vSphere Trust Authority (vTA) is Available in vSphere 7.0

We all know VMware talks a lot about intrinsic security, the idea that security in a vSphere environment is built into the product at a deep level rather than bolted on afterwards as a separate integration. vSphere Trust Authority (vTA) is a tool to help ensure that our infrastructure is safe and secure, and that if its security is ever in question we act to repair it.

Once the vTA management cluster is established, it handles two big tasks.

First, it takes over distribution of the encryption keys obtained from the Key Management Servers (KMS), a job that vCenter Server otherwise performs. This removes vCenter Server from the critical path for those keys, which in turn means that vCenter Server itself can now be encrypted.

Second, vTA handles attestation of the other hosts. Because vTA controls the encryption keys, a host that fails attestation is simply not given them, which prevents encrypted workloads from moving to that host until the problem is resolved. That is exactly what any customer wants: we do not want our secrets handed to potentially untrustworthy servers.
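To make the gating concrete, here is a small added model of attestation-gated key release. It is illustrative code written for this post, not VMware's code and not vTA's actual wire protocol: HMAC stands in for TPM quote signatures and for signed tokens, the host names, boot images and measurement allow-list are constructed, and the `AttestationService`, `KeyProvider` and `Host` classes are hypothetical. What it shows is the decision the paragraph describes: a host that boots trusted software and proves it with a fresh, authentic quote receives a short-lived token and can fetch keys; a tampered host, a forged quote, an unenrolled host, a replayed quote and an expired token are all refused keys.

```python
"""Toy model of attestation-gated key release (illustrative, not vTA's protocol)."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed policy: SHA-256 measurements of boot software we are willing to trust.
TRUSTED_MEASUREMENTS = {hashlib.sha256(b"esxi-7.0-trusted-image").hexdigest()}


def _mac(key: bytes, payload: dict) -> str:
    """HMAC over canonical JSON; stands in for a TPM signature or a service signature."""
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), "sha256").hexdigest()


class Host:
    """An ESXi-like host (hypothetical); `ak` plays the role of its TPM attestation key."""

    def __init__(self, host_id: str, boot_image: bytes):
        self.host_id = host_id
        self.ak = secrets.token_bytes(32)
        # Measurement taken at boot, like a PCR extended with the image hash.
        self.measurement = hashlib.sha256(boot_image).hexdigest()

    def quote(self, nonce: str) -> dict:
        """Quote the current measurement, bound to the verifier's nonce and MACed with the AK."""
        body = {"host_id": self.host_id, "nonce": nonce, "measurement": self.measurement}
        return {**body, "mac": _mac(self.ak, body)}


class AttestationService:
    """Verifies quotes against policy and issues short-lived attestation tokens."""

    TOKEN_TTL = 300  # seconds a successful attestation stays valid

    def __init__(self):
        self.enrolled = {}         # host_id -> attestation key, captured at enrollment
        self.outstanding = set()   # nonces issued but not yet consumed
        self.signing_key = secrets.token_bytes(32)

    def enroll(self, host: Host) -> None:
        self.enrolled[host.host_id] = host.ak

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def attest(self, quote: dict, now: Optional[float] = None) -> Optional[dict]:
        """Return a signed token if the quote is fresh, authentic and trusted, else None."""
        if quote["nonce"] not in self.outstanding:
            return None                              # replayed or unsolicited quote
        self.outstanding.discard(quote["nonce"])     # nonces are single use
        ak = self.enrolled.get(quote["host_id"])
        if ak is None:
            return None                              # host never enrolled
        body = {k: quote[k] for k in ("host_id", "nonce", "measurement")}
        if not hmac.compare_digest(_mac(ak, body), quote["mac"]):
            return None                              # quote not produced by this host's AK
        if quote["measurement"] not in TRUSTED_MEASUREMENTS:
            return None                              # host booted untrusted software
        now = time.time() if now is None else now
        claims = {"host_id": quote["host_id"], "exp": now + self.TOKEN_TTL}
        return {**claims, "sig": _mac(self.signing_key, claims)}

    def verify_token(self, token: dict, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        claims = {k: v for k, v in token.items() if k != "sig"}
        return hmac.compare_digest(_mac(self.signing_key, claims), token["sig"]) and now < claims["exp"]


class KeyProvider:
    """Holds workload keys and releases them only against a valid attestation token."""

    def __init__(self, attestation: AttestationService):
        self.attestation = attestation   # a real provider would hold only the service's public key
        self.keys = {"vm-disk-key": secrets.token_bytes(32)}   # constructed key material

    def release_key(self, key_id: str, token: Optional[dict], now: Optional[float] = None) -> Optional[bytes]:
        if token is None or not self.attestation.verify_token(token, now):
            return None
        return self.keys.get(key_id)


def run_scenario(now: float = 1_700_000_000.0) -> dict:
    """Exercise the gate: trusted, tampered, forged, unenrolled, replayed and expired cases."""
    svc = AttestationService()
    kp = KeyProvider(svc)
    good = Host("esx01", b"esxi-7.0-trusted-image")
    bad = Host("esx02", b"esxi-7.0-trusted-image-plus-rootkit")
    rogue = Host("esx03", b"esxi-7.0-trusted-image")   # right software, never enrolled
    svc.enroll(good)
    svc.enroll(bad)
    results = {}
    good_token = svc.attest(good.quote(svc.challenge()), now)
    results["trusted_host_gets_key"] = kp.release_key("vm-disk-key", good_token, now) == kp.keys["vm-disk-key"]
    results["tampered_host_denied"] = svc.attest(bad.quote(svc.challenge()), now) is None
    # A compromised host that claims the trusted measurement cannot re-MAC the quote without the AK.
    forged = bad.quote(svc.challenge())
    forged["measurement"] = next(iter(TRUSTED_MEASUREMENTS))
    results["forged_measurement_denied"] = svc.attest(forged, now) is None
    results["unenrolled_host_denied"] = svc.attest(rogue.quote(svc.challenge()), now) is None
    replayed = good.quote(svc.challenge())
    svc.attest(replayed, now)
    results["replay_denied"] = svc.attest(replayed, now) is None
    results["expired_token_denied"] = kp.release_key("vm-disk-key", good_token, now + 301) is None
    return results


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check:28s} {'PASS' if ok else 'FAIL'}")
```

Running the file prints PASS for every case. The design point is that the key provider never inspects hardware itself; it trusts only a fresh token from the attestation service, so the "is this host trustworthy" decision is made once, in one place, and enforced by withholding key material rather than by policy on the host.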

vSphere Trust Authority is a new and foundational technology, helping customers build trust in their hardware and software configurations at deeper levels. At first glance it might look like vSphere Trust Authority is adding complexity, with a separate cluster and additional configuration work. However, security-oriented customers with larger deployments will find that it has the very real potential to simplify operations in their environments. The vTA management cluster can be used to attest thousands of hosts and clusters, so the cost and complexity of that cluster is offset by the lower risk and higher trust that vTA brings to the entire enterprise.
