HyTrust Claims Advances In Virtual Data Center Ops - InformationWeek
9/4/2015
09:15 AM
VMware security partner HyTrust has been pushing new steps in virtual machine and virtual network operations, including role-based access.

HyTrust, a security firm working on virtualization, has released HyTrust CloudControl 4.5 as an add-on to VMware's NSX software-defined networking. This new version of CloudControl places role-based access controls on NSX network segments.

Release 4.5 moves security down into the virtualization layers of an NSX-based network. Each segment can carry its own security policy, so one physical network can host many subnets with different security requirements.

In effect, each micro-segment of the network can be operated on a zero-trust model, said Eric Chiu, president and cofounder of HyTrust, which has been a longtime VMware security partner. Only those with the correct role and access permission get to use the segment. The enforcement can be automatically scaled across thousands of small, virtual nets, he said in an interview at VMworld this week in San Francisco.

In addition, CloudControl 4.5 separates those who are authorized to set the access permissions and operate the virtualized network from those who can monitor it. That separation "ensures that only authorized personnel can configure security controls and policies," said Chiu.

VMware leadership, including Martin Casado, senior vice president of networking; Tom Corn, senior vice president of security products; and Bruce Davie, CTO of networks, have been joined by third parties such as Chiu in saying the nature of the virtualized data center, with its virtual machines and subdivided virtual networks, is so different that IT's thinking is still struggling to catch up with the new reality.

(Image: maxkabakov/iStockphoto)

"The idea of the physical data center, with 1u and 2u rack-mount servers, that's all amorphous now. Those servers are just [virtual machine] files," connected by a virtual network, noted Chiu.

Security needs to move deep into the infrastructure rather than sitting only at the edge, in firewalls or other devices "inspecting packets on the network." Under the older model, traffic between servers inside the data center has tended to be left unprotected.

CloudControl monitors activity inside the data center -- not only the actions of network administrators and operators, but also the communications between servers -- and watches for patterns of misbehavior. If a user has just been denied permission 30 times while trying to do something the user's role does not permit, that user's actions are blocked until the activity is investigated. If someone attempts to change a production resource, a two-man rule is applied: the change is blocked until an authorized manager approves it.
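The following Python sketch is an added illustration, not HyTrust code, of the controls described in the last two paragraphs: role-based permissions on a segment, a monitoring role that cannot configure, a lockout after repeated denials, and a two-person rule for production changes. The principals, roles and the lockout threshold are constructed for the example; the article gives 30 denials only as an illustration, and nothing here describes how CloudControl implements these checks.

```python
from collections import defaultdict

DENIAL_LOCKOUT_THRESHOLD = 30   # the article's example figure; assumed to be configurable

# Role -> permitted (action, resource) pairs. The auditor role can read the
# segment state and the audit log but can never configure anything: that is
# the separation between operating and monitoring described above.
ROLE_PERMISSIONS = {
    "netadmin": {("configure", "segment"), ("read", "segment"), ("read", "audit_log")},
    "auditor": {("read", "segment"), ("read", "audit_log")},
}

# Constructed sample directory: principal -> role.
DIRECTORY = {"alice": "netadmin", "bob": "netadmin", "carol": "auditor", "mallory": "auditor"}


class PolicyGate:
    def __init__(self, threshold=DENIAL_LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.denials = defaultdict(int)   # consecutive denials per principal
        self.locked = set()               # principals blocked pending investigation
        self.pending = {}                 # production changes awaiting a second person
        self.audit = []                   # every decision, readable by the auditor role

    def _record(self, principal, action, resource, outcome, reason):
        self.audit.append((principal, action, resource, outcome, reason))
        return outcome

    def _deny(self, principal, action, resource, reason):
        self.denials[principal] += 1
        if self.denials[principal] >= self.threshold:
            self.locked.add(principal)
            reason += "; principal locked pending investigation"
        return self._record(principal, action, resource, "deny", reason)

    def request(self, principal, action, resource, environment="dev", approver=None):
        """Return 'allow', 'deny' or 'pending'."""
        if principal in self.locked:
            return self._record(principal, action, resource, "deny", "principal is locked")
        role = DIRECTORY.get(principal)
        if (action, resource) not in ROLE_PERMISSIONS.get(role, set()):
            return self._deny(principal, action, resource, f"role {role!r} lacks {action} on {resource}")
        # Two-person rule: a change to a production resource needs a second,
        # distinct principal who is themselves entitled to make that change.
        if action == "configure" and environment == "production":
            if approver is None:
                self.pending[(principal, action, resource)] = environment
                return self._record(principal, action, resource, "pending", "awaiting second-person approval")
            approver_perms = ROLE_PERMISSIONS.get(DIRECTORY.get(approver), set())
            if approver == principal or (action, resource) not in approver_perms:
                return self._deny(principal, action, resource, f"approver {approver!r} is not valid")
            self.pending.pop((principal, action, resource), None)
        self.denials[principal] = 0       # a permitted action resets the streak
        return self._record(principal, action, resource, "allow", "ok")


def demo():
    """Exercise each control; threshold lowered from 30 so the lockout is visible."""
    gate = PolicyGate(threshold=3)
    outcomes = [
        gate.request("alice", "configure", "segment"),                          # dev change: allow
        gate.request("alice", "configure", "segment", "production"),            # no approver: pending
        gate.request("alice", "configure", "segment", "production", "alice"),   # self-approval: deny
        gate.request("alice", "configure", "segment", "production", "bob"),     # second netadmin: allow
        gate.request("carol", "read", "audit_log"),                             # auditor may monitor
        gate.request("carol", "configure", "segment"),                          # auditor may not configure
    ]
    for _ in range(3):                                                          # three strikes -> locked
        gate.request("mallory", "configure", "segment")
    outcomes.append(gate.request("mallory", "read", "audit_log"))               # permitted by role, but locked
    return outcomes, sorted(gate.locked)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Two design points worth noting: a lockout overrides the role check, so a locked principal is refused even for actions the role would otherwise permit, and self-approval is rejected explicitly, since a two-person rule that accepts the requester as the approver enforces nothing.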

For NSX, CloudControl ensures that authentication and authorization requirements are met. These may include two-factor authentication, tokens, smart cards, Cisco's long-established TACACS+, and the IETF's RADIUS standard. The 4.5 release is one sign that third-party security vendors are beginning to take NSX seriously and to add finer-grained controls than are generally available.

[Want to learn more about NSX security? See VMware Expanding NSX Security.]

In a similar vein, HyTrust will announce later this month DataControl Version 3.0 for locking down virtual machines and securing the data they carry. The protection is intended to apply from the moment of provisioning until the VM is decommissioned.

As VMware, Citrix, and Microsoft have already done, HyTrust is working with Intel's hardware-based trust features on Xeon servers to verify that the platform a workload claims to be running on is the platform actually present. Intel Trusted Execution Technology (TXT) measures the boot process and checks that an authentic version of the operating system or hypervisor has started in a known-good environment, resulting in a trusted system.

Chiu gave the example of an Active Directory Domain Controller as a server that is a good target to virtualize, since it's engaged in heavy use a few times a day and light use throughout much of the day. By putting a Domain Controller on a scalable virtual machine, fewer resources are tied up in its operation than would be if all Domain Controllers needed their own physical servers.

Fred Kost, HyTrust senior vice president of marketing, said a large toy retailer "was about ready to spend $3 million to refresh the hardware for its Domain Controllers" but decided to virtualize them instead, saving part of the expense. It used HyTrust to secure the virtual machines, since a compromise of the Domain Controllers would have led to many compromises around the company.

DataControl 3.0 encrypts virtual machines and their data at rest. Data stays encrypted in transit and is decrypted only at the moment of use inside the running virtual machine, whose boundaries help protect it from would-be thieves or intruders. DataControl also checks that the physical servers, such as the hosts for the Domain Controllers, are running authentic software in a trusted environment.

It also extends what HyTrust calls its boundary controls by using TXT to prevent a VM from running on hardware it is not authorized to run on, Kost said in an interview.
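The boundary control described in the preceding paragraphs reduces to a policy decision: release a VM's data-encryption key only to a host that has attested a known-good boot measurement and that sits inside the boundary the VM is allowed to run in. The Python sketch below is an added illustration of that decision flow; it is not HyTrust's or Intel's code, and it stands in for real attestation artifacts with constructed ones: a per-host HMAC key plays the role of a TPM attestation key, a single chained SHA-256 digest plays the role of the PCR values TXT records at boot, and the host names, sites and boot components are invented for the example.

```python
import hashlib
import hmac
import secrets

# Constructed fixtures. A real host would present a TPM quote over PCRs that
# Intel TXT populated at boot; here a per-host HMAC key stands in for the
# TPM's attestation key, and one chained digest stands in for the PCR set.
HOST_KEYS = {name: secrets.token_bytes(32) for name in ("esx-sfo-01", "esx-sfo-02", "esx-nyc-01")}
HOST_SITE = {"esx-sfo-01": "sfo", "esx-sfo-02": "sfo", "esx-nyc-01": "nyc"}


def measure(*components):
    """Chain-hash boot components the way a PCR is extended: pcr = H(pcr || H(c))."""
    pcr = bytes(32)
    for component in components:
        pcr = hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()
    return pcr


# The one firmware + hypervisor stack the operator has approved (constructed values).
KNOWN_GOOD = {measure(b"firmware-v2", b"hypervisor-v6")}


class Host:
    """A hypervisor host that can produce a signed attestation of what it booted."""
    def __init__(self, name, *boot_components):
        self.name = name
        self.pcr = measure(*boot_components)

    def quote(self, nonce):
        msg = self.name.encode() + nonce + self.pcr
        sig = hmac.new(HOST_KEYS[self.name], msg, hashlib.sha256).digest()
        return {"host": self.name, "nonce": nonce, "pcr": self.pcr, "sig": sig}


class KeyServer:
    """Holds each VM's data-encryption key and releases it only to a host that
    attests a known-good stack and sits inside the VM's permitted boundary."""
    def __init__(self):
        self.vm_keys = {}         # vm name -> (dek, policy)
        self.outstanding = set()  # nonces issued but not yet consumed

    def register_vm(self, vm, sites):
        dek = secrets.token_bytes(32)
        self.vm_keys[vm] = (dek, {"sites": set(sites), "measurements": KNOWN_GOOD})
        return dek

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def release(self, vm, q):
        """Return (dek, 'ok') or (None, reason)."""
        dek, policy = self.vm_keys[vm]
        if q["nonce"] not in self.outstanding:
            return None, "stale or unknown nonce"
        self.outstanding.discard(q["nonce"])           # each challenge is single-use
        key = HOST_KEYS.get(q["host"])
        msg = q["host"].encode() + q["nonce"] + q["pcr"]
        if key is None or not hmac.compare_digest(
                hmac.new(key, msg, hashlib.sha256).digest(), q["sig"]):
            return None, "quote signature invalid"
        if q["pcr"] not in policy["measurements"]:
            return None, "measurement not in known-good set"
        if HOST_SITE.get(q["host"]) not in policy["sites"]:
            return None, "host outside the VM's permitted boundary"
        return dek, "ok"


def demo():
    """Walk the cases a boundary control has to handle."""
    ks = KeyServer()
    dek = ks.register_vm("dc01", sites=["sfo"])
    good = Host("esx-sfo-01", b"firmware-v2", b"hypervisor-v6")
    tampered = Host("esx-sfo-02", b"firmware-v2", b"hypervisor-v6-modified")
    offsite = Host("esx-nyc-01", b"firmware-v2", b"hypervisor-v6")
    verdicts = {}
    q = good.quote(ks.challenge())
    released, verdicts["trusted host"] = ks.release("dc01", q)
    _, verdicts["replayed quote"] = ks.release("dc01", q)
    _, verdicts["tampered stack"] = ks.release("dc01", tampered.quote(ks.challenge()))
    _, verdicts["wrong site"] = ks.release("dc01", offsite.quote(ks.challenge()))
    forged = tampered.quote(ks.challenge())
    forged["pcr"] = good.pcr                          # claim the good measurement without having it
    _, verdicts["forged measurement"] = ks.release("dc01", forged)
    return released == dek, verdicts


if __name__ == "__main__":
    ok, verdicts = demo()
    print(ok, verdicts)
```

The order of the checks matters: the nonce is consumed before the signature is verified, so a captured quote cannot be replayed, and the measurement is covered by the signature, so a host cannot substitute a known-good digest for the one it actually booted. The site check is what turns attestation into a boundary: a host that is perfectly trustworthy but in the wrong data center still gets no key.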

These additions to the security profile of virtual machine operation show how security measures can be embedded more deeply in the infrastructure of a virtualized environment. They make the degree of strictness and control less of a judgment call or manual operation and more of a policy-enforced one, Chiu said.

CloudControl 4.5 is generally available, with pricing for NSX protection starting at $1,650 per NSX socket.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

Comments
Charlie Babcock (Author), 9/4/2015, 2:04:39 PM
It depends...
Always a good question, Li, and one that can only be answered on a case by case basis.
Li Tan (Ninja), 9/4/2015, 11:58:06 AM
Endless war
Cloud security is always a hot topic, and the war is endless. To me, role-based access is the right strategy, but the effectiveness depends on how robust the security model is. In other words, is the role definition/data model flawless enough to mitigate possible attacks?