The Benefits of Using an External Key Manager (EKM) for Hyperconvergence

This post was authored by Jill Cygnarowicz, Gemalto

When it comes to datacenter technology and how enterprises of all sizes store and manage their data, one of the latest changes across the IT industry is the shift towards hyperconvergence, or hyperconverged infrastructure (HCI). HCI has gained popularity because of the simplicity, scalability, and cost savings it offers most businesses over traditional data center set-ups.

Hyperconvergence is a way to enable IT scalability in cloud environments without compromising on the performance, reliability, and availability a business would expect from running its own data center. Essentially, a hyperconverged infrastructure combines storage, compute, networking, and a hypervisor or virtual machine layer into a single solution, giving a company a fully functional datacenter in one system.

The leading Hyperconverged (HCI) platform, Nutanix Enterprise Cloud, eliminates storage silos, expensive virtualization technology, and dedicated management. It also supports simplified and consolidated management with Cloud-like agility and flexibility. Simultaneously, the current number of data breaches and regulatory demands place increasing pressure on organizations to protect data from exposure. Thus, when looking at IT infrastructure and how data-at-rest is stored in a hyperconverged solution such as Nutanix Enterprise Cloud, consideration of the benefits of a robust encryption and external key management solution is necessary for protecting the data.

To help organizations meet this challenge, Nutanix has partnered with Gemalto to bring them the benefits of an external key management solution. Gemalto’s SafeNet KeySecure is an encryption and key management appliance that centralizes the control of an enterprise’s disparate encryption solutions, and provides additional benefits for data protection.

SafeNet KeySecure External Key Management System for HCI

HCI solutions that leverage an external key manager for data-at-rest encryption gain several added benefits and capabilities:
  1. Appropriate data controls
  2. Centralized Key Management
  3. Data and key lifecycle management
  4. Audit and compliance tools

Appropriate Data Controls

One of the primary benefits of using an external key manager is that it helps companies streamline their audit reporting. As part of corporate and industry compliance requirements, an external key manager provides signed, validated log information on key management as well as key consumption: who accessed the key, the event time, and whether the operation succeeded or failed.

In addition, mechanisms such as SNMP traps can alert staff if any issues arise with the key management appliance or with other appliances communicating with the key manager. External key managers can define permissions for key administrators as well as key consumers. A common example is allowing a key administrator to create a key for encrypt/decrypt purposes while denying that administrator the ability to use the key, with the distinction enforced through LDAP or AD user attributes.

Major compliance frameworks such as HIPAA, GDPR, PCI-DSS and others may require this separation of duties to deliver appropriate data access.

Centralized Key Management

SafeNet KeySecure provides customers with complete control by securing the keys needed to access the storage system, and improves compliance and auditability by centralizing and simplifying key management (e.g., escrow, recovery) for various storage platforms and KMIP-compatible encryption solutions. By utilizing SafeNet KeySecure, organizations benefit from its flexible options for secure and centralized key management – deployed in physical, virtualized infrastructure, and public cloud environments.

SafeNet Virtual KeySecure is a hardened virtual security appliance that gives organizations a more operationally and expense-friendly alternative to a hardware appliance for secure key management and for meeting security and compliance needs. By using a virtual key manager instead of a hardware appliance, organizations can scale key management at remote facilities or in cloud infrastructures such as Nutanix, and eliminate the cost of additional rack space. SafeNet Virtual KeySecure allows organizations to use a secure virtual appliance to manage keys and data encryption, and to enforce access control across cloud infrastructures.

It also ensures that organizations maintain ownership of their encryption keys: the appliance OS is hardened and the entire virtual appliance is encrypted, which strengthens key security and protects against snapshot attacks.

Data and Key Lifecycle Management

Encryption key management should incorporate some level of centralized policy and control. It is not as simple as creating the key, encrypting the data and forgetting about it. A company’s key lifecycle management strategy should cover the ability to perform actions on keys such as:
  • Key generation
  • Key retirement
  • Determining the activation or de-activation of the key
  • Key rotation to ensure the key content is updated periodically or as needed
  • Destruction (when required)
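The separation of duties described under Appropriate Data Controls (a key administrator may create a key but not use it) and the lifecycle actions listed above can be put together in one small model. The following is an added example written for this post, not code from Gemalto, Nutanix or SafeNet KeySecure: an in-memory key manager whose key states follow the KMIP lifecycle (PreActive, Active, Deactivated, Destroyed), whose role checks use a constructed principal-to-role mapping standing in for LDAP/AD user attributes, and whose audit log records every attempt (who, which operation, which key, when, success or failure) signed with an HMAC so that edits to the log are detectable. The class name `KeyManager`, the principals `alice` and `bob`, the key id `vdisk-key-1` and the audit secret are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Role -> permitted operations. A key_admin manages keys but may not use them; a key_consumer
# may only use them. Constructed mapping; a real deployment would read roles from LDAP/AD.
ROLE_PERMISSIONS = {
    "key_admin": {"create", "activate", "rotate", "deactivate", "destroy"},
    "key_consumer": {"use"},
}

# Allowed transitions, modelled on the KMIP lifecycle PreActive -> Active -> Deactivated -> Destroyed.
TRANSITIONS = {
    "activate": ("PreActive", "Active"),
    "deactivate": ("Active", "Deactivated"),
    "destroy": ("Deactivated", "Destroyed"),
}

class KeyManager:
    def __init__(self, audit_secret: bytes, principals: dict):
        self._keys = {}                  # key_id -> {"state", "material", "version"}
        self._principals = principals    # principal name -> role
        self._audit_secret = audit_secret
        self.audit_log = []              # [{"entry": {...}, "sig": hex digest}]

    def _log(self, principal: str, op: str, key_id: str, ok: bool) -> None:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "principal": principal,
                 "op": op, "key_id": key_id, "result": "success" if ok else "failure"}
        payload = json.dumps(entry, sort_keys=True).encode()
        sig = hmac.new(self._audit_secret, payload, hashlib.sha256).hexdigest()
        self.audit_log.append({"entry": entry, "sig": sig})

    def _check(self, principal: str, op: str, key_id: str) -> dict:
        # Separation of duties first: is this principal's role allowed to perform op?
        role = self._principals.get(principal)
        if op not in ROLE_PERMISSIONS.get(role, set()):
            self._log(principal, op, key_id, ok=False)
            raise PermissionError(f"{principal} ({role}) may not {op} {key_id}")
        key = self._keys.get(key_id)
        if (key is None) != (op == "create"):   # create needs a new id, everything else an existing one
            self._log(principal, op, key_id, ok=False)
            raise ValueError(f"{'duplicate' if key else 'unknown'} key {key_id}")
        return key

    def create(self, principal: str, key_id: str) -> str:
        self._check(principal, "create", key_id)
        self._keys[key_id] = {"state": "PreActive", "material": secrets.token_bytes(32), "version": 1}
        self._log(principal, "create", key_id, ok=True)
        return "PreActive"

    def transition(self, principal: str, op: str, key_id: str) -> str:
        key = self._check(principal, op, key_id)
        src, dst = TRANSITIONS[op]
        if key["state"] != src:
            self._log(principal, op, key_id, ok=False)
            raise ValueError(f"cannot {op} {key_id} while {key['state']}")
        key["state"] = dst
        if dst == "Destroyed":
            key["material"] = None   # destruction wipes the key material
        self._log(principal, op, key_id, ok=True)
        return dst

    def rotate(self, principal: str, key_id: str) -> int:
        key = self._check(principal, "rotate", key_id)
        if key["state"] not in ("PreActive", "Active"):
            self._log(principal, "rotate", key_id, ok=False)
            raise ValueError(f"cannot rotate {key_id} while {key['state']}")
        key["material"] = secrets.token_bytes(32)   # fresh key content under a new version
        key["version"] += 1
        self._log(principal, "rotate", key_id, ok=True)
        return key["version"]

    def use(self, principal: str, key_id: str) -> bytes:
        key = self._check(principal, "use", key_id)
        if key["state"] != "Active":
            self._log(principal, "use", key_id, ok=False)
            raise ValueError(f"{key_id} is {key['state']}, not Active")
        self._log(principal, "use", key_id, ok=True)
        return key["material"]

    def verify_audit_log(self) -> bool:
        # Recompute each entry's HMAC; an edited or forged entry fails the check.
        for rec in self.audit_log:
            payload = json.dumps(rec["entry"], sort_keys=True).encode()
            expected = hmac.new(self._audit_secret, payload, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec["sig"]):
                return False
        return True

def attempt(fn, *args):
    """Run an operation and report ("ok", result), ("denied", msg) or ("invalid", msg)."""
    try:
        return "ok", fn(*args)
    except PermissionError as exc:
        return "denied", str(exc)
    except ValueError as exc:
        return "invalid", str(exc)
```

Two design points carry over to a real key manager: the authorization check runs before the state check, so a denied principal learns nothing about whether a key exists or what state it is in, and failures are logged exactly like successes, which is what makes the audit trail useful for the "who tried to access the key, when, and did it succeed" reporting the post describes. Rotation produces new material under an incremented version rather than editing the key in place, so the log can tie each use to a specific version.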

Audit and Compliance Requirements

For companies mandated to meet requirements such as FIPS 140-2 (which rules out encryption algorithms deemed unsafe and requires tamper protection of appliances), key management should let the organization implement best practices for approved algorithm usage.

For those that require more than the disabling of unsafe encryption algorithms, Level 2 (keys stored in tamper-evident hardware) or Level 3 (tamper-resistant key storage) external key managers provide an increased level of security. In addition, external key managers can integrate with hardware security modules (HSMs) to help achieve a higher FIPS certification level.

Together, Nutanix and Gemalto enable a FIPS-validated data-at-rest encryption solution using the SafeNet enterprise key manager combined with hardware- or software-based encryption. SafeNet KeySecure integrates via the Key Management Interoperability Protocol (KMIP) to store encryption keys safely away from the data.

Nutanix and Gemalto have partnered to provide a solution that lets their customers leverage all of the benefits of operating in a hyperconverged infrastructure, with the peace of mind that their stored data is secure. For further information, please see our integration solution brief, or the Gemalto or Nutanix partner web pages.

©️ 2018 Nutanix, Inc. All rights reserved. Nutanix, the Enterprise Cloud Platform, the Nutanix logo and the other Nutanix products, features, and/or programs mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other brand and product names mentioned herein are for identification purposes only and are the property of their respective holder(s), and Nutanix may not be associated with, or sponsored or endorsed by such holder(s). This document is provided for informational purposes only and is presented ‘as is’ with no warranties of any kind, whether implied, statutory or otherwise.

The views expressed in this blog are those of the author and not those of Nutanix, Inc. or any of its other employees or affiliates. This blog may contain links to external websites that are not part of Nutanix.com. Nutanix does not control these sites and disclaims all responsibility for the content or accuracy of any external site. Our decision to link to an external site should not be considered an endorsement of any content on such site.
