There is an ever-increasing amount of money and resources spent to protect the physical systems running your virtual infrastructure: physical and biometric locks on racks, server rooms, and buildings; cameras, fences, and even armed guards. But what about the virtual systems themselves? There are no gate locks or walls inside a virtualized infrastructure. Can you keep a third-party admin from taking a copy of a virtual disk home to do what they will? Or even log that it was done? Or proactively stop rogue software on a virtualization host from modifying or inspecting guest servers? Virtualization, storage, and backup administrators all have access to the virtual fabric that hosts critical servers such as Active Directory or key databases, so these questions matter. Enter Hyper-V 2016, Shielded Virtual Machines and TPM v2.
Microsoft has built a virtualization fabric capable of protecting tenant workloads from inspection, theft, and tampering by malware and system administrators, both at rest and in flight. Within Hyper-V 2016, these protected workloads are referred to as “Shielded VMs”. Protection is rooted in hardware: TPM v2 provides rigorous attestation for Hyper-V 2016 Generation 2 VMs.
Using TPM v2 endorsement keys, code integrity policies and approved VM templates, Hyper-V and the Host Guardian Service prevent fabric administrators from inspecting, tampering with, or accessing the contents or state of shielded VMs. Hyper-V administrators cannot even see the video output or browse the disk contents of a shielded VM.
Both the host and the VM must pass measured health checks using TPM v2 in order to run Shielded VMs. Virtualization hosts must attest to the Host Guardian Service on the network to obtain the keys needed to start shielded VMs. Tampering with a virtualization host changes that host's measured attestation, and the Host Guardian Service will not release the encryption keys needed to start the VM. Similarly, each VM (using a virtual TPM v2) must present healthy measured attestation logs in order to start.
Microsoft invested deeply in ensuring your hosts and VMs can be born healthy and remain healthy. A simple adoption path is provided, starting with Admin-trusted mode and migrating to TPM-trusted mode as the Hyper-V hosts are upgraded. You get the same benefits in either mode, but TPM-trusted mode continually measures the virtualization hosts, whereas Admin-trusted hosts are attested to the Host Guardian Service by Active Directory group membership. The vTPM built into Gen 2 Hyper-V VMs is designed to migrate across platforms as systems are updated. You can start with a self-signed certificate to enforce strong separation within your organization, or integrate PKI to increase security and extend authorization to other Hyper-V 2016 systems.
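The two attestation modes and the migration between them, as an added PowerShell example (not from the original post or from Unitrends); the host name host01, the group GuardedHosts, the HGS address hgs.example.test, the VM name DC01 and the file paths are placeholders you would replace with your own:

```powershell
# Added example: registering guarded hosts with the Host Guardian Service in
# each trust mode, then checking attestation from the host and VM side.
# All names, SIDs and paths below are placeholders, not values from the post.

# --- On the Host Guardian Service (HgsServer module) ---
# Admin-trusted mode: a host attests by membership in an AD security group.
# -Identifier takes the group's SID (placeholder shown here).
Add-HgsAttestationHostGroup -Name 'GuardedHosts' -Identifier 'S-1-5-21-PLACEHOLDER'

# TPM-trusted mode: a host attests with its TPM v2 endorsement key, an approved
# code integrity policy and a measured baseline collected on a reference host.
Add-HgsAttestationTpmHost   -Path 'C:\HgsInput\host01-ekpub.xml'     -Name 'host01'
Add-HgsAttestationCIPolicy  -Path 'C:\HgsInput\HW1-CIPolicy.p7b'     -Name 'HW1 CI policy'
Add-HgsAttestationTpmPolicy -Path 'C:\HgsInput\HW1-Baseline.tcglog'  -Name 'HW1 baseline'

# Migration path: once hosts have TPM v2, switch HGS from Admin-trusted to
# TPM-trusted (the reverse is -TrustActiveDirectory).
Set-HgsServer -TrustTpm

# --- On a Hyper-V 2016 guarded host (HgsClient module) ---
# Collect the artifacts that the TPM-trusted registration above consumes.
(Get-PlatformIdentifier -Name 'host01').InnerXml |
    Out-File 'C:\HgsInput\host01-ekpub.xml' -Encoding UTF8
Get-HgsAttestationBaselinePolicy -Path 'C:\HgsInput\HW1-Baseline.tcglog' -SkipValidation

# Point the host at HGS and confirm it attested. A host whose measurements have
# drifted shows a failing AttestationStatus and receives no keys to start shielded VMs.
Set-HgsClientConfiguration -AttestationServerUrl   'http://hgs.example.test/Attestation' `
                           -KeyProtectionServerUrl 'http://hgs.example.test/KeyProtection'
Get-HgsClientConfiguration |
    Select-Object AttestationOperationMode, AttestationStatus, AttestationSubstatus

# --- Per-VM check: is this Gen 2 VM actually shielded, with a vTPM enabled? ---
Get-VMSecurity -VMName 'DC01' |
    Select-Object Shielded, TpmEnabled, EncryptStateAndVmMigrationTraffic
```

AttestationStatus of Passed on the host, and Shielded and TpmEnabled both True on the VM, are the conditions the post describes for a shielded VM being allowed to start.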
Backup and recovery at the VM level work the same way, as long as the recovery target is a host known to the Host Guardian Service. Recovering individual files from a protected Shielded VM therefore requires a trusted virtualization host.
Exciting stuff for an organization to protect secrets while extending their data centers and allowing service providers to confirm for customers that their secrets are safe.
For more information, Dean Wells led some great sessions at Microsoft Insight earlier this year. Take time to watch his videos linked below.
Unitrends will soon be releasing support for Hyper-V 2016. To give Hyper-V 2016 and Unitrends a test run, sign up for our beta program today.