HyTrust: Solution Brief. Solve the Nosy Neighbor Problem in Multi-Tenant Environments

Summary

A private cloud with multiple tenants, such as business units of an enterprise or customers of a cloud service provider, sharing virtualized computing resources offers a potentially high ROI to all parties. To achieve the financial promise of multi-tenant private clouds, the costly practice of air gapping servers and network segments must be replaced with logical segmentation and strong virtual infrastructure access controls. By default, VMware vSphere privileged users have powerful privileges that undermine workload isolation, and neither the virtualization platform nor traditional security measures overcome this vulnerability. HyTrust solves these problems by enforcing access control policies for vSphere users and encrypting virtualized resources, effectively segmenting virtual networks and thoroughly isolating each tenant's critical applications and data. Enterprises can now accelerate adoption of private clouds and increase profitability without risking unauthorized user access to any tenant's workloads.

HyTrust: Cloud Under Control

HyTrust has become the de facto standard for access control, logging, and policy enforcement in VMware environments. By filling gaps in virtual infrastructure security and compliance, HyTrust gives enterprises the assurance they need to virtualize their mission-critical applications, implement private clouds, pass security audits, and reap the financial benefits of increased virtualization. HyTrust CloudControl enforces role-based and asset-based policies covering VMware privileged users, virtual resources, and management interfaces. It also secures the vSphere platform and virtualized workloads by providing virtual network segmentation; comprehensive, audit-quality access logs; strong authentication; and virtual infrastructure hardening. HyTrust DataControl provides strong encryption and integrated key management for virtual machines from the time they are created until they are securely decommissioned.

Cloud Under Control 1

YOUR CHALLENGE

Interest in private and hybrid cloud adoption is surging because clouds offer large operational and financial benefits. By sharing application, compute, and network resources in a virtualized environment, business units and cloud service providers (CSPs) can boost IT speed and efficiency, business agility, resource utilization, and profitability. To achieve these benefits without taking on unmitigated risks, cloud tenants' critical applications and confidential data must be as secure and compliant as they have been in the traditional data center. In particular, every tenant's workloads must be completely isolated from every other tenant's workloads and administrators. To use a VMware expression, the cloud provider must prevent "nosy neighbors" from tampering with any tenant's virtualized assets.

Putting air gaps between servers and network segments was once an effective way of isolating critical applications. Today, air gapping's poor resource utilization would take an unacceptably large bite out of the ROI of a multi-tenant private cloud. The economics of the cloud require highly efficient logical segmentation and isolation of tenant workloads. The dynamic nature of cloud environments also requires that logical segmentation be policy-based and automated.

Effectively isolating workloads in the cloud requires:
- Preventing unauthorized communications between one cloud tenant's virtual machines (VMs) and virtual networks and any other tenant's resources.
- Preventing any tenant's vSphere privileged users from either exposing their own workloads to others (accidentally or intentionally) or gaining unauthorized access to another tenant's workloads.
- Logging all virtual infrastructure administrative activity per tenant to ensure compliance.
- Providing granular encryption to secure the data at rest.

A major challenge for cloud architects is that the vSphere platform doesn't provide the access control and infrastructure segmentation granularity that are essential for isolating critical workloads. vSphere users typically have extensive administrative privileges that allow them to conduct high-impact operations on other tenants' virtual resources. For example, an administrator can connect one tenant's virtual network to another's, a major vulnerability and compliance violation for most enterprises. The virtualization platform cannot automatically enforce policies limiting user access to specific resources in multi-tenant environments.

In addition, vSphere users can act anonymously by sharing a root account or by using a management interface that does not log their activity, such as an SSH direct-to-host connection. An administrator can clone a VM holding another tenant's sensitive data, for instance, knowing that the action can't be traced back to them. Enterprise cloud owners and CSPs must be able to monitor and record each vSphere user's activity at all times in order to ensure accountability and prove compliance with regulations.

Like the virtualization platform, traditional firewalls do not mitigate these visibility and control risks. In particular, they ensure neither tenant-level segmentation of network and other virtualized resources nor access management.

THE HYTRUST SOLUTION

HyTrust makes secure multi-tenancy possible by closing gaps in virtual infrastructure access control, network segmentation, and logging, as well as adding critical data security through encryption. By doing so, it fulfills the requirements for effective workload isolation described above: preventing unauthorized communications, preventing unauthorized access, and logging all administrative activity. Enterprises can now move forward with private and hybrid cloud adoption plans knowing that their critical applications and data are truly isolated from other tenants' users and virtual environments.

HyTrust CloudControl labels each tenant's virtualized resources and enforces policies based on those labels to ensure strict isolation of each tenant's resources.

HyTrust CloudControl sits between vSphere privileged users and all management interfaces to the virtualization infrastructure. From this central vantage point, it intercepts and logs all administrative requests and enforces role- and resource-based policies that protect workloads from unauthorized access. If a vSphere network administrator attempts to connect any VM to an inappropriate network segment, HyTrust CloudControl will deny the request. If an administrator tries to move a PCI VM from a cluster meant for PCI-regulated workloads to a non-PCI cluster, HyTrust CloudControl will deny the attempt.

HyTrust CloudControl's fine-grained policies can prevent any vSphere user other than a tenant's own users from conducting any operations on the tenant's VMs. In addition, virtual asset-specific controls can protect individual workloads from isolation-breaking acts. Through a unique method of labeling virtual assets and enforcing policies governing changes to those assets, HyTrust CloudControl allows multiple entities to have complete control over their own slices of the infrastructure without compromising the integrity of their neighbors' workloads. If an administrator attempts an operation on a PCI virtual machine, such as reconfiguring the network to a non-PCI network, HyTrust CloudControl denies the attempt based on the virtual machine's attributes.

HyTrust CloudControl's logging remedies several virtualization platform weaknesses. It centrally records every action attempted by every vSphere user of every tenant through any management interface. HyTrust logs contain considerably more detail than platform logs, including source IP addresses and records of failed and denied attempts. Most importantly, HyTrust CloudControl establishes accountability and a dependable audit trail by tying every record to the unique ID of the user who attempted the operation. Resource labeling enables HyTrust to log the tenant and virtualized resource associated with every request. Enterprises and CSPs can use the data to create per-tenant and per-asset reports. This information can be essential for compliance with the specific logging requirements of major regulations and can make incident response, forensic analysis, and audit support much faster and more efficient.

HyTrust DataControl addresses another critical area of concern in shared infrastructure: the security of the data itself. Virtual machines are dynamic and highly mobile. They are also easily replicated and copied, so it is critical that the data they contain is only accessible to those who need to see it. HyTrust encryption is operationally transparent, and automatically detects whether hardware acceleration (AES-NI) is available, ensuring hardware encryption speeds. HyTrust's policy-based key management is easy to deploy and use. Most HyTrust customers prefer to keep key management in house, but HyTrust's hardened virtual appliance can also be deployed in a high-availability configuration in the cloud.

With HyTrust, enterprises and CSPs can run mission-critical workloads in multi-tenant environments without concerns about nosy neighbors breaching their security or causing compliance violations. They can dispense with costly air gapping and close the functionality gaps that prevent the virtualization platform from providing strict workload isolation. Most importantly, they can achieve the operational agility, cost savings, and ROI available from the cloud without taking on unacceptable risks.

For more information on how HyTrust enables greater virtualization of workloads that must stay compliant, visit www.hytrust.com, email questions to sales@hytrust.com, or call HyTrust at 650-681-8100 for a free consultation.
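As an added illustration (example code written for this page, not HyTrust's product code), the following Python sketch models the label-based enforcement point and audit trail described above: each vSphere object carries a tenant and an optional PCI label, every administrative request is checked against three rules (a user may act only on their own tenant's assets, no resource may be joined to another tenant's, and a PCI-labelled VM may only be attached to PCI-labelled networks or clusters), and every attempt, denied ones included, is logged under the user's unique ID with its source IP so per-tenant reports can be produced. The asset names, labels, IP addresses and rule wording are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Asset:  # a labelled vSphere object: VM, network (port group) or cluster
    name: str
    kind: str
    tenant: str
    labels: frozenset = frozenset()

@dataclass(frozen=True)
class Request:  # one administrative request as seen at the enforcement point
    user: str         # unique user ID, never a shared root account
    user_tenant: str  # tenant this user belongs to
    source_ip: str
    operation: str    # e.g. "connect_network", "migrate", "clone"
    target: Asset
    destination: Optional[Asset] = None

AUDIT = []  # every attempt is recorded here, denied ones included

def _decide(req):
    # Rule 1: a tenant's users may only operate on that tenant's assets.
    if req.user_tenant != req.target.tenant:
        return False, "cross-tenant access to " + req.target.name
    if req.destination is None:
        return True, "in-tenant operation"
    # Rule 2: never join one tenant's resource to another tenant's.
    if req.destination.tenant != req.target.tenant:
        return False, "destination belongs to another tenant"
    # Rule 3: a PCI-labelled VM may only attach to PCI-labelled resources.
    if "pci" in req.target.labels and "pci" not in req.destination.labels:
        return False, "PCI workload to non-PCI " + req.destination.kind
    return True, "labels match"

def evaluate(req):
    """Decide, then log the attempt under the user's unique ID; returns (allowed, reason)."""
    allowed, reason = _decide(req)
    AUDIT.append({"user": req.user, "src_ip": req.source_ip, "tenant": req.target.tenant,
                  "asset": req.target.name, "op": req.operation,
                  "result": "ALLOW" if allowed else "DENY", "reason": reason})
    return allowed, reason

def tenant_report(tenant):  # per-tenant slice of the audit trail
    return [e for e in AUDIT if e["tenant"] == tenant]

# Constructed sample inventory (not real data): tenant A has PCI and dev segments.
PCI = frozenset({"pci"})
vm_a = Asset("a-pay01", "vm", "tenantA", PCI)
net_a_pci = Asset("a-pci-net", "network", "tenantA", PCI)
net_a_dev = Asset("a-dev-net", "network", "tenantA")
cluster_a_dev = Asset("a-dev-cluster", "cluster", "tenantA")
```

Calling `evaluate` with a request that reconfigures `vm_a` onto `net_a_dev`, or migrates it to `cluster_a_dev`, is denied by Rule 3 and still lands in `AUDIT`, which is the behaviour the brief attributes to CloudControl.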