HyTrust goes ballistic with virty compliance appliance

Locks down Vblock clouds

VMworld 2012 The US Air Force doesn't let a single operator at a missile site launch a nuke all by his or her lonesome, and HyTrust, a maker of policy management and access control software for VMware virtual infrastructure, thinks IT shops should adopt the same secondary approval (two-person) rule for a lot of what goes on inside the ESXi hypervisor and its vCenter management console.

"VMware has a great platform, which enables all kinds of neat stuff, but it can all be controlled by a single system admin who could take down all of the virtual infrastructure at the company either accidentally or maliciously," says Eric Chiu, founder and president of HyTrust.

And don't think it hasn't happened. Chiu cites the case of a disgruntled former employee at Shionogi Pharmaceuticals, who had been laid off by the Japanese company but had left himself a backdoor into the corporate network. He waited a few weeks, logged in from a Wi-Fi hotspot at a local McDonald's, and shut down and deleted 88 virtual machines running at the company. The entire virtual infrastructure had to be rebuilt from tape.

To use another metaphor, many companies require a second signature on any cheque above a threshold such as $5,000, and adding the same secondary approval to the VMware vSphere virtualization stack, which the new HyTrust 3.0 compliance appliance does, seems sensible. In fact, it is a wonder that such a capability is not already built into vCenter and the ESXi hypervisor, or that VMware has not already snapped up HyTrust to add its tool to the vSphere stack.

A lot of companies try to implement two-person approval for big changes to virtual infrastructure through written policy alone, but Chiu says it is much easier, and obviously more effective given that people make mistakes and occasionally act irrationally, to enforce it in software.

The HyTrust appliance itself runs as a virtual machine on ESXi, often on the same physical box that hosts the vCenter management console, and sits inline as a proxy: management traffic to and from vCenter passes through it, so it can produce audit reports of what people are doing and also act as a traffic cop, granting or denying access to specific VMs and to hypervisor and console features. As with any inline proxy, the control is only as strong as the network design around it: admins must have no path to vCenter or to the hosts that bypasses the appliance.

The prior HyTrust 2.5 appliance had object-based and role-based access controls for virty infrastructure, and now with HyTrust 3.0 the appliance gains secondary approval workflows so that no single admin can go rogue. HyTrust Appliance 3.0 also gets enhancements for securing multi-tenant clouds by beefing up virtual network segmentation.

The update also adds a labeling scheme that wraps VMs, their applications and their resources, so that admins from one part of a cloud cannot reach another part of the cloud where they don't belong.
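As an added example, not HyTrust's code and no claim about how the appliance is built internally, the following Python sketch puts the controls described in the last few paragraphs side by side: an inline broker that applies a tenant label check and a role check to every request, holds destructive operations until a second, distinct approver from the same tenant signs off, and writes every decision to an audit trail. The operation names, principals and object labels are constructed sample data, and "vm-admin" and "approver" are hypothetical role names.

```python
import itertools
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List, Optional

# Operations the broker refuses to forward until a second, distinct approver
# has signed off. Operation names are constructed for this example.
DESTRUCTIVE_OPS = {"vm.delete", "vm.poweroff", "host.shutdown", "vswitch.delete"}

Request = namedtuple("Request", "id requester op target")

@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset   # hypothetical role names, e.g. {"vm-admin", "approver"}
    tenant: str        # label of the cloud segment this admin may touch

class ApprovalBroker:
    """Stands in for the inline proxy: every management action goes through
    submit()/approve(), so every decision lands in self.audit."""

    def __init__(self, principals, object_labels):
        self.principals = {p.name: p for p in principals}
        self.labels = object_labels            # object name -> tenant label
        self.pending: Dict[int, Request] = {}
        self.audit: List[str] = []
        self._ids = itertools.count(1)

    def _authorize(self, who: str, target: str) -> Optional[str]:
        # Tenant label check first, then role check; None means allowed.
        p = self.principals.get(who)
        if p is None:
            return "unknown principal"
        label = self.labels.get(target)
        if label is None:
            return "unknown target"
        if label != p.tenant:
            return "tenant label mismatch"
        if "vm-admin" not in p.roles:
            return "role lacks permission"
        return None

    def submit(self, who: str, op: str, target: str) -> tuple:
        reason = self._authorize(who, target)
        if reason:
            self.audit.append(f"DENY {who} {op} {target}: {reason}")
            return ("denied", reason)
        if op not in DESTRUCTIVE_OPS:
            self.audit.append(f"ALLOW {who} {op} {target}")
            return ("executed", None)
        req = Request(next(self._ids), who, op, target)
        self.pending[req.id] = req
        self.audit.append(f"PENDING #{req.id} {who} {op} {target}")
        return ("pending", req.id)

    def approve(self, approver: str, req_id: int) -> tuple:
        req = self.pending.get(req_id)
        p = self.principals.get(approver)
        if req is None:
            reason = "no such pending request"
        elif p is None or "approver" not in p.roles:
            reason = "approver role required"
        elif approver == req.requester:
            reason = "self-approval forbidden"      # the two-person rule itself
        elif p.tenant != self.labels[req.target]:
            reason = "approver outside tenant"
        else:
            reason = None
        if reason:
            self.audit.append(f"DENY approve #{req_id} by {approver}: {reason}")
            return ("denied", reason)
        del self.pending[req_id]
        self.audit.append(f"EXECUTE #{req_id} {req.op} {req.target} "
                          f"requested by {req.requester}, approved by {approver}")
        return ("executed", None)

def demo() -> dict:
    """Runs a constructed scenario and returns each outcome plus the audit log."""
    broker = ApprovalBroker(
        principals=[
            Principal("alice", frozenset({"vm-admin", "approver"}), "finance"),
            Principal("bob",   frozenset({"vm-admin", "approver"}), "finance"),
            Principal("carol", frozenset({"vm-admin"}),             "hr"),
            Principal("dave",  frozenset({"approver"}),             "hr"),
        ],
        object_labels={"vm-payroll-01": "finance", "esx-host-03": "finance"},
    )
    out = {}
    out["routine"] = broker.submit("alice", "vm.poweron", "vm-payroll-01")
    out["destructive"] = broker.submit("alice", "vm.delete", "vm-payroll-01")
    out["self_approve"] = broker.approve("alice", 1)
    out["peer_approve"] = broker.approve("bob", 1)
    out["cross_tenant"] = broker.submit("carol", "vm.delete", "vm-payroll-01")
    out["second"] = broker.submit("alice", "host.shutdown", "esx-host-03")
    out["foreign_approver"] = broker.approve("dave", 2)
    out["audit"] = broker.audit
    return out
```

The point of routing everything through one object is the same as for the appliance: a routine power-on goes straight through, a delete is parked until someone other than the requester approves it, an admin labeled for one tenant is refused on another tenant's objects even before roles are consulted, and the audit list records the denials as well as the executions.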

HyTrust Appliance 3.0 was developed against VMware's new ESXi 5.1 hypervisor, but has not been certified against it yet because that code is not shipping at the moment. A couple of months after the vSphere 5.1 stack has been in the field, HyTrust will roll out official support for ESXi 5.1. At the moment, HyTrust Appliance 3.0 supports the 3.5, 4.0 and 4.1 hypervisors in both the ESX Server and ESXi editions, plus ESXi 5.0. (ESX Server, which shipped with a Linux-based service console alongside the hypervisor, was discontinued with the 5.0 release, leaving ESXi as the only edition.)

HyTrust no longer sells hardware appliances and only offers its code inside a VM as a software appliance. The Community Edition is a full-featured compliance and access control freak, but it is limited to a maximum of three ESX hosts.

The Enterprise Edition has no host limit and costs $750 per socket for a perpetual license, on top of which you pay for annual maintenance and tech support. The HyTrust console can run independently of vCenter, but there is a plug-in if you want to invoke HyTrust from within vCenter.

Chiu tells El Reg that HyTrust is looking at supporting other server virtualization hypervisors, as well as public clouds that sport non-VMware hypervisors and their own custom control freakage, in future releases, but has made no commitment to offer such support at this time. This stands to reason, given that VMware provides about half of HyTrust's customer leads.

And a new partnership with VCE, the Virtual Computing Environment joint venture between Cisco Systems and EMC, similarly makes sense. "About 25 per cent of our pipeline is companies buying Vblocks," says Chiu, "and they are usually large enterprises that are trying to take the build out of plan, build, and run as they stand up clouds."

Under the partnership with VCE, HyTrust is VCE's only go-to-market partner for access control and compliance auditing for Vblock clouds running VMware's ESXi hypervisor.

The HyTrust appliance knows how to integrate with Cisco's Unified Computing System (UCS) modular servers and their on-board UCS Manager control freak, as well as Nexus switches (physical or virtual), ESXi hypervisors and their virtual switches, and the MDS Fibre Channel switches linking out to EMC storage arrays.

Vblocks are preconfigured stacks of Cisco and EMC hardware sold and supported by the VCE collective. At the moment, HyTrust is certified to work with Vblock Series 300 and Series 700 clouds. ®
