In the virtual realm, especially when one does not have direct access to the environment, there is just one way to protect data: full VM encryption. Unlike application encryption, VM encryption does not take into account what is on the virtual machine. It simply encrypts the file (vmdk in VMware, for example) that is on the virtual machine. That sounds simple enough, but there are several wrinkles that one needs to consider. SafeNet has considered them and, at least in the context of Amazon Web Services (AWS), has provided the right combination of hardware, software and services in its ProtectV AWS offering.
With ProtectV, everything in the user's cloud is encrypted. This starts with secure provisioning and continues through the entire VM lifecycle, including VM destruction. The encryption is completely transparent and does not interfere with the applications running on the VM. It also takes into account that VMs go down for brief periods of time, and that it would be inconvenient to re-authenticate after every power spike or reboot during OS or application updating/patching.
Best of all, there is no way to fool the system into allowing unauthorized access simply by stealing the VM file and rebooting it on a different system. Authentication will still be required, so the intruder makes no gains.
This, overall, is an impressive system, and it addresses the lack of VM control in public clouds head-on. For private clouds, it is just as important, especially where multiple groups within the same organization share the cloud. The big strength of this one is its ability to secure at the VM level in a multitenant environment, whether that environment is private or public.