We consider the hardware-based solution to be the most secure, as it has some features that are not present in the virtual solution.
- Does not allow intrusion through the virtualization supervision system;
- Protection of the cryptographic key in hardware;
- Disk Encryption: Disks are encrypted so that they cannot be read on another physical server;
- Protection of physical access to the vault in data centers and controlled access locations;
- Physical access protection to disks: disks can be internal and cannot be removed even if the attacker has access to the appliance;
- Allows data destruction in case of appliance breach.
As for availability?
Solution availability is a crucial point of a password vault project. In the virtualized solution, infrastructure availability is transferred to the virtualization environment, both for disaster recovery and high availability.
In the physical appliance solution, availability depends exclusively on the appliances. Therefore, a project with a physical safe must include at least two boxes working in high availability, and if possible three, with one of them in contingency in another location.
Disaster Recovery
In the appliance solution, disaster recovery technology is built into the solution. It is transparent to the customer and is the supplier’s full responsibility, not involving the contracting party’s operation. In this case, it is important that the disaster contingency solution has separate costs, which may need to be scaled when evaluating the project’s TCO.