Market need
VMware Sovereign Clouds offer continuous protection and secure access controls that open up new value and opportunities in data protection. They protect and control confidential or restricted data with the data residency and data sovereignty that a sovereign cloud provides, ensuring compliance with changing data privacy laws using a trusted cloud that supports a nation's digital economy. Virtual environments running VMware can readily leverage vSphere VM Encryption or vSAN encryption to protect VMs and data at rest. However, enterprise key management that is both secure and adaptable to a dynamic software-defined infrastructure remains a challenge. Traditional HSMs require proprietary hardware and are inflexible in a software-defined data center. Software-only key managers, on the other hand, do not offer the protection of HSMs.
Solution Overview
The joint VMware and Fortanix solution offers scalable data protection and compliance for VMware Sovereign Cloud environments. Fortanix Data Security Manager (DSM) is a unified HSM and key management solution that integrates via KMIP with VMware vSAN and vSphere VM encryption, enabling sovereign cloud customers to bring and manage their own keys. Fortanix DSM makes it possible for VMware Sovereign Cloud providers to deliver data protection and compliance to their end customers (tenants). Secured with Intel® SGX, Fortanix DSM delivers HSM security with software-defined simplicity and a cloud-scale architecture.
Fortanix DSM, with built-in multi-tenancy, when integrated with VMware Sovereign Cloud, gives service provider partners the ability to offer Bring Your Own Key (BYOK) for VM encryption and vSAN encryption, FIPS 140-2 Level 3 HSM protection, key management, tokenization, and secrets management through a single platform hosted within the VMware Sovereign Cloud boundary.
Joint Use Cases
Bring your own key for VM and vSAN encryption
Fortanix Data Security Manager gives VMware users the option to bring their own keys to encrypt VMs and vSAN, as well as for other encryption use cases.
Complete Key Lifecycle Management
Fortanix delivers full key lifecycle management as a service to ensure secure and consistent key management across on-premises and multicloud environments, including bring your own key (BYOK) and bring your own key management service (BYOKMS).
FIPS 140-2 Level 3 HSM-Backed Platform
Customers store their keys in the Fortanix FIPS 140-2 Level 3 certified HSM, and cryptographic operations are executed securely within the hardware.
Tokenizing Sensitive Data
A combination of Format Preserving Tokenization (FPE) and role-based access control (RBAC) for applications running on VMware Sovereign Cloud helps protect sensitive data. With Fortanix, authorized users are authenticated through RBAC, query the data, and tokenize it on the fly.
Database Encryption
Fortanix integrates with native database encryption to manage and store the cryptographic keys required to encrypt all your databases on VMware Sovereign Cloud, including Oracle, SQL Server, MongoDB, PostgreSQL, MySQL, MariaDB, IBM DB2 and more.
Secrets Management
Fortanix offers a secure secrets management solution that manages secrets natively in the cloud and on-premises, providing extensive RESTful APIs and supporting open standards such as OAuth, OpenID (SAML), LDAP, JWT, and PKI.
Deployment – VMware Sovereign Cloud Boundary
VMware Cloud Provider partners can host Fortanix Data Security Manager on HSM appliances running in their data centers, within the VMware Sovereign Cloud boundary. Each VMware Sovereign Cloud customer has a dedicated vCenter in which they configure Fortanix Data Security Manager as an external key manager. The customer retains full control of the keys, and the VMware Cloud Provider partner has no access to or visibility of them. The keys never leave the sovereign cloud boundary.
- Only customers have access to the keys; providers have zero visibility.
- Keys are generated and managed in a customer-controlled Fortanix DSM account.
- Multi-tenancy: each customer account is isolated from every other.