HyTrust Logging Solution Brief: Gain Virtualization Compliance by Filling Log Data Gaps

Transcription

1 WHITE PAPER HyTrust Logging Solution Brief: Gain Virtualization Compliance by Filling Log Data Gaps

2 Summary Summary Compliance with PCI, HIPAA, FISMA, EU, and other regulations is as critical in virtualized and private cloud environments as it is in the traditional data center. The VMware platform provides some of the log data required to show compliance, but there are large logging gaps such as no unique user ID for every administrative operation and no records of denied operations that can only be filled with a purpose-built solution. HyTrust delivers the missing log data while securing virtual infrastructure access. Enterprises can now increase profitability by securely virtualizing workloads that must stay compliant.

3 Why HyTrust Virtualization Under Control HyTrust has become the de facto standard for access control and policy enforcement in VMware environments. By filling gaps in virtual infrastructure security and compliance, HyTrust gives enterprises the assurance they need to virtualize their mission critical applications and reap the associated financial benefits. HyTrust Appliance enforces role-based and asset-based policies covering VMware privileged users, resources, and management interfaces. The HyTrust approach to virtualizing Tier 1 workloads securely also includes comprehensive, audit-quality logging; stronger authentication for the VMware platform; and protections for virtual infrastructure integrity. 1

4 Your Challenge Your Challenge Many enterprises have virtualized, or want to virtualize, workloads subject to compliance requirements. Their goal is to extend the operational benefits and cost savings they ve received from virtualizing lower tier workloads. However, IT organizations that worked hard to make their data centers compliant are increasingly concerned about the potential for costly audit failures or compliance violations in their virtual environments. In addition, they often need to meet IT governance requirements, including passing internal audits, to get the security affirmation needed to virtualize Tier 1 workloads with compliance requirements. At the same time, enterprises are realizing that virtualization platform on its own has security and regulatory compliance limitations that can make virtualizing sensitive workloads a high risk proposition. Some enterprises have already failed a security audit because of an unmet requirement related to virtualization. Many compliance challenges in the virtual environment involve authentication and access control, which are primary requirements of most information security regulations. For instance, PCI DSS v2.0 has a section titled Implement Strong Access Control Measures with requirements categories Restrict access to cardholder data by business need to know (#7) and Assign a unique ID to each person with computer access (#8). The Health Insurance Portability and Accountability Act (HIPAA) includes requirements categories such as Information Access Management and Access Control. The National Institute of Standards and Technology (NIST) guidelines for the Federal Information Security Management Act (FISMA) includes control families Access Control and Identification and Authentication. These compliance categories usually have specific requirements for tracking administrative identity and activity. The PCI standard provides a representative list: Requirement for a documented approval by authorized parties specifying required privileges. Assign all users a unique ID before allowing them to access system components. Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user. Implement automated audit trails for all system components to reconstruct: All actions taken by any individual with root or administrative privileges Access to all audit trails Use of identification and authentication mechanisms Initialization of the audit logs Creation and deletion of system-level objects These requirements can only be fulfilled by compiling comprehensive, readily accessible logs of all activity by each administrative or privileged user of the virtual infrastructure. The logs must cover all use of the platform, including access through different management interfaces. The log data needed to prove compliance includes: Unique ID of the privileged user associated with every attempted operation Source IP address of each attempt Identities and before-and-after states of reconfigured resources such as virtual network adapters Records of denied or failed operations 2

5 Our Solutions Our Solution HyTrust Appliance records all the VMware privileged user log data needed to achieve compliance in the virtual environment. It creates an audit trail with the essential details of every successful and failed operation - conducted through any vsphere administrative interface - and associates a unique user ID with every record. HyTrust Appliance automatically compiles the logs from vcenter and all vsphere hosts in a uniform, easily accessible format. It then forwards the data to a central repository via syslog or to HP ArcSight, Splunk applications, RSA envision, or McAfee epolicy Orchestrator (epo) based on native integration with those SIEM and log management solutions. HyTrust logs a unique user ID for every permitted and denied operation, and records other essential information that auditors require to certify compliance In addition to providing a unique user ID for every event, HyTrust supplements the log data available from the virtualization platform with other information needed for compliance, including: Source IP addresses of operation attempts Hypervisor configuration changes Identities of reconfigured resources, including virtual machines, networks, and datastores Previous resource state New resource state Labels of virtual assets (e.g., Production or DMZ) Privileges required to conduct an operation Operation denials and failures, with additional details such as missing privileges 4

6 Your Challenge Enterprises are increasingly discovering that the vsphere platform does not give them this data. VMware privileged users typically share a root account, making it impossible to assign a unique user ID to every logged event. Furthermore, privileged users can completely bypass the platform s logging mechanisms in various ways, such as directly connecting to a host server via SSH. Relying on the platform s logging capabilities can also drain IT productivity. Logs compiled by the vcenter management application are in a different format than the logs on the hosts, and there is no mechanism for automatically compiling host logs in a central location. In addition, the platform lacks native integration with leading SIEM and log management applications such as HP ArcSight, Splunk, RSA envision, and McAfee epolicy Orchestrator (epo). This makes it difficult for the enterprise to gain a single view of security and compliance spanning the traditional data center, the virtual infrastructure, and private clouds. 3

7 Our Solutions When an enterprise uses HyTrust s unique Secondary Approval process to block a user s attempted operation until a designated party approves it, HyTrust Appliance logs the requestor and approver IDs, the date and time of the request whether the action was approved/denied, and the time window for executing an approved request. HyTrust s comprehensive log data also enables forensic analysis of possible security breaches in the virtual environment, promoting both privileged user accountability and a stronger overall security posture. This security benefit, along with primary HyTrust functions such as granular role- and asset-based access control, hypervisor configuration hardening, and support for two factor authentication, magnifies the compliance value HyTrust provides. HyTrust Appliance is pre-integrated with leading SIEM and log management solutions such as this Splunk dashboard By automating log processing and filling gaps in the virtualization platform s logs, HyTrust helps prevent costly audit failures and compliance violations while increasing virtualization operations productivity. For more information on how HyTrust enables greater virtualization of workloads that must stay compliant, visit questions to sales@hytrust.com, or call HyTrust at [ ] for a free consultation. 5