HyTrust Claims Advances In Virtual Data Center Ops - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Cloud // Infrastructure as a Service
News
9/4/2015
09:15 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

HyTrust Claims Advances In Virtual Data Center Ops

VMware security partner HyTrust has been pushing new steps in virtual machine and virtual network operations, including role-based access.

Containers 101: 10 Terms To Know
Containers 101: 10 Terms To Know
(Click image for larger view and slideshow.)

HyTrust, a security firm working on virtualization, has released HyTrust CloudControl 4.5 as an add-on to VMware's NSX software-defined networking. This new version of CloudControl places role-based access controls on NSX network segments.

Release 4.5 moves security down into the virtualization layers of an NSX-based network. This allows each segment to take on its own security aspects and enables one physical network to host many different types of subnets.

In effect, each micro-segment of the network can be operated on a zero-trust model, said Eric Chiu, president and cofounder of HyTrust, which has been a longtime VMware security partner. Only those with the correct role and access permission get to use the segment. The enforcement can be automatically scaled across thousands of small, virtual nets, he said in an interview at VMworld this week in San Francisco.

In addition, CloudControl 4.5 separates those who are authorized to set the access permissions and operate the virtualized network from those who can monitor it. That separation "ensures that only authorized personnel can configure security controls and policies," said Chiu.

VMware leadership, including Martin Casado, senior vice president of networking; Tom Corn, senior vice president of security products; and Bruce Davie, CTO of networks, have been joined by third parties such as Chiu in saying the nature of the virtualized data center, with its virtual machines and subdivided virtual networks, is so different that IT's thinking is still struggling to catch up with the new reality.

(Image: maxkabakov/iStockphoto)

(Image: maxkabakov/iStockphoto)

"The idea of the physical data center, with 1u and 2u rack-mount servers, that's all amorphous now. Those servers are just [virtual machine] files," connected by a virtual network, noted Chiu.

Security needs to move deep into the infrastructure, not just at the edge in firewalls or elsewhere "inspecting packets on the network." Communications between servers within the data center have tended to be left unprotected by the older model.

CloudControl monitors activity inside the data center -- not only the activity of network administrators and operators, but also the communications between servers -- and watches for patterns of misbehavior. If someone has just been denied permission 30 times for trying to do something that his role does not permit, his actions are blocked until the activity is investigated. If someone attempts to change a production resource, a two-man rule is applied. The action is blocked until an authorized manager approves it.

For NSX, CloudControl ensures that authentication and authorization requirements are met. These may  include two-factor authentication, tokens, smart cards, Unix's time-honored TACACS+, and the IETF's Radius standard. The 4.5 release is one sign of how third-party security vendors are beginning to take NSX seriously and add on finer-grained controls than available in the general market.

[Want to learn more about NSX security? See VMware Expanding NSX Security.]

In a similar vein, HyTrust will announce later this month DataControl Version 3.0 for locking down virtual machines and securing the data they carry. The protection is intended to apply from the moment of provisioning until the VM is decommissioned.

As VMware, Citrix, and Microsoft have already done, HyTrust is working with Intel Xeon hardware control to test and verify that the hardware claimed is the actual platform that is present. Intel has built in Trust Execution Technology (TXT) to check that an authentic version of the operating system has started in a trusted environment, resulting in a trusted system.

Chiu gave the example of an Active Directory Domain Controller as a server that is a good target to virtualize, since it's engaged in heavy use a few times a day and light use throughout much of the day. By putting a Domain Controller on a scalable virtual machine, fewer resources are tied up in its operation than would be if all Domain Controllers needed their own physical servers.

Fred Kost, HyTrust senior vice president of marketing, said a large toy retailer "was about ready to spend $3 million to refresh the hardware for its Domain Controllers" but decided to virtualize them instead, saving part of the expense. It used HyTrust to secure the virtual machines, since a compromise of the Domain Controllers would have led to many compromises around the company.

DataControl 3.0 encrypts the virtual machines and their data at rest. Data remains encrypted in transit until the moment of use inside the virtual machine, whose boundaries help protect the data from would-be thieves or intruders. It ensures physical servers, such as the Domain Controller hosts, are running authentic operating systems in a trusted environment.

It also extends what HyTrust calls its boundary controls by using TXT to prohibit VMs from running on authorized hardware, Kost said in an interview.

These additions to the security profile of virtual machine operation show how security measures can be embedded more deeply in the infrastructure of a virtualized environment. They make the degree of strictness and control less of a judgment call or manual operation and more of a policy-enforced one, Chiu said.

CloudControl 4.5 is generally available, with pricing for NSX protection starting at $1,650 per NSX socket.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Author
9/4/2015 | 2:04:39 PM
It depends...
Always a good question, Li, and one that can only be answered on a case by case basis.
Li Tan
50%
50%
Li Tan,
User Rank: Ninja
9/4/2015 | 11:58:06 AM
Endless war
The cloud security is always a hot topic and the war is endless. To me the role-based access is the right strategy but the effectiveness depends on how robust the security model is. In other words, is the role definition/data model flawless to mitigate possible attacks?
Slideshows
IT Careers: 12 Job Skills in Demand for 2020
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/1/2019
Commentary
Enterprise Guide to Multi-Cloud Adoption
Cathleen Gagne, Managing Editor, InformationWeek,  9/27/2019
Commentary
5 Ways CIOs Can Better Compete to Recruit Top Tech Talent
Guest Commentary, Guest Commentary,  10/2/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Data Science and AI in the Fast Lane
This IT Trend Report will help you gain insight into how quickly and dramatically data science is influencing how enterprises are managed and where they will derive business success. Read the report today!
Slideshows
Flash Poll