Feeds

HyTrust goes ballistic with virty compliance appliance

Locks down Vblock clouds

Remote control for virtualized desktops

VMworld 2012 The US Air Force doesn't let a single operator of a missile site launch a nuke all by his or her lonesome, and HyTrust, a maker of policy management and access control software for VMware virtual infrastructure, thinks IT shops should adopt the secondary approval rule for a lot of things that go on inside of the ESXi hypervisor and its vCenter management console.

"VMware has a great platform, which enables all kinds of neat stuff, but it can all be controlled by a single system admin who could take down all of the virtual infrastructure at the company either accidentally or maliciously," says Eric Chui, founder and president of HyTrust.

And don't think it hasn't happened. Chui cites the case of a disgruntled former employee at Shionogi Pharmaceuticals, who was laid off from the Japanese company but had left a backdoor into the corporate network. This former employee waited a few weeks, logged in from a hotspot at a local McDonalds, and shut down and deleted 88 virtual machines running at the company. The entire virtual infrastructure had to be rebuilt from tape.

To use another metaphor, most companies typically require a second signature on any checks above $5,000, and adding secondary approval to the VMware vSphere virtualization stack, which the new HyTrust 3.0 compliance appliance does, seems sensible. In fact, it is a wonder that such capability is not already in vCenter and the ESXi hypervisor or that VMware has not already snapped up HyTrust to add its tool to the vSphere stack.

A lot of companies are trying to implement two-person approval on big changes to virtual infrastructure through company policies, but Chui says it is much easier and obviously more effective (knowing the nature of people, who make mistakes or get irrational sometimes) to automate this in software.

The HyTrust appliance itself runs inside of an ESXi virtual machine, often on the same physical box that runs the vCenter management console for ESXi, and it intercepts all inbound and outbound traffic from vCenter and creates audit reports for what people are doing as well as acting as a traffic cop, giving access control to specific VMs as well as hypervisor and console features.

The prior HyTrust 2.5 appliance had object-based and role-based access controls for virty infrastructure, and now with HyTrust 3.0, the appliance is getting secondary approval workflows to make sure no one can go rogue. HyTrust Appliance 3.0 is also getting enhancements that let it secure multi-tenant clouds by beefing up virtual network segmentation.

The update also has a new labeling scheme that wraps around VMs and their applications and resources to keep admins from one part of a cloud from gaining access to another part of a cloud where they don't belong.

HyTrust Appliance 3.0 was developed against VMware's new ESXi 5.1 hypervisor, but has not been certified against it yet since that code is not shipping at the moment. A couple of months after the vSphere 5.1 stack has been in the field, HyTrust will roll out official support for ESXi 5.1. At the moment, HyTrust Appliance 3.0 can run against ESX 3.5, 4.0, 4.1, and 5.0 hypervisors in either the ESXi or ESX Server editions. (ESX Server, which embedded a management console inside the hypervisor, was discontinued with the 5.0 release.)

HyTrust no longer sells hardware appliances and only offers its code inside of a VM as a software appliance. The Community Edition is a full-featured compliance and access control freak but it is limited to a maximum of three ESX host systems.

The Enterprise Edition has no host limit and costs $750 per socket for a perpetual license, on top of which you pay for annual maintenance and tech support. The HyTrust console can run independently of vCenter, but there is a plug-in if you want to invoke HyTrust from within vCenter.

Chui tells El Reg that HyTrust is looking at supporting other server virtualization hypervisors as well as public clouds that sport non-VMware hypervisors as well as custom control freakage for future releases, but has made no commitment to offer such support at this time. This stands to reason with VMware providing about half of HyTrust's customer leads.

And a new partnership with the Virtual Computing Environment partnership between Cisco Systems and EMC similarly makes sense. "About 25 per cent of our pipeline is companies buying Vblocks," says Chui, "and they are usually large enterprises that are trying to take the build out of plan, build, and run as they stand up clouds."

Under the partnership with VCE, HyTrust is VCE's only go-to-market partner for access control and compliance auditing for Vblock clouds running VMware's ESXi hypervisor.

The HyTrust appliance knows how to integrate with Cisco's Unified Computing System modular systems and its on-board UCS Manager control freak as well as Nexus switches (physical or virtual), ESXi hypervisors and virtual switches, and MDS switches linking out to EMC storage arrays.

Vblocks are preconfigured stacks of Cisco and EMC hardware sold and supported by the VCE collective. At the moment, HyTrust is certified to work with Vblock Series 300 and Series 700 clouds. ®

Beginner's guide to SSL certificates

More from The Register

next story
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Azure TITSUP caused by INFINITE LOOP
Fat fingered geo-block kept Aussies in the dark
NASA launches new climate model at SC14
75 days of supercomputing later ...
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
Cloud unicorns are extinct so DiData cloud mess was YOUR fault
Applications need to be built to handle TITSUP incidents
BOFH: WHERE did this 'fax-enabled' printer UPGRADE come from?
Don't worry about that cable, it's part of the config
Stop the IoT revolution! We need to figure out packet sizes first
Researchers test 802.15.4 and find we know nuh-think! about large scale sensor network ops
SanDisk vows: We'll have a 16TB SSD WHOPPER by 2016
Flash WORM has a serious use for archived photos and videos
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.