With more and more workloads (applications and data) virtualized and cloudinized the need for patrolling the border with Hytrust Boundary Controls is desperately needed. Virtualization and the cloud make data security more complicated. Virtual machines are by nature dynamic and highly portable. The benefits of virtual machines are also its biggest risk! Because they are simply a set of files (encapsulation). They can be spun up, suspended, copied, or deleted with ease. Further, they contain everything needed to run an application or workload, largely independent of the underlying hardware (Decoupling). Historically, there has been no automated way to ensure these workloads can only be instantiated on a specific, designated, or trusted server, in a trusted location.

Patrolling the Cloud border with HyTrust Boundary Controls

With HyTrust Boundary Controls, customers can now set policies so that virtualized applications can only run on proven, trusted hosts, that are physically located within the defined parameters. This can significantly reduce the potential for theft or misuse of sensitive data or violation of regulatory compliance laws. The foundation for Boundary Controls is rooted in Intel Trusted Execution Technology (Intel TXT): Intel TXT provides processor level attestation of the hardware, BIOS and hypervisor, allowing sensitive workloads to run on a trusted platform. HyTrust, leveraging jointly-developed tools and solution components built on this root of trust, now has capabilities to securely store and propagate an asset/location descriptor that gives administrators control over where workloads can be executed. Intel TXT helps verify platform trust status. HyTrust policies can enforce that sensitive virtual workloads only run on trusted systems.

With HyTrust CloudControl TM 4.0, customers can assign labels that bind a virtual machine to a predefined location – such as a specific data-center or within a country boundary. If the virtual machine is copied or moved outside of this location, it simply will not run. This is done by VM Geo-Fencing which allows certain virtual servers to be run only on hardware in a specific location. With HyTrust DataControl TM 2.5, an additional policy around encryption is added. Customers are ensured that data cannot be decrypted in the event the VM is moved outside of defined parameters. This reduces the possibility of theft or accidental exposure of sensitive or regulated data.

In summary there are three primary factors driving the need for Boundary Controls in the cloud.

  1. Geographical Mandates: There are a burgeoning number of privacy and data sovereignty laws – such as those in Australia, Canada and Europe – that require that data stay within country borders. As organizations expand their cloud deployments, they are increasingly concerned about how easily virtualized data sets can be moved across geographies, national boundaries, or legal jurisdictions.
  2. Zoning: Organizations have traditionally kept data of different risk classifications physically separate by “air gapping” servers and applications. As companies adopt virtualization and cloud computing for mission-critical or regulated applications, they seek ways to create secure zones and enclaves within this consolidated infrastructure.
  3. Availability and Uptime: Human error accounts for a significant percentage of datacenter downtime. Virtualization makes it easier for simple errors to have far-reaching impact — a virtual machine can be suspended or deleted in a mouse click. If that VM is running your credit card processing system, the implications and cost can be enormous. IT organizations consistently seek to ensure availability; and for cloud service providers, uptime is also mission critical.