QTS Leverages HyTrust to Build a FedRAMP Compliant Cloud

Transcription

1 CASE STUD QTS Leverages HyTrust to Build a FedRAMP Compliant Cloud The technology and expertise provided by HyTrust dramatically simplified the process of preparing for our FedRAMP certification. HyTrust added key administrative control and visibility into our virtual infrastructure, along with comprehensive and granular auditing. I wish deployments with all vendors went as smoothly as ours did with HyTrust. - Randall Poole, VP Cloud Services About QTS QTS has built a national portfolio of world-class data centers supported by best-in-class technology, infrastructure, and equipment as the foundation for their services. QTS owns, operates and manages facilities coast-to-coast encompassing approximately 4.7 million square feet of secure, state-of-the-art data center infrastructure supporting more than 850 customers. Their robust, redundant, fiber-rich facilities are strategically located in or near many of the nation s most important data center markets. In late 2012, QTS began an initiative to expand their business, adding two key cloud Infrastructure as a Service (IaaS) offerings: one targeted for commercial enterprises, and one for government, which would be FedRAMP certified. The Challenge QTS was building four VMware-based virtualized datacenters that would support their cloud offerings. QTS recognized that virtualized infrastructure Page 1

2 CASE STUD requires different security. Because virtualization and cloud infrastructure collapse applications, network and storage into a single software layer, administrators of this environment typically have very broad privileges. QTS understood this concentration of risk, and wanted to achieve the tightest security possible for their employees, and their customers. The company also wanted to enhance their security posture and offerings for commercial customers, and ensure their environment would achieve FedRAMP compliance. QTS chose HyTrust to provide these additional layers of administrative control and visibility: Predictive protection to improve controls over what administrators can and can t do Better isolation and compartmentalization within their mission critical and highly regulated virtual infrastructure Proactive increase in virtualization hardening, security posture and auditing Reduced risk of data center downtime, or destruction of data/intellectual property Securing the Next-Generation Datacenter with HyTrust QTS built out four new datacenter environments to support their cloud initiatives. The underlying hardware includes Cisco UCS servers with EMC storage and leveraging VMware for server virtualization. Two datacenters are allocated for a fully redundant, high availability and FedRAMP-compliant cloud, and the other two for a highly secure commercial cloud offering. HyTrust Improves Security, Simplifies FedRAMP Compliance HyTrust CloudControl is a virtual appliance deployed as a control point between administrative traffic from all protocols, including VIC, SSH or a web UI, and vcenter and ESXi hosts. CloudControl added a number of capabilities that were critical for FedRAMP compliance, including: Page 2

3 CASE STUD Platform hardening: HyTrust CloudControl offers a range of templates that are used to harden the hypervisor. If the platform drifts from these recommended settings, CloudControl will automatically notify the appropriate administrator and reset the platform according to the template. QTS leveraged HyTrust s FedRAMP template for their implementation. Create compartmentalization and administrative multi-tenancy: This will help protect vcloud Director assets from accidental misconfiguration or compromise. CloudControl s unique tag-based access controls (TBAC) allow QTS to tag or label certain assets, ensuring that they can only be managed by the appropriate administrator. Improved log quality: CloudControl better captures vcenter and ESXi administrative functions by providing better visibility into actions and attempted actions. CloudControl s granular, user-specific log records can be used for regulatory compliance, troubleshooting, and forensic analysis. HyTrust CloudControl records not only valid requests but also invalid attempts, which are critical for security purposes. Additionally, every request is tied to the identity of a specific user and all relevant information actual request, source IP, target IP, etc. is collected. With QTS, CloudControl is configured to feed log data directly to Splunk, their enterprise SIEM tool, further automating their security practices. Centralized Authentication: QTS is able to mitigate backdoor acess to ESXi hosts by centralizing authentication vcenter and ESXi hosts through CloudControl. Page 3

4 CASE STUD Exceptional Deployment and Customer Service Over and above the security capabilities enabled by CloudControl, QTS also experienced a smooth process for piloting the system, and for moving it into production. Further, the HyTrust technical team created a FedRAMP matrix that clearly explained how HyTrust helped QTS address 27 specific requirements of the FedRAMP guidelines (see appendix A for the full matrix.) As QTS expands their services, the company will look to implement additional HyTrust capabilities including Secondary Authorization (aka., the two-person rule). In most of the major breaches in 2013 and 2014, the compromise of an insider account was the initial point of entry into the network. Secondary authorization can ensure that sensitive actions such as deleting or copying a virtual machine require the approval of a manager or other authority. Alerts and automation are built into the process, so if approval is given, CloudControl will automatically proceed with the requested action. Conclusion In today s increasingly harsh security climate, Cloud Service Providers not only need to consider compliance, but also security. Administrative control and visibility is largely overlooked in most virtualized infrastructures, and QTS recognized the importance of filling this important security gap. Not only does this simplify compliance with FedRAMP, but the company also implemented these best practices with their commercial IaaS offering, which enables QTS to serve even highly securitysensitive customers. About HyTrust HyTrust is the Cloud Security Automation company. Its virtual appliances provide the essential foundation for cloud control, visibility, data security, management and compliance. HyTrust mitigates the risk of breach or catastrophic failure especially in light of the concentration of risk that occurs within virtualization and cloud environments. Organizations can now confidently take full advantage of the cloud, and even broaden deployment to mission-critical applications. The company is backed by top tier investors VMware, Cisco, Intel, In-Q-Tel, Fortinet, Granite Ventures, Trident Capital and Epic Ventures; its partners include VMware, VCE, Symantec, CA, McAfee, Splunk; HP Arcsight, Accuvant, RSA and Intel. For More Information To learn more about HyTrust, visit or contact us at Page 4

5 Appendix A Control No. Control Name HyTrust Implemented FedRAMP Control HyTrust Feature Description AC-2 AC-3 AC-3 (3) AC-4 AC-5 AC-6 AC-6 (2) AC-10 AC-16 AU-2 AU-3 AU-6 AU-8 (1) AU-10 AU-12 CA-7 CM-2 CM-3 CM-5 CM-6 CM-6 (3) CM-8 (3) IA-5 IA-5 (1) SC-5 SC-10 SI-3 Account Management Access Enforcement Access Enforcement Mandatory Access Control Information Flow Enforcement Separation Of Duties Least Privilege Least Privilege Non-Privileged Access For Nonsecurity Functions Concurrent Session Control Security Attributes Audit Events Content Of Audit Records Audit Review, Analysis, And Reporting Time Stamps Synchronization With Authoritative Time Source Non-Repudiation Audit Generation Continuous Monitoring Baseline Configuration Configuration Change Control Access Restrictions For Change Configuration Settings [Withdrawn: Incorporated Into Si-7]. Information System Component Inventory Automated Unauthorized Component Detection Authenticator Management Authenticator Management Password-Based Authentication Denial Of Service Protection Network Disconnect - *Added From Ac-12 Malicious Code Protection Two-Factor Auth, RPV, Infrastructure Segmentation, Secondary Approval RBAC, Secondary Approval RBAC Secondary Approval RBAC, Secondary Approval Security Template, RBAC, Secondary Approval Security Template Security Template Labeling, exportable to SIEM Two-Factor Authentication, Root Password Vaulting, Real Time Alerting RBAC, Real Time Alerting, Hypervisor Access Control by Protocol and IP Platform Integrity w/ Intel TXT Platform Integrity w/ Intel TXT and Hypervisor Access Control by Protocol and IP Page 5