM.

For more information, check out this YouTube video or contact your VMware representative.
