Feeds

HyTrust goes ballistic with virty compliance appliance

Locks down Vblock clouds

Top three mobile application threats

VMworld 2012 The US Air Force doesn't let a single operator of a missile site launch a nuke all by his or her lonesome, and HyTrust, a maker of policy management and access control software for VMware virtual infrastructure, thinks IT shops should adopt the secondary approval rule for a lot of things that go on inside of the ESXi hypervisor and its vCenter management console.

"VMware has a great platform, which enables all kinds of neat stuff, but it can all be controlled by a single system admin who could take down all of the virtual infrastructure at the company either accidentally or maliciously," says Eric Chui, founder and president of HyTrust.

And don't think it hasn't happened. Chui cites the case of a disgruntled former employee at Shionogi Pharmaceuticals, who was laid off from the Japanese company but had left a backdoor into the corporate network. This former employee waited a few weeks, logged in from a hotspot at a local McDonalds, and shut down and deleted 88 virtual machines running at the company. The entire virtual infrastructure had to be rebuilt from tape.

To use another metaphor, most companies typically require a second signature on any checks above $5,000, and adding secondary approval to the VMware vSphere virtualization stack, which the new HyTrust 3.0 compliance appliance does, seems sensible. In fact, it is a wonder that such capability is not already in vCenter and the ESXi hypervisor or that VMware has not already snapped up HyTrust to add its tool to the vSphere stack.

A lot of companies are trying to implement two-person approval on big changes to virtual infrastructure through company policies, but Chui says it is much easier and obviously more effective (knowing the nature of people, who make mistakes or get irrational sometimes) to automate this in software.

The HyTrust appliance itself runs inside of an ESXi virtual machine, often on the same physical box that runs the vCenter management console for ESXi, and it intercepts all inbound and outbound traffic from vCenter and creates audit reports for what people are doing as well as acting as a traffic cop, giving access control to specific VMs as well as hypervisor and console features.

The prior HyTrust 2.5 appliance had object-based and role-based access controls for virty infrastructure, and now with HyTrust 3.0, the appliance is getting secondary approval workflows to make sure no one can go rogue. HyTrust Appliance 3.0 is also getting enhancements that let it secure multi-tenant clouds by beefing up virtual network segmentation.

The update also has a new labeling scheme that wraps around VMs and their applications and resources to keep admins from one part of a cloud from gaining access to another part of a cloud where they don't belong.

HyTrust Appliance 3.0 was developed against VMware's new ESXi 5.1 hypervisor, but has not been certified against it yet since that code is not shipping at the moment. A couple of months after the vSphere 5.1 stack has been in the field, HyTrust will roll out official support for ESXi 5.1. At the moment, HyTrust Appliance 3.0 can run against ESX 3.5, 4.0, 4.1, and 5.0 hypervisors in either the ESXi or ESX Server editions. (ESX Server, which embedded a management console inside the hypervisor, was discontinued with the 5.0 release.)

HyTrust no longer sells hardware appliances and only offers its code inside of a VM as a software appliance. The Community Edition is a full-featured compliance and access control freak but it is limited to a maximum of three ESX host systems.

The Enterprise Edition has no host limit and costs $750 per socket for a perpetual license, on top of which you pay for annual maintenance and tech support. The HyTrust console can run independently of vCenter, but there is a plug-in if you want to invoke HyTrust from within vCenter.

Chui tells El Reg that HyTrust is looking at supporting other server virtualization hypervisors as well as public clouds that sport non-VMware hypervisors as well as custom control freakage for future releases, but has made no commitment to offer such support at this time. This stands to reason with VMware providing about half of HyTrust's customer leads.

And a new partnership with the Virtual Computing Environment partnership between Cisco Systems and EMC similarly makes sense. "About 25 per cent of our pipeline is companies buying Vblocks," says Chui, "and they are usually large enterprises that are trying to take the build out of plan, build, and run as they stand up clouds."

Under the partnership with VCE, HyTrust is VCE's only go-to-market partner for access control and compliance auditing for Vblock clouds running VMware's ESXi hypervisor.

The HyTrust appliance knows how to integrate with Cisco's Unified Computing System modular systems and its on-board UCS Manager control freak as well as Nexus switches (physical or virtual), ESXi hypervisors and virtual switches, and MDS switches linking out to EMC storage arrays.

Vblocks are preconfigured stacks of Cisco and EMC hardware sold and supported by the VCE collective. At the moment, HyTrust is certified to work with Vblock Series 300 and Series 700 clouds. ®

High performance access to file storage

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Kingston DataTraveler MicroDuo: Turn your phone into a 72GB beast
USB-usiness in the front, micro-USB party in the back
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Inside the Hekaton: SQL Server 2014's database engine deconstructed
Nadella's database sqares the circle of cheap memory vs speed
BOFH: Oh DO tell us what you think. *CLICK*
$%%&amp Oh dear, we've been cut *CLICK* Well hello *CLICK* You're breaking up...
Just what could be inside Dropbox's new 'Home For Life'?
Biz apps, messaging, photos, email, more storage – sorry, did you think there would be cake?
AMD's 'Seattle' 64-bit ARM server chips now sampling, set to launch in late 2014
But they won't appear in SeaMicro Fabric Compute Systems anytime soon
Amazon reveals its Google-killing 'R3' server instances
A mega-memory instance that never forgets
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.