Thales Blog

Enhancing Data Sovereignty: VMware Sovereign Cloud and Thales Join Forces

November 9, 2023

Emmanuel Bout | Business Development Manager Cloud Security, Thales

In a globalized world where data flows seamlessly across physical borders and is increasingly stored on public clouds, yet is still subject to local country laws, the ability to offer digital sovereignty solutions has become increasingly important for Cloud Service Providers. All data remains subject to the laws and regulations of its home country, regardless of where it resides. Additionally, in highly regulated sectors such as finance, healthcare, and state and local government, organizations need to meet additional compliance laws and mandates. Given these complexities, Cloud Service Providers are entrusted with a critical responsibility: ensuring that each customer’s data remains protected, compliant, and under the customer’s control. To meet this need, Thales and VMware are joining forces in a strategic partnership to offer customers the ability to retain control of their encryption keys and data.

The Challenge of Sovereign Key Management

According to an IDC report entitled “Implementing Digital Sovereignty in the Journey to Cloud”, 32% of companies use global Public Cloud Providers to store confidential data. This creates challenges related to managing sensitive data and keeping it secure.

While Public Cloud Providers running VMware in virtual environments can leverage vSphere VM Encryption or vSAN encryption to safeguard Virtual Machines and data at rest, the challenge lies in establishing key management that is both secure and adaptable to the evolving landscape of software-defined businesses. In any zero-trust environment, an organization needs indisputable authority over its most sensitive data assets, including the ability to prove ownership and governance. For this reason, retaining control and management of encryption keys is paramount.

When it comes to encryption keys, security best practice is to keep encrypted data-at-rest separate from the keys that protect it. Organizations hosting sensitive data, or looking to migrate workloads to the cloud, require enhanced control and ownership over their encryption keys to meet data sovereignty requirements as well as internal and external compliance mandates.

Thales provides a comprehensive portfolio of data security solutions that integrate with VMware, provide encryption key visibility and lifecycle management, and ensure that keys are stored separately from the sensitive data they protect.

Integrating VMware Cloud Director Ecosystem Platform with Thales CipherTrust Manager to Empower Digital Sovereignty

To meet customer data sovereignty needs, Thales has proudly joined the VMware Sovereign Cloud ecosystem to enable customers to retain control over their encryption keys and data.

Thales CipherTrust Manager enables organizations to centrally manage their encryption keys and policies. Through the integration of the Thales CipherTrust Manager and VMware Cloud Director (VCD) solutions, partners within the VMware Sovereign Cloud ecosystem are well-equipped to meet the data sovereignty demands of their customers. This robust fusion enables Service Providers and Enterprises alike to effectively provide and oversee cloud services, all the while ensuring data control and adherence to diverse compliance standards.

Running on VMware Sovereign Cloud Stack on VMware Cloud Foundation

In today's climate of heightened data sovereignty concerns and stringent regulations, implementing a Sovereign Cloud Stack on VMware Cloud Foundation provides organizations with a means to construct a compliant, secure, and location-specific cloud infrastructure. VMware Cloud Foundation (VCF) serves as a robust platform for the automated management of cloud environments, and the Sovereign Cloud Stack is a tailored extension designed to address the distinct needs of specific regions and industries.

Use Cases

1. Tenants bringing their own Encryption Key

In the field of data security, the notion of 'Tenants Bringing Their Own Encryption Keys' (BYOK) is increasingly significant. BYOK entails organizations, often cloud tenants, having the capability to oversee and regulate the encryption keys used to protect their data. This practice delivers multiple advantages, including compliance, control over data, alignment with regulations, and an overall boost in data security. In a climate marked by escalating data breaches and privacy issues, BYOK represents a strategic means of safeguarding sensitive information while harnessing the benefits of cloud and multi-cloud environments.

2. Tenants bringing their own Key Management Server

The trend of tenants adopting their own Key Management Servers for data encryption marks a substantial evolution in data security and control. This practice grants organizations the ability to customize encryption methods, meet regulatory requirements, and strengthen data security while reducing vendor lock-in risks. In a data-driven landscape plagued by breaches and privacy issues, owning and managing a KMS emerges as a strategic path to protect sensitive information. It's especially advantageous for organizations seeking precise, compliant data security solutions in multi-cloud or hybrid cloud environments.
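Both use cases above rest on one mechanism: the tenant's key-encryption key (KEK) stays in a key manager the tenant controls, while the provider holds only ciphertext and per-object data-encryption keys (DEKs) wrapped under that KEK. The following Go program is an added illustration of that separation and is not code from Thales, VMware or this page. The `TenantKMS` type is a hypothetical stand-in for a tenant-controlled key manager (the bring-your-own-KMS case), `CreateKEK` stands in for the tenant originating its own key (the BYOK case), and `ProviderEncrypt`/`ProviderDecrypt` model the provider side; key ids and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// TenantKMS is a hypothetical stand-in for a key manager under the tenant's
// control. It maps KEK ids to key-encryption keys and never releases them; the
// provider may only ask it to wrap or unwrap a DEK under a named KEK.
type TenantKMS map[string][]byte

// CreateKEK: the tenant, not the provider, originates the key (BYOK).
func (k TenantKMS) CreateKEK(id string) { k[id] = randomBytes(32) }
// Revoke deletes the KEK; every DEK wrapped under it, and so every object
// encrypted with such a DEK, becomes unrecoverable to the provider.
func (k TenantKMS) Revoke(id string) { delete(k, id) }

// Wrap and Unwrap are the only operations the provider can invoke.
func (k TenantKMS) Wrap(id string, dek []byte) ([]byte, error) {
	if kek, ok := k[id]; ok {
		return seal(kek, dek), nil
	}
	return nil, errors.New("kms: unknown or revoked key id " + id)
}

func (k TenantKMS) Unwrap(id string, wrapped []byte) ([]byte, error) {
	if kek, ok := k[id]; ok {
		return unseal(kek, wrapped)
	}
	return nil, errors.New("kms: unknown or revoked key id " + id)
}

// randomBytes draws from the OS CSPRNG; a failure here is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds AES-256-GCM; every key here is 32 bytes, so this cannot fail.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal returns nonce || ciphertext || tag.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// unseal reverses seal and rejects a tampered or truncated blob.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// EncryptedObject is everything the provider persists: no plaintext key material.
type EncryptedObject struct {
	KeyID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// ProviderEncrypt models the provider side: a per-object DEK encrypts the
// data, the tenant KMS wraps the DEK, and the plaintext DEK is discarded.
func ProviderEncrypt(kms TenantKMS, keyID string, plaintext []byte) (*EncryptedObject, error) {
	dek := randomBytes(32)
	wrapped, err := kms.Wrap(keyID, dek)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext)}, nil
}

// ProviderDecrypt cannot proceed unless the tenant KMS unwraps the DEK.
func ProviderDecrypt(kms TenantKMS, obj *EncryptedObject) ([]byte, error) {
	dek, err := kms.Unwrap(obj.KeyID, obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, obj.Ciphertext)
}
```

The point the program makes is the one the two use cases describe: the stored object carries only a wrapped DEK, so the provider can decrypt only while the tenant's key manager agrees to unwrap it, and calling `Revoke` on the tenant side leaves every object encrypted under that KEK unrecoverable to the provider without any change to the stored data.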

Targeted for Regulated Enterprises and VMware Sovereign Cloud Providers

Designed with a specific focus on regulated enterprises and VMware Sovereign Cloud providers, this solution offers a tailored approach to meet the unique demands and compliance requirements of these organizations. In a landscape where data security, sovereignty, and adherence to regulations are paramount, this offering provides the necessary tools and capabilities to address the needs of industries such as healthcare, finance, government, and more. By aligning with the requirements of these sectors, this solution enhances data protection, privacy, and regulatory compliance, making it an ideal choice for enterprises and cloud providers operating in these highly regulated and sensitive environments.

The Benefits for Enterprises and Cloud Providers

The seamless integration of Thales CipherTrust Manager into the VMware Sovereign Cloud program allows customers and cloud partners to provide a comprehensive solution for safeguarding and overseeing data in multi-cloud environments, effectively resolving issues related to data sovereignty and security.

Thales CipherTrust Manager delivers robust enterprise key management across on-premises data repositories and cloud infrastructures to centrally manage encryption keys and configure security policies so organizations can remain in control of sensitive data in the cloud, on-premises, and across hybrid environments.

This integration brings a host of invaluable benefits for both cloud service providers and their discerning customers.

  • Meet Compliance and Security Requirements: Through the seamless integration of CipherTrust Manager's robust key management features into VMware Sovereign Cloud, data is safeguarded against unauthorized access, enabling customers to fulfill their compliance requirements with confidence. Thales Luna HSMs (on-premises, or Luna Cloud HSM Services on Thales Data Protection on Demand) can integrate with CipherTrust Manager to provide a FIPS 140-2 Level 3 certified hardware root of trust. This ensures separation between sensitive data and encryption keys, helping to fulfill compliance and security requirements.
  • Accelerate Customer Workload Migration: The integration simplifies the migration journey, allowing Cloud Service Providers to swiftly onboard customers onto VMware Sovereign Cloud services. The increased speed and agility contribute to higher customer satisfaction levels, enabling the swift adoption of sovereign cloud environments while maintaining data security and control intact.
  • Grant the Right Data Controls: Data sovereignty is all about maintaining control over where and how data is stored and processed. By integrating Thales CipherTrust key management capabilities, VMware Sovereign Cloud Partners can assure customers that their data remains within the desired jurisdiction, subject to the proper regulatory boundaries. This level of control extends beyond geographical borders and regulations, allowing Cloud Service Providers to facilitate data governance according to their customers' unique requirements.

This collaboration exemplifies the unified dedication of Thales and VMware in delivering a seamless, secure, and streamlined cloud experience, firmly rooted in the essential principles of data sovereignty.

For more information on the VMware Sovereign Cloud and Thales CipherTrust Data Security Platform integration, download the solution brief, Thales CipherTrust Manager and VMware Cloud Director Encryption Management Solution.