Containers 101: 10 Terms To Know

HyTrust, a security firm working on virtualization, has released HyTrust CloudControl 4.5 as an add-on to VMware's NSX software-defined networking. This new version of CloudControl places role-based access controls on NSX network segments.

Release 4.5 moves security down into the virtualization layers of an NSX-based network. This allows each segment to take on its own security aspects and enables one physical network to host many different types of subnets.

In effect, each micro-segment of the network can be operated on a zero-trust model, said Eric Chiu, president and cofounder of HyTrust, which has been a longtime VMware security partner. Only those with the correct role and access permission get to use the segment. The enforcement can be automatically scaled across thousands of small, virtual nets, he said in an interview at VMworld this week in San Francisco.

In addition, CloudControl 4.5 separates those who are authorized to set the access permissions and operate the virtualized network from those who can monitor it. That separation "ensures that only authorized personnel can configure security controls and policies," said Chiu.

VMware leadership, including Martin Casado, senior vice president of networking; Tom Corn, senior vice president of security products; and Bruce Davie, CTO of networks, have been joined by third parties such as Chiu in saying the nature of the virtualized data center, with its virtual machines and subdivided virtual networks, is so different that IT's thinking is still struggling to catch up with the new reality.

"The idea of the physical data center, with 1u and 2u rack-mount servers, that's all amorphous now. Those servers are just [virtual machine] files," connected by a virtual network, noted Chiu.

Security needs to move deep into the infrastructure, not just at the edge in firewalls or elsewhere "inspecting packets on the network." Communications between servers within the data center have tended to be left unprotected by the older model.

CloudControl monitors activity inside the data center -- not only the activity of network administrators and operators, but also the communications between servers -- and watches for patterns of misbehavior. If someone has just been denied permission 30 times for trying to do something that his role does not permit, his actions are blocked until the activity is investigated. If someone attempts to change a production resource, a two-man rule is applied. The action is blocked until an authorized manager approves it.

For NSX, CloudControl ensures that authentication and authorization requirements are met. These may  include two-factor authentication, tokens, smart cards, Unix's time-honored TACACS+, and the IETF's Radius standard. The 4.5 release is one sign of how third-party security vendors are beginning to take NSX seriously and add on finer-grained controls than available in the general market.

[Want to learn more about NSX security? See VMware Expanding NSX Security.]

In a similar vein, HyTrust will announce later this month DataControl Version 3.0 for locking down virtual machines and securing the data they carry. The protection is intended to apply from the moment of provisioning until the VM is decommissioned.

As VMware, Citrix, and Microsoft have already done, HyTrust is working with Intel Xeon hardware control to test and verify that the hardware claimed is the actual platform that is present. Intel has built in Trust Execution Technology (TXT) to check that an authentic version of the operating system has started in a trusted environment, resulting in a trusted system.

Chiu gave the example of an Active Directory Domain Controller as a server that is a good target to virtualize, since it's engaged in heavy use a few times a day and light use throughout much of the day. By putting a Domain Controller on a scalable virtual machine, fewer resources are tied up in its operation than would be if all Domain Controllers needed their own physical servers.

Fred Kost, HyTrust senior vice president of marketing, said a large toy retailer "was about ready to spend $3 million to refresh the hardware for its Domain Controllers" but decided to virtualize them instead, saving part of the expense. It used HyTrust to secure the virtual machines, since a compromise of the Domain Controllers would have led to many compromises around the company.

DataControl 3.0 encrypts the virtual machines and their data at rest. Data remains encrypted in transit until the moment of use inside the virtual machine, whose boundaries help protect the data from would-be thieves or intruders. It ensures physical servers, such as the Domain Controller hosts, are running authentic operating systems in a trusted environment.

It also extends what HyTrust calls its boundary controls by using TXT to prohibit VMs from running on authorized hardware, Kost said in an interview.

These additions to the security profile of virtual machine operation show how security measures can be embedded more deeply in the infrastructure of a virtualized environment. They make the degree of strictness and control less of a judgment call or manual operation and more of a policy-enforced one, Chiu said.

CloudControl 4.5 is generally available, with pricing for NSX protection starting at $1,650 per NSX socket.