by Tim Reilly

Advancing Our Partnership with VMware

A recent CNCF study found that 78% of respondents were using Kubernetes within their organizations, making the case that Kubernetes adoption is not only increasing, but on its way to “taking over the world.”

The rapid adoption is certainly justified. Kubernetes is an incredible tool for container orchestration and management. However, it does not address one of the most critical components of holistic security strategies – data protection.

IT leaders are finding that integrating security into new technologies being used within DevOps – like Kubernetes – is not keeping pace with continuous software development. Traditional approaches to security and manual controls are often perceived as an impediment to speed, so many organizations push forward without the appropriate levels of security or data protection in place to get to market faster and drive innovation.

To help organizations strike the balance of incorporating adequate security without slowing down innovation, we offer container encryption products that secure data in containerized environments. To that end, we are excited that our Zettaset XCrypt Kubernetes Encryption solution is available on VMware Marketplace: https://marketplace.cloud.vmware.com/services/details/xcrypt-for-tkg?slug=true.

XCrypt Kubernetes Encryption offers high-performance and transparent data-at-rest encryption for containers, empowering VMware customers to extend their data protection programs to cover data used by advanced technologies like Kubernetes.

Here are a few of the highlights that VMware customers can expect when implementing Zettaset’s XCrypt Kubernetes Encryption:

  • Direct integration into Kubernetes’ storage layer
    XCrypt integrates directly with the Kubernetes Container Storage Interface (CSI) and provides its own storage class, making it transparent and simple to use.
  • Negligible impact on performance
    XCrypt is designed to minimize the performance impact of encryption on the overall application performance. The observed performance impact is between 2% and 7%.
  • Centralized management and monitoring
    XCrypt consolidates the cryptographic activity across your entire Kubernetes infrastructure, allowing for data management, monitoring and policy enforcement from a centralized console.
  • XCrypt Provisioner for vSphere vSAN automatically manages vSAN storage via native APIs
    By integrating with vSphere vSAN via native API, XCrypt automatically provisions vSAN volumes with encryption as needed to fulfill container storage allocation requests. This eliminates the need for cluster administrators to manage container storage and does not require developers to be involved in data security decisions.
  • Container storage separation
    Each container is allocated its own dedicated storage volume. Unlike SEDs and infrastructure-provided storage, where single storage volumes are shared among many containers, XCrypt offers dedicated encrypted storage volumes for each container. This level of encryption granularity is critical in multi-tenant environments. For added security, container volumes are only available and mounted when in use.
  • Unique encryption key for each container volume
    Each persistent volume is encrypted using unique encryption keys. This enables highly granular and secure multi-tenant environments. With this approach, each tenant has access only to their own data, and unauthorized access to that data by other tenants is prevented.
  • Automated encryption key and policy management
    XCrypt manages the complete lifecycle of encryption keys associated with the container volumes – from creation and activation, to use and, if required, revocation. Users and administrators don’t need to keep track of key-to-volume association.
  • Secure erase of persistent volumes
    In the event that a persistent volume is compromised, the volume can be easily decommissioned by revoking the encryption key assigned to the volume. This can be performed by an admin remotely by issuing a simple command. There is no need for the manual and time-consuming data erase process.
  • Secure decommissioning of Kubernetes worker nodes
    In the event of a compromised worker node, the entire worker node can be removed quickly from the cluster by revoking the certificate issued to the node, thereby preventing the node from getting encryption keys from the key server. This is accomplished by issuing a simple command remotely and has no effect on other worker nodes.
  • All encryption services run natively in Kubernetes
    All XCrypt product components (Host Manager, CSI Driver, Key Manager, License Manager, and Certificate Authority) run as native Kubernetes microservices in the customer’s cluster.

We’re excited to continue to further our partnership with VMware and provide customers with next-generation data protection solutions to enhance and safeguard their organizations.

Interested in scheduling a demo to learn more about what we can provide? Get in touch with our sales team to learn more: https://www.zettaset.com/products/request-a-demo/