Background

Host Guardian Services

Every virtualisation platform, whether VMware, Hyper-V, Xen or KVM, is susceptible to its virtual machines (VMs) being attacked or seized: a VM is just a set of files, and whoever can read those files holds the workload.

Protect your virtual machines from compromise by using Windows Server 2016 Admin-trusted or TPM-trusted attestation together with BitLocker encryption. A shielded VM runs only on designated, authorised infrastructure and is protected even from compromised fabric administrators.

Hyper-V VM disks and runtime state are encrypted so that only the VM's own administrators or the tenant can access them; the fabric administrators who operate the hosts cannot.

Guarded fabrics use Virtualisation-based Security to create a region of memory that is isolated from the kernel and from applications, so that an attacker who compromises the host operating system cannot reach the keys and code kept there.

Is it right for me?

With virtual machines now commonplace, it is easier to live-migrate, back up and replicate these workloads, but it is equally easy to seize or modify an entire workload by copying its files onto a USB or network drive.

To defend against compromised administrator accounts, storage or network attacks, local administrators gaining access, or unauthorised hosts running your workloads, you need more than VM encryption. On its own it is not sufficient, because whoever holds the encryption key, or administers the host that holds it, can still read the VM.

The Host Guardian Service (HGS) prevents anyone but authorised VM administrators from accessing the VM's data (including restricting VM console access to authorised sessions), and it attests the legitimacy of each Hyper-V host: a host must present a certificate of health issued by HGS before it is given the keys needed to start and run shielded VMs. A VM copied off to any other system is therefore just encrypted data, and the attacker cannot read the confidential information inside it.

Shielded VMs run only on attested Hyper-V hosts, and their VM files are encrypted so that they cannot be run on an unauthorised system.
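The steps a fabric administrator takes to turn an ordinary Generation 2 VM into a shielded VM on an already guarded host, as an added example (this is not code from the page or from The Bunker). It assumes a VM named TenantVM, guardian names TenantOwner and TheBunkerFabric, and an HGS server at hgs.example.internal; all of these are hypothetical placeholders. The owner guardian is generated here with self-signed certificates for illustration; in production the tenant creates and keeps that guardian and never hands its private key to the fabric.

```powershell
# Added example; assumes a Hyper-V host already configured as a guarded host
# (HGS attestation and key-protection URLs set) and a Generation 2 VM.
$VMName       = 'TenantVM'                 # hypothetical VM name
$HgsServer    = 'hgs.example.internal'     # hypothetical HGS service FQDN
$OwnerName    = 'TenantOwner'              # hypothetical owner guardian name
$FabricName   = 'TheBunkerFabric'          # hypothetical HGS guardian name

# 1. Refuse to proceed unless this host holds a valid health certificate:
#    without one HGS will not release the key and the shielded VM cannot start.
$client = Get-HgsClientConfiguration
if ($client.AttestationStatus -ne 'Passed') {
    throw "Host has not passed attestation (status: $($client.AttestationStatus)); fix the host first"
}

# 2. Owner guardian: the tenant's key, which always retains the ability to
#    unlock the VM. Self-signed certificates are generated here for illustration.
$owner = Get-HgsGuardian -Name $OwnerName -ErrorAction SilentlyContinue
if (-not $owner) {
    $owner = New-HgsGuardian -Name $OwnerName -GenerateCertificates
}

# 3. HGS guardian: the fabric's public key metadata, published by the HGS
#    server at the documented KeyProtection metadata path.
$fabric = Get-HgsGuardian -Name $FabricName -ErrorAction SilentlyContinue
if (-not $fabric) {
    $metadata = Join-Path $env:TEMP 'HgsGuardian.xml'
    Invoke-WebRequest -Uri "http://$HgsServer/KeyProtection/service/metadata/2014-07/metadata.xml" -OutFile $metadata
    $fabric = Import-HgsGuardian -Path $metadata -Name $FabricName
}

# 4. Key protector: the VM's key wrapped for both guardians. -AllowUntrustedRoot
#    is needed only because the owner certificates above are self-signed.
$kp = New-HgsKeyProtector -Owner $owner -Guardian $fabric -AllowUntrustedRoot

# 5. Apply it: security settings can only change while the VM is off.
Stop-VM -Name $VMName -ErrorAction SilentlyContinue
Set-VMKeyProtector   -VMName $VMName -KeyProtector $kp.RawData
Enable-VMTPM         -VMName $VMName                      # virtual TPM for BitLocker in the guest
Set-VMSecurityPolicy -VMName $VMName -Shielded $true      # locks console, PowerShell Direct, etc.

# 6. Verify: a shielded VM must report both TpmEnabled and Shielded as True.
Get-VMSecurity -VMName $VMName |
    Select-Object TpmEnabled, Shielded, EncryptStateAndVmMigrationTraffic
```

Enabling the virtual TPM does not by itself encrypt the guest's disk; the guest must enable BitLocker against that vTPM (a shielded VM provisioned from a signed template disk has this done during provisioning). Once Shielded is set, the host administrator loses console and PowerShell Direct access to the VM, which is exactly the property the page is describing.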

Why choose The Bunker?

The Bunker has wide experience in deploying HGS with Hyper-V and can help plan and deploy a platform to run HGS and shielded VMs for you, satisfying your security needs and giving you peace of mind that your data is safe, even at rest.

The Bunker can host and run your environment and you can decide who can have administrative access to the VM.

This additional layer of security allows you to run your private cloud environments and host your workloads using the latest Microsoft technology, providing you and your customers with the utmost confidence in the confidentiality of your data.


How Host Guardian Services work

A guarded fabric uses four components to ensure that Hyper-V hosts are healthy. Together, including the hardware security features, they measure the host's code and state from the moment the machine is powered on:

Code Integrity uses Virtualization-based Security (hypervisor-enforced code integrity) to ensure that only allowed binaries can run on the system from the moment the machine is started. In TPM-trusted mode the host's code integrity policy is one of the things HGS checks before issuing a health certificate.

Virtualization-based Security (VBS) uses hardware virtualisation to create a region of memory that is isolated from the kernel and applications, so that even malware running with kernel privileges cannot tamper with what runs there.

The Trusted Platform Module (TPM) is an international standard for a secure crypto-processor. Windows Server 2016 Hyper-V can give a VM a virtual TPM device so that the guest can use features such as BitLocker. The virtual TPM does not require a physical TPM in the host; a physical TPM 2.0 is needed only when the host itself is attested in TPM-trusted mode.

The Host Guardian Service is what implements the guarded fabric: it provides health attestation for the Hyper-V hosts and key protection for the key material required to run shielded VMs, releasing those keys only to hosts that currently hold a valid health certificate.
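A host-side health check that walks the four components just described, as an added example written for this page (it is not code from The Bunker or from Microsoft). It runs on a Hyper-V host that is meant to be part of the guarded fabric and reports each component that is not in the expected state. The numeric values tested for the Win32_DeviceGuard class (2 = running, 2 = HVCI in SecurityServicesRunning, 2 = enforced) follow that class's documentation; the function name Test-GuardedHostHealth is invented here.

```powershell
# Added example; run as an administrator on a Hyper-V host in the guarded fabric.
function Test-GuardedHostHealth {
    $findings = @()

    # Components 1 and 2: VBS and hypervisor-enforced code integrity (HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    if ($dg.VirtualizationBasedSecurityStatus -ne 2) {
        $findings += 'VBS is not running'
    }
    if ($dg.SecurityServicesRunning -notcontains 2) {
        $findings += 'HVCI (hypervisor-enforced code integrity) is not running'
    }
    if ($dg.CodeIntegrityPolicyEnforcementStatus -ne 2) {
        $findings += 'Code integrity policy is absent or in audit mode rather than enforced'
    }

    # Component 3: a ready physical TPM. Required for TPM-trusted attestation;
    # Admin-trusted mode works without one, so this is reported, not fatal.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings += 'No ready physical TPM (TPM-trusted attestation mode unavailable)'
    }

    # Component 4: HGS client configuration and the result of the last attestation.
    $hgs = Get-HgsClientConfiguration
    if (-not $hgs.AttestationServerUrl -or -not $hgs.KeyProtectionServerUrl) {
        $findings += 'HGS attestation or key protection URL is not configured'
    }
    if ($hgs.AttestationStatus -ne 'Passed') {
        $findings += "Attestation status is '$($hgs.AttestationStatus)' ($($hgs.AttestationSubstatus))"
    }
    if (-not $hgs.IsHostGuarded) {
        $findings += 'Host does not currently hold a valid health certificate'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Mode         = $hgs.AttestationOperationMode   # e.g. Tpm or ActiveDirectory
        Healthy      = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Report, and on an unhealthy host list the shielded VMs that will be unable
# to start (or restart) until attestation passes again.
$health = Test-GuardedHostHealth
$health | Format-List
if (-not $health.Healthy) {
    Get-VM | Where-Object { (Get-VMSecurity -VM $_).Shielded } | Select-Object Name, State
}
```

Running this from a scheduled task and alerting when Healthy flips to False gives early warning of the failure mode that matters most in practice: a host that silently drops out of attestation (expired certificate, changed CI policy, firmware update altering TPM measurements) and can no longer start its shielded VMs. For a deeper diagnosis of why attestation failed, Microsoft's Get-HgsTrace -RunDiagnostics cmdlet on the host gives the per-check breakdown.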

Our Accreditations

  • ISO 27001
  • FIRST
  • G-Cloud Accredited
  • ITIL Service Management
  • Microsoft Gold Partner
  • NHS IGSoC Approved
  • PCI DSS
  • PRINCE2
  • RIPE NCC Member
  • Tech UK
  • Veeam Gold Cloud & Service Provider Partner
  • PCI Participating Organization
  • Dell EMC Gold Partner
  • Cyber Essentials Plus
  • AWS Select Consulting Partner