Every virtualisation platform (whether VMware, Hyper-V, Xen or KVM) is susceptible to its virtual machines (VMs) being attacked or seized.
Protect your VMs from compromise by using Windows Server 2016 admin-trusted or TPM-trusted attestation together with BitLocker encryption. The VM can then only run on designated, authorised infrastructure and is protected from compromised administrators.
Hyper-V VM disks and state are encrypted so only VM or tenant administrators can access them.
Guarded fabrics use Virtualisation-based Security (VBS) to create a region that is isolated from the kernel and applications, preventing external attacks.
With virtual machines more commonplace today, it is easier to live migrate, back up and replicate these workloads, but it is also easier to seize or modify an entire workload by copying it onto a USB or network drive.
VM encryption alone is not sufficient to protect against compromised admin accounts, storage or network attacks, local admins gaining access, or unauthorised hosts running workloads; you need more than VM encryption to cover these scenarios.
Host Guardian Service (HGS) prevents anyone but authorised VM administrators from accessing data (including restricting VM console access to authorised sessions) and attests the legitimacy of each Hyper-V host: a certificate of health issued to the host is required before it can start and run VMs. This prevents a VM being copied off and its confidential data compromised by an attacker.
A shielded virtual machine protects against inspection, theft and tampering by both malware and data centre administrators.
Add a security layer to running your virtual machines on Hyper-V hosts by using VM encryption.
Segregation of virtual machine administrative roles.
Virtual machines shielded on Hyper-V hosts, with encrypted VM files to prevent them running on an unauthorised system.
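The VM-side protections listed above (virtual TPM, encrypted state and migration traffic, shielding) are set per VM on the Hyper-V host. The following is an added example, not code from The Bunker or from Microsoft: it configures a lab VM using a local guardian (no HGS present) and then reads back its security settings. The VM name "Tenant-VM01" and the guardian name "LocalOwner" are placeholders; in a production guarded fabric the key protector would name the HGS as guardian instead, so the VM only starts on hosts that have passed HGS attestation.

```powershell
# Added example (not The Bunker's or Microsoft's own code). Run in an elevated
# PowerShell session on a Windows Server 2016 (or later) Hyper-V host.
# Assumptions: a Generation 2 VM named "Tenant-VM01" exists (placeholder name)
# and this is a lab host without an HGS, so a local guardian with self-signed
# certificates is used to wrap the VM's keys.

$VMName = "Tenant-VM01"   # placeholder: substitute your VM name

# Key protector and vTPM changes require the VM to be powered off.
if ((Get-VM -Name $VMName).State -ne 'Off') {
    throw "Stop '$VMName' before changing its key protector or vTPM."
}

# 1. A guardian holds the certificates that wrap the VM's vTPM/BitLocker keys.
#    Reuse an existing local guardian, or create one with self-signed certs.
$owner = Get-HgsGuardian | Where-Object Name -eq "LocalOwner"
if (-not $owner) {
    $owner = New-HgsGuardian -Name "LocalOwner" -GenerateCertificates
}

# 2. Build a key protector owned by that guardian and attach it to the VM.
#    -AllowUntrustedRoot is needed because the lab certificates are self-signed.
$kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot
Set-VMKeyProtector -VMName $VMName -KeyProtector $kp.RawData

# 3. Enable the virtual TPM (no physical TPM is required on the host) so the
#    guest can turn on BitLocker, and encrypt saved state and migration traffic
#    so the VM cannot be read from storage or off the wire during a move.
Enable-VMTPM -VMName $VMName
Set-VMSecurity -VMName $VMName -EncryptStateAndVmMigrationTraffic $true

# 4. Mark the VM as shielded: console, PowerShell Direct and similar host-side
#    access paths are disabled, so only the tenant's own remote access works.
Set-VMSecurity -VMName $VMName -Shielded $true

# 5. Read back the VM's security settings to confirm the change.
Get-VMSecurity -VMName $VMName |
    Select-Object TpmEnabled, Shielded, EncryptStateAndVmMigrationTraffic
```

Because the key protector is bound to the guardian's certificates, a copy of the VHDX taken to another host cannot be started or decrypted there, which is the copy-to-USB scenario the text describes.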
The Bunker has wide experience of deploying HGS with Hyper-V and can help plan and deploy a platform to run HGS and shielded VMs for you, satisfying your security needs and giving you peace of mind that your data is safe, even at rest.
The Bunker can host and run your environment, and you decide who has administrative access to the VM.
This additional layer of security allows you to run your private cloud environments to host your workloads using the latest Microsoft technology, providing you and your customers with the utmost confidence in the confidentiality of your data.
Guarded Fabric uses four components to ensure Hyper-V hosts are healthy. Several of these, including hardware security features, are used to measure the host's code and state from the moment the machine is powered on:
Code Integrity uses Virtualization-based Security to ensure that only allowed binaries can be run on the system from the moment the machine is started.
Virtualization-based Security (VBS) uses hardware security technology to create an area that is isolated from the kernel and applications, preventing external attacks.
The Trusted Platform Module (TPM) is an international standard for a secure crypto-processor. Windows Server 2016 Hyper-V enables a virtual TPM device for VMs so that they can take advantage of features such as BitLocker. The virtual TPM does not require a physical TPM to be present.
The Host Guardian Service is used to implement a guarded fabric by providing health attestation for the Hyper-V hosts and key protection for the key material that is required to run shielded VMs.
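The four components just described can each be checked on the host itself. The following is an added example, not The Bunker's or Microsoft's own code: a read-only health check, run in an elevated PowerShell session on a host that is meant to be a guarded host, that reports Code Integrity and VBS state, physical TPM readiness (needed for TPM-trusted attestation but not for admin-trusted), the HGS client's attestation status, and any VMs on the host that are not yet fully protected. The cmdlets and WMI class used are standard Windows Server ones; the function names are this example's own.

```powershell
# Added example (not The Bunker's or Microsoft's own code). Read-only health
# check for a Hyper-V host in a guarded fabric. Run elevated on the host.

function Get-GuardedHostHealth {
    # Code Integrity and VBS state are exposed by the DeviceGuard WMI class.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    # SecurityServicesRunning contains 2 when hypervisor-enforced Code Integrity is active
    $hvciRunning = ($dg.SecurityServicesRunning -contains 2)
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
    $ciEnforced = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)

    # Physical TPM: required for TPM-trusted attestation, not for admin-trusted.
    $tpm = Get-Tpm
    $tpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # HGS client configuration: which HGS this host talks to and whether it
    # currently holds a valid health certificate (IsHostGuarded).
    $hgs = Get-HgsClientConfiguration

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        VbsRunning            = $vbsRunning
        HvciRunning           = $hvciRunning
        CodeIntegrityEnforced = $ciEnforced
        TpmReady              = $tpmReady
        HgsMode               = $hgs.Mode
        AttestationServer     = $hgs.AttestationServerUrl
        IsHostGuarded         = $hgs.IsHostGuarded
        AttestationStatus     = $hgs.AttestationStatus
        AttestationSubstatus  = $hgs.AttestationSubstatus
    }
}

function Get-UnprotectedVMs {
    # VMs lacking a vTPM, shielding, or encrypted saved state/migration traffic.
    # These are the VMs an attacker could copy off and inspect.
    Get-VM | ForEach-Object {
        $s = Get-VMSecurity -VMName $_.Name
        if (-not ($s.TpmEnabled -and $s.Shielded -and $s.EncryptStateAndVmMigrationTraffic)) {
            [pscustomobject]@{
                VMName           = $_.Name
                TpmEnabled       = $s.TpmEnabled
                Shielded         = $s.Shielded
                StateEncrypted   = $s.EncryptStateAndVmMigrationTraffic
            }
        }
    }
}

$health = Get-GuardedHostHealth
$health | Format-List

# A host that is not attested will not be released keys by HGS, so shielded
# VMs will refuse to start here until the cause is fixed.
if (-not $health.IsHostGuarded) {
    Write-Warning "Host is not attested by HGS; run Test-HgsClientConfiguration for the reason."
}

Get-UnprotectedVMs | Format-Table -AutoSize
```

Scheduling this check and alerting when IsHostGuarded flips to false, or when an unprotected VM appears on a host that should only carry shielded workloads, gives an operations team early warning that the fabric's guarantees are no longer holding.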