HyTrust Secondary Approval Preventing Major Disaster
On Monday I had a great meeting with Eric Chiu, founder and president, of HyTrust.
We talked about the power administrators have in a virtual world nowadays. More and more data centers are turned into virtual datacenters (vDC) and are being automated to the max. So basically an organization gives any administrator a gun pointed at the heart of the organization. One person could harm a company BIG time from one pane of glass!
Fortunately we can do something against that now by doing a Secondary Approval like they have in the military to prevent accidental or malicious launch of nuclear weapons by a single individual. Eric continued: “Without proper controls in place, the expansion of virtualization will continue to grow, but we will see, in parallel, security and compliance concerns will increase rapidly.”
The HyTrust Appliance is not a physical piece of hardware. It’s a VMware vSphere compatible virtual appliance that’s deployed right alongside the rest of the virtual infrastructure. It can be deployed on the same hypervisor that it is actively protecting. HyTrust can ensure that certain workloads are only permitted to boot up on specific hosts or specific clusters, which is critical for compliance with PCI-DSS, HIPAA or ISO27000/1. Through a partnership with Intel, HyTrust can verify the integrity of the physical hardware of the host to ensure that the underlying platform is fully trusted. Through its unique ability to label virtual objects and then apply policies to those labels, HyTrust Appliance offers flexibility and control that’s unmatched.
With a HyTrust Appliance in place, there are no anonymous changes to the virtual infrastructure. All administrative access must first be authenticated. HyTrust can leverage any pre-existing investment in LDAP or AD. You can also use two-factor authentication with SecurID or smart cards for even tighter security. In the event that root access is required, HyTrust Appliance features root password vaulting, which enables certain administrators to check out a temporary password for one-time access. The main benefit is that organizations can confidently declare that all access to the environment may be tied back to a specific individual—a critical requirement in security and compliance-conscious data centers.
HyTrust Appliance inspects every virtual infrastructure change request, approving or denying it in accordance with your defined policies. These policies are fully customizable and flexible enough to handle any complex situation. With its unique ability to classify and apply rules to specific virtual objects, HyTrust Appliance breaks free of rigid, two-dimensional, role-based access controls and enables complex, higher-level use cases such as compliance and private cloud. This way you can separate security from management.
First and foremost, as a core element of the infrastructure, vCenter serves in a vital capacity for virtual infrastructure—the “brains” of the operation. As such it should be protected from threats. Even though vCenter has some built-in access control and capabilities, it is a security best practice to separate the management functions from the security functions so that vCenter does not become a single point of failure. Access should be limited not just from within vCenter but rather should be limited to vCenter. Placing vCenter behind the protection of HyTrust Appliance ensures that vCenter remains less vulnerable to improper access and can continue to serve in its primary management function without interruption.
Lastly, it is worth noting that vCenter was built from the ground up as a management application, not a security application. As such, vCenter was not built to provide the granularity in policy enforcement that is a requirement for more secure deployments. That lack of granularity in enforcement carries through to the logs, which are quite adequate for troubleshooting but lack the specificity demanded by auditors. vCenter also lacks a federated architecture, which again makes it susceptible to becoming a single point of failure and also makes it difficult to deploy consistent policies across a large enterprise.
I see this will become more and more viable for deployments in the financial, health care and government sectors because of the compliance and risk-reducing factors, but also for any business that can't be down for more than a day. This is something to truly think about: how much power a single person will get. So who do you give the power of a gun, and where do you let them point it at!
This new feature will be in the HyTrust 3.0 appliance, which will be released in October 2012. The HyTrust Appliance Enterprise Edition will be around $750 per CPU for each ESXi host.
A nice whitepaper by HyTrust in combination with Trend Micro about passing a compliance audit, Virtualize PCI-compliant Workloads with the Help of HyTrust and Trend Micro Deep Security, can be found here.
The (workflow) process of how Secondary Approval works is as follows:
An administrator tries to power off a critical database server, for instance, and gets an error message stating that secondary approval is required, so he/she goes and asks for secondary approval. Another person gets an e-mail stating that a request is waiting in the HyTrust Dashboard. After that person grants approval, which can be scheduled and even tied to specific dates and times, the requester gets a message that the request is approved or denied. He/she can then do the work and continue with the task.
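As an added illustration (not HyTrust's code), here is a small Python gate that models the labelled-object policy described earlier and the secondary-approval workflow just described: a power-off of a VM labelled "critical" is blocked until a different person approves it, optionally only inside a scheduled time window, each approval is usable once, and every step lands in an audit trail tied to a named user. The labels, operations and user names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Set, Tuple

# Constructed policy (not HyTrust's): "critical" objects need a second approver for these ops.
SECONDARY_APPROVAL: Dict[str, Set[str]] = {"critical": {"power_off", "delete"}}

@dataclass
class Request:
    requester: str
    op: str
    vm: str
    status: str = "pending"  # pending | approved | denied | used
    approver: Optional[str] = None
    window: Optional[Tuple[datetime, datetime]] = None  # approved time window, if any

class ApprovalGate:
    def __init__(self, labels: Dict[str, Set[str]]):
        self.labels = labels  # vm name -> labels attached to it
        self.requests: Dict[int, Request] = {}
        self.audit = []  # every step is logged and tied to a named person
    def needs_approval(self, op: str, vm: str) -> bool:
        return any(op in SECONDARY_APPROVAL.get(lbl, set()) for lbl in self.labels.get(vm, set()))
    def request(self, requester, op, vm) -> int:
        rid = len(self.requests) + 1
        self.requests[rid] = Request(requester, op, vm)
        self.audit.append(("requested", rid, requester, op, vm))
        return rid
    def decide(self, rid, approver, approve, window=None) -> bool:
        r = self.requests[rid]
        if approver == r.requester or r.status != "pending":  # two-person rule; decide only once
            self.audit.append(("rejected_decision", rid, approver))
            return False
        r.status, r.approver, r.window = ("approved" if approve else "denied"), approver, window
        self.audit.append((r.status, rid, approver))
        return True
    def execute(self, actor, op, vm, now: datetime, rid=None) -> bool:
        if not self.needs_approval(op, vm):
            self.audit.append(("executed", actor, op, vm))
            return True
        r = self.requests.get(rid)  # approval must exist, be unused, and match actor and action
        if r is None or r.status != "approved" or (r.requester, r.op, r.vm) != (actor, op, vm):
            self.audit.append(("blocked_needs_approval", actor, op, vm))
            return False
        if r.window and not (r.window[0] <= now <= r.window[1]):
            self.audit.append(("blocked_outside_window", actor, op, vm))
            return False
        r.status = "used"  # one-time approval
        self.audit.append(("executed", actor, op, vm, rid))
        return True
```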