Succeed in a hybrid world – without losing control of your data

Most of us who work in IT generally feel pretty good about the physical and logical security of our data and systems when it resides on-premises.  If you can see and touch the systems, it gives you an added sense of security – especially when you have keycards, biometrics or sometimes just a lock on the door. Augmenting this on premises is easy enough, most times with built in tools like BitLocker or certificate services for a variety of solutions that you can employ to data wherever it lies.

But then we add in a Hybrid connection – to someplace else where you don’t have physical access to the host systems, only remote access to your Guest VMs?  Public Clouds like Azure need some extra assistance if you want the warm-and-fuzzy feeling of your VHDs encrypted while at rest. Now what do you do in order to get the warm fuzzy feelings of keeping control of your data?

Full Volume Encryption with Bitlocker requires a TPM or physical access to the system while booting. At TechEd Europe, my friend Bryon Surace had a session talking about a new partner that was onboarded for the Azure called CloudLink.  They make a two part solution that allows you to centrally manage encryption keys used for boot time decryption on Windows and Linux images as well as data volumes you attach to your machines.

It’s really quite cool – and simple.  Once you have established an relationship with CloudLink, you download their “Cloudlink Center” virtual appliance (a pre-configured VHD), deploy it to an Azure VM (create new VM from image) and login to the Management portal. You then install an agent on Windows based servers that interfaces between Bitlocker and their CloudLink server.  Once the machine boots – it shows up in the management console and you authorize it for operation. Apparently, this can also be integrated into native Linux data encryption mechanisms as well.

Check out their quick demo video on how this logically works – a video is worth a couple thousand words. 😉

Note: it also works with your Hoster c0-location options as well as in your on-premises Hyper-V and VMware private clouds as well.

Very cool solution.  I know a number of customers I’ve spoken to that could use this to bolster their comfort and security levels – potentially unblocking their plans to integrate Azure and Public Cloud into their environments.

About author View all posts


1 CommentLeave a comment

Warning: sizeof(): Parameter must be an array or an object that implements Countable in D:\home\site\wwwroot\wp-content\plugins\projectnami-blob-cache\project-nami-blob-cache.php on line 416

Fatal error: Uncaught WindowsAzure\Common\ServiceException: Fail: Code: 400 Value: The account being accessed does not support http. details (if any): <?xml version="1.0" encoding="utf-8"?><Error><Code>AccountRequiresHttps</Code><Message>The account being accessed does not support http. RequestId:f344dfa2-d01e-00b0-0f8f-f531cf000000 Time:2021-01-28T16:06:29.6003223Z</Message><AccountName>ritgcache</AccountName></Error>. in D:\home\site\wwwroot\wp-content\plugins\projectnami-blob-cache\library\WindowsAzure\Common\Internal\Http\HttpClient.php:382 Stack trace: #0 D:\home\site\wwwroot\wp-content\plugins\projectnami-blob-cache\library\WindowsAzure\Common\Internal\Http\HttpClient.php(275): WindowsAzure\Common\Internal\Http\HttpClient::throwIfError(400, 'The account bei...', '\xEF\xBB\xBF<?xml versio...', Array) #1 D:\home\site\wwwroot\wp-content\plugins\projectnami-blob-cache\library\WindowsAzure\Common\Internal\RestProxy.php(141): WindowsAzure\Common\Internal\Http\HttpClient->send(Array, Object(WindowsAzure\Common\Internal\ in D:\home\site\wwwroot\wp-content\plugins\projectnami-blob-cache\library\WindowsAzure\Common\Internal\Http\HttpClient.php on line 382