HYTRUST SOLUTION FOR VBLOCK INFRASTRUCTURE PLATFORMS


www.vce.com

February 2012

2012 VCE Company, LLC. All Rights Reserved.

Contents

Introduction ... 3
  Business Case ... 3
  Solution ... 3
  Key Benefits ... 4
  Scope ... 4
  Audience ... 4
  Feedback ... 4
Technology Overview ... 5
  Vblock Infrastructure Platforms ... 5
  Balancing Convergence and Separation of Duties ... 5
  Security Ecosystem ... 5
  HyTrust Appliance ... 5
Solution Architecture ... 7
  Overview ... 7
  Vblock Series 700 model MX ... 7
  Physical Architecture ... 9
  Logical Architecture ... 10
  Design Considerations ... 11
  Configuration ... 12
Validation ... 13
  Overview ... 13
  Use Cases ... 13
    Use Case #1 Unified Authentication ... 13
    Use Case #2 Unified Authorization ... 14
    Use Case #3 Unified Logging ... 14
    Use Case #4 Redundant Operation ... 15
    Use Case #5 Enterprise Ready ... 15
    Use Case #6 RSA ... 16
    Use Case #7 Negative Testing ... 16
Conclusion ... 18
Appendix 1: Microsoft Active Directory Groups ... 19

Introduction

Business Case

Industry and government information technology (IT) compliance objectives and requirements exhibit common needs to control data access through authentication and authorization while protecting data integrity and confidentiality. Certain compliance authorities affect specific industries, such as Government (FISMA Certification and Accreditation (C&A) / FedRAMP), Banking (Basel III, OCC), Healthcare (HIPAA), and Utilities (FERC, NERC). Some requirements, such as PCI, SOX, and the EU Privacy Directive, are more horizontal, affecting a broad range of organizations.

Driven by compliance concerns and the need for additional control in sensitive environments, organizations need granular administrative AAA (authentication, authorization, and accounting) traditionally lacking in large-scale virtual environments. Despite ongoing evolution and increasing complexity, today's compliance authorities call for strict RBAC (role-based access control) with detailed accountability of administrator actions. This is a challenging problem to solve in large-scale virtual environments.

Converged infrastructures offer the compelling benefit of unified management but must also accommodate existing silos of human and technical resources and facilitate the separation of duties required for secure administration. Unfortunately, the converged nature of today's cloud computing solutions does not always accommodate existing IT organizational structures and policies. While converged infrastructures confer significant benefits through the unification of compute, network, storage, and management resources, they do not magically merge the IT departments responsible for managing them.

Applications and data stores affected by the rise in compliance requirements are frequently business-critical resources that require high availability and reliable application performance, for example, credit card processing regulated by PCI. A successful IT solution for regulated applications must support an infrastructure with consistent and predictable service availability, reliability, and delivery.

Solution

VCE, the Virtual Computing Environment Company, has teamed up with HyTrust to provide a tightly coupled solution for applications in regulated environments. The VCE and HyTrust Solution combines Vblock Infrastructure Platforms and the HyTrust Appliance to integrate security, control, performance, and high availability in one package. This solution works on any Vblock Series 300 or Vblock Series 700, using the Vblock high-availability (HA) AMP or mini-AMP.

Vblock platforms utilize leading compute, storage, network, virtualization, and management components to provide enterprise-class IT infrastructure that is pre-engineered, hardened, tested, and validated to provide defined performance, capacity, and availability for today's mission-critical applications. Vblock platforms are built from Cisco, EMC, and VMware components, whose market-leading technologies include the virtual security products deployable with Vblock platforms. When combined with the HyTrust Appliance, Vblock platforms support the security technologies needed to meet today's compliance requirements.

The Advanced Management Pod (AMP) used in Vblock platforms, a key component of this solution, offers the ideal architecture and traffic flows for using the HyTrust Appliance as a gateway for all administrative traffic. This network-based deep integration improves control and usability. The HyTrust Appliance described in this solution is designed to work as a security gateway for Vblock platform administrative network traffic, with support by design for all compute, IP and storage network, and virtualization components.

The HyTrust Appliance is a virtual appliance that sits between your IT administrators and the IT infrastructure, permitting or denying interactive administrative requests according to the organization's defined security policies. The HyTrust Appliance bridges the gap between organization-wide and IT-function-driven administration through the use of centralized user administration and access control for both unified and component management interfaces.

The VCE and HyTrust Solution provides a control layer on top of the high-performing Vblock platform, with granular control offering the advantages of unified management combined with direct, protected access by individual parts of the organization according to roles and policies. The combination of operational characteristics, security flexibility, and enhanced usability makes the VCE and HyTrust Solution a superior choice for running regulated application workloads.

Key Benefits

- Easy implementation of Separation of Duties and Least Privilege
- Centralized user administration
  - Authentication
  - Authorization
- Easy support for multi-factor authentication
- Enhanced audit logs
- Fine-grained control over managed resources and attributes using RBAC

Scope

This document provides a high-level description of the VCE and HyTrust Solution, including business requirements, technology components, architecture, and use case validation.

Audience

This document is intended for IT and security administrators, managers, and directors deploying Vblock platforms with regulated application workloads.

Feedback

To suggest documentation changes and provide feedback on this paper, send e-mail to docfeedback@vce.com. Include the name of this paper, the name of the topic to which your comment applies, and your feedback.

Technology Overview

Vblock Infrastructure Platforms

Vblock platforms by VCE are enterprise- and service-provider-class IT infrastructure built upon industry-leading technology by Cisco, EMC, Intel, and VMware. Vblock platforms are pre-engineered, hardened, tested, and validated units that streamline IT infrastructure acquisition, deployment, and operations. By standardizing IT building blocks, VCE can dramatically simplify IT operations, accelerating IT deployment while reducing costs and improving service levels for all workloads, including the most demanding critical enterprise applications. Customers who previously spent 70% or more of their IT budgets and staff time on maintaining infrastructure can focus on more strategic efforts that add value to the business or mission.

Vblock platforms are architected and hardened according to each component's best practices and enterprise-grade business objectives. Strict design control enables Vblock platforms to meet specific performance and availability levels while maintaining a balanced, optimized, and easily managed converged infrastructure.

Balancing Convergence and Separation of Duties

VCE provides a balanced combination of the efficiencies of convergence and the separation of duties required to integrate with existing IT structures and security requirements. Vblock platforms provide convergence products like UIM to administer a Vblock platform as a unit, and they provide discrete management capabilities for IP and storage networking, compute, virtualization, and storage. For example, the Nexus 1000V allows the networking team to administer virtual networking with a familiar set of tools and interfaces without concentrating power beyond organizational tolerance levels.

Security Ecosystem

Cisco, EMC (including RSA, The Security Division of EMC), and VMware are three of the largest players in the virtual security and compliance arena. Vblock platforms can be deployed with virtually all of their security products, providing customers a rich bank of security resources to draw upon. Additionally, the VCE partner channel will support using the overwhelming majority of available security technologies with Vblock platforms, regardless of manufacturer.

HyTrust Appliance

The HyTrust Appliance (HTA) acts as a transparent management gateway for Vblock platforms, providing comprehensive security accountability and visibility. The HyTrust Appliance provides consistent control at the hypervisor layer to securely enable all access methods, including VMware vSphere Client, Web client, and Secure Shell (SSH). Its capabilities include:

Secure Unified Account Management
With the HyTrust Appliance you can manage all Vblock platform components using Microsoft Active Directory (AD) password authentication or RSA SecurID multi-factor authentication.

Separation of Duties and Fine-grained Access Control
The HyTrust Appliance allows you to define and enforce highly granular access policies for the Vblock platform virtual infrastructure by defining Groups, Policies, Rules, and Resources. Members of a particular Group can access resources as defined by centrally administered Rules governing security for Resources in the Vblock platform. For example, a rule can allow members of the HT_NetworkAdmin group to perform AddPortGroup and RemoveVirtualSwitch operations for a Resource like the vCenter server and all objects underlying it, such as the networking subsystem. (See also Appendix 1: Microsoft Active Directory Groups.)

Support for Multi-Tenancy
IT organizations can define controls for individual virtual machines (VM) within Vblock platforms to ensure separation of tenants in a multi-tenant environment or to support mixed-mode environments where regulated and non-regulated applications share common infrastructure.

Hypervisor Hardening
Access to VMware vSphere hosts allows you to identify configuration errors using prebuilt assessment frameworks such as PCI DSS, CIS Benchmark, VMware Best Practices, or custom, user-defined templates. Without manual effort or scripts, the HyTrust Appliance proactively monitors hosts and simplifies configuration maintenance.

Audit-quality Logging
Granular, user-specific access logs streamline audits, troubleshooting, and forensic analysis. The HyTrust Appliance gives IT groups the ability to grant self-service audit administration to various internal organizations.

Integrated by Design with Vblock Platforms
The HyTrust Appliance protects administrative access to Vblock platform components, including the UCS Manager (UCSM), Nexus 1000V, and physical components running NX-OS, including MDS SAN switches. This integration enables unified account management of the converged infrastructure and provides a single point of logging for administrative operations, which facilitates compliance.

Solution Architecture

Overview

The HyTrust Appliance is a virtual appliance that deploys as a virtual machine on the VMware vSphere infrastructure. It relies on its position in the network to view IT management traffic and intercept management requests normally routed directly to Vblock platform management ports (such as UCSM, VMware vSphere ESXi console ports, and Nexus 5548 management ports). The HyTrust Appliance first authenticates and authorizes all users and the operations they want to perform and then passes on the request to the target. In addition, the HyTrust Appliance allows organizations to create and apply more granular access policies and perform ESX configuration management by applying and monitoring ESX compliance to custom-defined security templates and then remediating deficiencies and discrepancies.

The Vblock Advanced Management Pod (AMP) is a self-contained management infrastructure that performs management and monitoring functions for the Vblock platform. The AMP hosts infrastructure management software such as VMware vCenter, UIM, and Vblock infrastructure element managers. Each Vblock platform includes either a mini-AMP or high availability (HA) AMP. The mini-AMP is based on a single rack-mounted server and dual Cisco switches. The HA AMP uses redundant servers and switches, and redundancy for most applications and tools. This solution works on either the HA AMP or mini-AMP.

The AMP hosts the virtual machines used to support the management tools controlling the Vblock platform and its components. In order to avoid parent-child conflicts, the AMP is discrete from the core Vblock platform resources it supports. The AMP is also connected to the administrative interfaces of the components. Since administrative users either interact with resources in the AMP or connect directly to components through it, and since the AMP has the resources to host virtual HyTrust Appliances, we recommend you position the HyTrust Appliance on the AMP.

Vblock Series 700 model MX

The Vblock Series 700 model MX used to validate this solution combines Cisco's Unified Computing System (UCS), Nexus, and MDS compute and networking technologies with VMware's vSphere virtualization layer and the EMC VMAX series of unified storage arrays. The 700MX is deployed for massive scaling with ERP, CRM, and virtual desktops in configurations that are extensible to meet the most demanding IT requirements of any enterprise or service provider. It utilizes a SAN storage medium or a NAS (File) storage medium. UCS local boot disks are optional.

The 700MX contains the following key hardware and software components:

Table 1. Vblock Series 700 model MX hardware and software

Resource: Compute
- Cisco UCS B-Series Blades
- Cisco M81KR Virtual Interface Card converged network adapter
- Cisco UCS fabric interconnects (FI) 6140
- Cisco UCS 5108 Blade Server chassis

Resource: Network
- Cisco Nexus 5548UP Series IP switches (optional: required for two compute cabinets unless you select a Cisco Nexus 7010 switch)
- Cisco Nexus 7010 switch (optional: requires two or more compute cabinets)
- Cisco Nexus 1000V VSM and VEM virtual switch
- Cisco MDS 9148 Multilayer Fabric Switch
- Cisco MDS 9506 Multilayer Director (optional)
- Cisco MDS 9513 Multilayer Director (optional)

Resource: Storage
- EMC Symmetrix VMAX
- EMC Symmetrix Data at Rest Encryption (DARE) (optional)

Resource: Virtualization
- VMware vSphere 5: VMware ESXi and vCenter Server

Resource: Management
- EMC PowerPath/VE
- Cisco UCS Manager
- EMC Ionix Unified Infrastructure Manager (UIM)
- EMC Secure Remote Support (ESRS) on Windows
- EMC Symmetrix Management Console (SMC) on Windows
- EMC Symmetrix Performance Analyzer (SPA) on Windows
- VMware vSphere Server Enterprise Plus

Note: This solution works on any Vblock Series 300 or Vblock Series 700, using the HA AMP or mini-AMP.

Figure 1. Vblock Series 700 model MX and mini-AMP

Physical Architecture

Vblock platforms include an AMP. The AMP provides a single management point for Vblock platforms and provides the following benefits:

- Monitors and manages Vblock platform health, performance, and capacity
- Provides fault isolation for management
- Eliminates resource overhead on the Vblock platform
- Provides a clear demarcation point for remote operations

The AMP contains these physical components:

- One Cisco 3560x Ethernet Switch
- One Cisco C200 Rack Mounted Server running VMware ESXi 5 (48 GB RAM and 4 TB of storage)

You can deploy the following tools in the AMP to manage Vblock platforms:

- Cisco Unified Computing System Manager (UCSM)
- Cisco Virtual Supervisor Module (VSM)
- VMware vCenter 5
- Windows 2008 R2 Servers deployed for various purposes, including Microsoft Domain Controller with Active Directory Services and utility host/management servers
- HyTrust Appliance

Note: This list is not exhaustive and only contains a listing of element managers that are accessed through the HyTrust Appliance.

Logical Architecture

The AMP switch and ESXi host with VMware vSwitch have the following VLANs defined:

- VLAN 101: The management interfaces for the Cisco Nexus 5548UP, Cisco MDS 9148, vCenter Server, and ESXi console reside here.
- VLAN 104: The UCSM interface is accessible through this VLAN.
- VLAN 105: The Nexus 1000V VSM management interface resides here.
- VLAN 206: This VLAN hosts management tools such as SNMP receptors, syslog servers, and utility hosts.

The HyTrust Appliance is deployed in Router mode. In Router mode the appliance sits between the source network of the management traffic and the target systems. This is accomplished by putting virtual interfaces on two different VLANs. In this solution, we used one interface on VLAN 206 and one on VLAN 101. There is also a static route on the ESXi host that sends traffic destined for VLAN 206 to the HyTrust Appliance interface that sits on VLAN 101. This is important to ensure that no one can circumvent the HyTrust Appliance. Additionally, access restrictions exist on the individual element managers and network control points, which limit the source of management traffic to the HyTrust Appliance. This environment is depicted in Figure 2.

Figure 2. VCE and HyTrust Solution management environment

Design Considerations

This solution follows the best practices for both Vblock platforms and the HyTrust Appliance to improve usability and compliance:

- We required that all administrative traffic from outside the Vblock platform use a utility server in the AMP.
- We used a 700MX with the AMP, using the HyTrust Appliance 2.5.2 configured in routing mode and residing on the AMP.
- We routed all management network traffic through the HyTrust Appliance.
- We used a mixed environment consisting of UCSM 1.4 U3, Nexus 1000V, Nexus 5000 series, MDS 9000 series, VMware vSphere vCenter 5.0, and VMware ESXi 5.0, all protected by the HyTrust Appliance.
- We configured the HyTrust Appliance in Directory Services mode, using unified authentication to a central Active Directory service.

Configuration

The following steps provide an overview of the HyTrust Appliance (HTA) installation and configuration:

1. Review ESXi host and other system and environment prerequisites for installing and using HTA.
2. Add additional VLANs not installed during the Vblock platform logical build.
3. Convert the HyTrust Appliance to Directory Services mode to ensure integration with a corporate user/account directory, such as Microsoft AD. You do not need to configure individual components to work with AD.
4. Install (import) HTA as a VMware ESX VM. Confirm that the network adapter(s) are properly configured and connected. After editing the necessary settings, turn on the HTA virtual machine.
5. Run Setup and the Install Wizard.
6. Optionally, set up the HTA vCenter Plugin, which allows you to perform HTA operations directly from the vSphere Client accessing a vCenter server. You can use the HTA Management Console Web application as well.
7. Add vCenter Servers, ESX hosts, Nexus 1000V switches, UCSM, and Cisco Nexus 5000 and 7000 series switches to be managed and protected by the HTA.
8. Define Rules and deploy Policy to activate protection for the virtual infrastructure.

The following steps provide an overview of the Vblock platform configuration necessary to support the HyTrust Appliance:

1. Add a static route to the ESXi host in the AMP to ensure proper traffic flow.
2. Configure all HyTrust-managed devices to log to a centralized log server in the AMP.
3. Add SNMP traps from HyTrust-managed devices to a centralized SNMP trap receptor.
4. Restrict access to the IP of the HTA on the systems to be administered through HyTrust.
5. Configure all devices for Network Time Protocol (NTP).
6. Build Microsoft AD groups and users.

Validation

Overview

Validation comprised simple tests for seven discrete use cases designed to show that the VCE and HyTrust Solution provides enterprises a high-availability security gateway that provides:

- Easy integration with Vblock platforms
- Fine-grained control of authentication and authorization
- Enhanced audit logging
- Compatibility with RSA SecurID security technologies

To validate these use cases, we performed the following tests:

- Use Case #1 Unified Authentication: Verify the ability to centrally configure authentication using HyTrust and Microsoft Active Directory.
- Use Case #2 Unified Authorization: Verify the ability to manage authorization both by protected system and by role.
- Use Case #3 Unified Logging: Verify the ability to create enhanced audit logs.
- Use Case #4 Redundant Operation: Verify that the HyTrust Appliance ensures service availability after a component failure.
- Use Case #5 Enterprise Ready: Verify the ability of the HyTrust Appliance to interoperate with select management and monitoring technologies.
- Use Case #6 RSA: Verify that RSA SecurID tokens can be used to authenticate administrative traffic directed through the HyTrust Appliance.
- Use Case #7 Negative Testing: Verify that the HyTrust Appliance in this solution cannot be trivially bypassed by users connecting from outside the management plane.

Use Cases

Use Case #1 Unified Authentication

Verify the ability to centrally configure authentication using HyTrust and Microsoft Active Directory.

Procedure

1. We used the default HTA policy for full access (Default SuperAdmin rule).
2. We added an AD-provisioned user to an AD group with full access privileges.
3. We used this account to authenticate to AD and gain access to all the elements of the infrastructure (vSphere, Nexus 1000V, Nexus 5000, MDS, UCSM), even though no local accounts were provisioned in those modules.
4. We verified that authentication and login operations were captured by the HyTrust log.

Results

The log files and SNMP traps successfully demonstrated the unified authentication of the AMP-based Vblock platform element managers. Additionally, since no logical connection existed between AD and the individual network components, it was not possible for an AD account to have been authenticated in this environment without going through the HyTrust Appliance.

Use Case #2 Unified Authorization

Verify the ability to manage authorization both by protected system and by role.

Procedure

1. We used a default HyTrust Appliance policy for managing networking (Default NetworkAdmin rule).
2. We added an AD-provisioned user to an AD group with network management privileges.
3. We verified that the user was able to connect to vSphere and see network systems, but was blocked from creating a virtual machine or modifying the vCenter syslog setting. Unauthorized operations were correctly logged by the HyTrust Appliance at WARN level.
4. We created an additional policy that blocked access to MDS switches for all users except SuperAdmins (we applied a RuleSet SuperAdmin Only to the two MDS switches).
5. We verified that the user who was the only member of the group with network privileges was blocked from accessing the MDS, but was still able to access the Nexus 1000V VSM. All the activity, including new policy creation and authorized and blocked access, appeared in the log.

Results

This use case uses the same AD account we created in use case #1 to perform functions requiring administrative-level access. Since only the AD account associated with the HyTrust SuperAdmin role had the proper privileges, the other account could not perform admin-level tasks. All attempts to make changes were logged on the syslog server and successfully demonstrated the unified authorization provided by the VCE and HyTrust Solution.

Use Case #3 Unified Logging

Verify the ability to create enhanced audit logs.

Procedure

While validating the previous two use cases we confirmed:

1. Authentication is correctly logged for all the different modules.
2. All authorized operations are correctly logged with users correctly attributed and other pertinent details present (source IP, operation, and so forth).
3. All blocked operations are correctly logged with users correctly attributed and information about why the operation was not authorized.

Results

Use cases #1 and #2 both created significant, detailed logs. The log files showed which user attempted changes, which changes were attempted, and what action originated from the HyTrust Appliance (Deny or Allow). The events were time-stamped, and we cross-validated the HyTrust Appliance and the syslog server logs.

Use Case #4 Redundant Operation

Verify that the HyTrust Appliance ensures service availability after a component failure. This test was performed at another location since the AMP in the primary test facility was not configured for HA operation.

Procedure

1. We set up the HyTrust Appliance in high availability mode with two redundant instances of the virtual appliance residing on two separate ESXi servers, and we configured the failover period to be one minute.
2. We verified that UCS management sessions and vSphere management sessions were correctly authorized.
3. We made the primary instance of the HyTrust Appliance unavailable by disconnecting it from the network.
4. We verified that the failover event was correctly logged in the syslog server.
5. We verified that after two minutes, UCS management sessions and vSphere management sessions were correctly authorized (now by the failover node).

Results

This use case demonstrated that customers can operate the HyTrust Appliance in high availability mode in Vblock platforms configured with the HA AMP.

Use Case #5 Enterprise Ready

Verify the ability of the HyTrust Appliance to interoperate with select management and monitoring technologies.

Procedure

1. We configured the HyTrust Appliance to output logs to the external syslog server and used the HyTrust Appliance to configure a protected ESXi host to output its native logs to the same external syslog server. We verified that both the HyTrust Appliance and ESXi logs correctly appeared in the syslog server and could be identified by source.
2. We configured a custom template in the HyTrust Appliance and applied it to the protected ESXi host, thereby forcing the protected ESXi host to use the correct corporate NTP server.
3. We configured the HyTrust Appliance for monitoring using SNMP, triggered an SNMP trap by manually restarting the SOAP proxy, and verified that the trap was captured by the SNMP server.

Results

This use case confirmed that several essential monitoring protocols function as expected. The HyTrust Appliance can be monitored by SIEM/log management platforms and traditional network management systems. Further, the timestamps for log activity are reliable, coming both from the HyTrust Appliance and directly from the ESXi systems managed through the HyTrust Appliance. In addition, as validated in use cases #1 and #2, the HyTrust Appliance interoperates extensively with Microsoft AD.

Use Case #6 RSA

Verify that RSA SecurID tokens can be used to authenticate administrative traffic directed through the HyTrust Appliance.

Procedure

1. We configured the HyTrust Appliance to require users to log in with RSA SecurID tokens.
2. Once RSA SecurID was successfully enabled, an updated login screen was displayed on the HyTrust Appliance management console.
3. To log in to the VMware vCenter Management Console, we had to use the RSA PIN concatenated with the RSA token value. Logging in without the RSA token or with an incorrect RSA token was not allowed.

Results

This use case validated two-factor authentication for Vblock platforms. The logs demonstrated successful and unsuccessful login attempts.
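The PIN-plus-tokencode check exercised in step 3 of the procedure above, as an added example that is not part of the original document and is not HyTrust's or RSA's code. The SecurID tokencode algorithm is proprietary and not described here, so the example substitutes an RFC 6238 TOTP tokencode over a shared seed (an assumption), with a constructed user record, an assumed 60-second rotation interval and six-digit tokencode, and an audit record in the spirit of the logs the use case checked. The names verify_passcode, tokencode, USERS and AUDIT are the example's own.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

TOKEN_DIGITS = 6   # digits shown on the token (assumption for this stand-in)
STEP_SECONDS = 60  # tokencode rotation interval (assumption for this stand-in)


def tokencode(seed: bytes, at: int) -> str:
    """Stand-in tokencode: RFC 6238 TOTP (HMAC-SHA1 with RFC 4226 truncation) over a shared seed.
    The real SecurID algorithm is proprietary and is not described in this document."""
    counter = struct.pack(">Q", at // STEP_SECONDS)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** TOKEN_DIGITS).zfill(TOKEN_DIGITS)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """PINs are stored salted and stretched, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# Constructed enrolment record for one administrator (not a real account or seed).
_SALT = b"constructed-salt-jsmith"
USERS = {
    "jsmith": {"salt": _SALT, "pin_hash": hash_pin("2468", _SALT),
               "seed": b"constructed-token-seed-jsmith", "last_code": None},
}

AUDIT = []  # in the deployment above, these records would go to the external syslog server


def verify_passcode(user: str, passcode: str, src_ip: str,
                    now: Optional[int] = None, window: int = 1) -> bool:
    """Check a passcode of the form <PIN><tokencode>; return Allow (True) or Deny (False)."""
    now = int(time.time()) if now is None else now
    rec = USERS.get(user)
    pin_ok = token_ok = replayed = False
    code = ""
    if rec is not None and len(passcode) > TOKEN_DIGITS:
        pin, code = passcode[:-TOKEN_DIGITS], passcode[-TOKEN_DIGITS:]
        pin_ok = hmac.compare_digest(hash_pin(pin, rec["salt"]), rec["pin_hash"])
        # Tolerate one step of clock drift on either side of the server time.
        token_ok = any(hmac.compare_digest(tokencode(rec["seed"], now + k * STEP_SECONDS), code)
                       for k in range(-window, window + 1))
        # A tokencode is single-use: a captured passcode must not work a second time.
        if token_ok and code == rec["last_code"]:
            token_ok, replayed = False, True
    ok = pin_ok and token_ok
    if ok:
        rec["last_code"] = code
    # The caller learns only Allow/Deny; which factor failed is recorded for the auditor.
    AUDIT.append(f"user={user} src={src_ip} result={'Allow' if ok else 'Deny'} "
                 f"pin_ok={pin_ok} token_ok={token_ok} replay={replayed}")
    return ok


if __name__ == "__main__":
    t = int(time.time())
    print(verify_passcode("jsmith", "2468" + tokencode(USERS["jsmith"]["seed"], t), "10.1.1.50"))
    print(verify_passcode("jsmith", "2468" + tokencode(USERS["jsmith"]["seed"], t), "10.1.1.50"))
    print("\n".join(AUDIT))
```

Both factors are always evaluated before the decision, so a failed login tells the client only Deny; the audit record keeps the detail (wrong PIN, wrong or replayed tokencode) that an investigator needs, which matches the successful and unsuccessful attempts the use case observed in the logs.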
This combination of the HyTrust Appliance, RSA SecurID, and Vblock platforms fulfills a major requirement in meeting today's compliance objectives with two-factor authentication. The VCE and HyTrust Solution offers a single authentication strategy for all Vblock platform components, with central auditing and troubleshooting.

Use Case #7 Negative Testing

Verify that the HyTrust Appliance in this solution cannot be trivially bypassed by users connecting from outside the management plane.

Procedure

We attempted to log in to a protected ESXi host with a real root account. Access was properly denied and the denial logged.

Results

By using the ESXi 5 firewall and allowing management connections on port 22 only from the HyTrust Appliance, we verified that the proxy cannot be bypassed: login attempts from other sources were denied. This effectively prevents outside logins from bypassing HyTrust Appliance security. In addition, the HyTrust Appliance configures the ESXi host by default to disallow login with a locally defined account, specifically the root login, thus preventing direct console and network access with that account. Instead, users log in with their own credentials and have their privileges elevated to root or administrative level.
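Use cases #3, #5 and #7 all come down to reading the merged syslog stream: the appliance's Allow/Deny records alongside the protected ESXi host's own sshd records. What follows is an added example, not code from the original document, VCE or HyTrust, of the cross-check a defender would run over that stream: attribute each operation to a user, list what the appliance denied, and flag any SSH session that reached the host from a source other than the appliance (the firewall restriction of use case #7 not holding) or that used the local root account (which the appliance disables by default). The log formats (hytrust: key=value lines, OpenSSH-style sshd lines), the host names and the appliance address 10.1.1.10 are constructed assumptions; real HyTrust log fields differ.

```python
import re
from collections import Counter

# Management address the appliance proxies SSH from (assumed, constructed).
APPLIANCE_ADDRS = {"10.1.1.10"}

# Constructed sample: the merged syslog stream from one HyTrust Appliance (hta-01) and one
# protected ESXi host (esxi-01). Formats and addresses are assumptions, not real product output.
SAMPLE_LOG = r"""
Mar 12 10:01:05 hta-01 hytrust: user=CORP\jsmith src=10.1.1.50 target=esxi-01 op=PowerOffVM result=Allow
Mar 12 10:01:09 hta-01 hytrust: user=CORP\jsmith src=10.1.1.50 target=ucsm-01 op=ModifyServiceProfile result=Deny reason=role_lacks_privilege
Mar 12 10:01:40 hta-01 hytrust: user=CORP\mlee src=10.1.1.51 target=esxi-01 op=SSHLogin result=Allow
Mar 12 10:01:41 esxi-01 sshd[2210]: Accepted keyboard-interactive/pam for mlee from 10.1.1.10 port 51234 ssh2
Mar 12 10:03:15 esxi-01 sshd[2240]: Failed password for root from 10.1.1.77 port 40010 ssh2
Mar 12 10:04:02 esxi-01 sshd[2255]: Accepted password for root from 10.1.1.88 port 40020 ssh2
Mar 12 10:04:30 esxi-01 Hostd: [ACTIVITY] unrelated line that the parser should ignore
""".strip()

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
HTA_RE = re.compile(TS + r" (?P<host>\S+) hytrust: (?P<kv>.*)$")
SSHD_RE = re.compile(TS + r" (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) \S+ for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+")


def parse_line(line):
    """Normalise one syslog line into a dict, or return None for lines this check does not model."""
    m = HTA_RE.match(line)
    if m:
        fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
        return {"source": "hta", "ts": m["ts"], "host": m["host"], **fields}
    m = SSHD_RE.match(line)
    if m:
        return {"source": "esxi-sshd", "ts": m["ts"], "host": m["host"], "user": m["user"],
                "src": m["src"], "op": "SSHLogin",
                "result": "Allow" if m["outcome"] == "Accepted" else "Deny"}
    return None


def analyze(log_text, appliance_addrs=APPLIANCE_ADDRS):
    """Cross-check appliance and host records; return the findings an auditor would review."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    denied = [e for e in events if e["source"] == "hta" and e["result"] == "Deny"]
    # Any SSH session reaching the host from somewhere other than the appliance means the
    # port-22 firewall restriction is not in force for that source, whether or not it succeeded.
    bypass = [e for e in events if e["source"] == "esxi-sshd" and e["src"] not in appliance_addrs]
    # The local root account should never authenticate at all once the appliance has hardened the host.
    local_root = [e for e in events if e["source"] == "esxi-sshd" and e["user"] == "root"]
    return {
        "events": len(events),
        "denied": denied,
        "bypass_attempts": bypass,
        "bypass_succeeded": [e for e in bypass if e["result"] == "Allow"],
        "local_root_logins": local_root,
        "ops_by_user": Counter(e.get("user", "?") for e in events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for key in ("denied", "bypass_attempts", "bypass_succeeded", "local_root_logins"):
        print(key, [(e["ts"], e["user"], e["src"], e["result"]) for e in report[key]])
    print("operations by user:", dict(report["ops_by_user"]))
```

In the constructed sample the appliance denied one UCS change, two SSH attempts reached the host from addresses other than the appliance, and one of them succeeded as root; that last combination is the finding that matters, because it shows both the port-22 restriction and the root lockout were absent for that source.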

Conclusion

IT organizations are struggling to keep up with rising public and private regulatory requirements, and many converged infrastructure approaches to the problem ignore the complexities of balancing unified management with granular control for different groups in the IT organization. The VCE and HyTrust Solution simultaneously enhances both converged and distributed management, while providing the best in application high availability and performance.

This solution creates a common AAA platform with the HyTrust Appliance, giving the security and operations teams better visibility and access, while at the same time simplifying access and role enforcement for the more narrowly focused parts of the organization. This increases consistency in authentication and authorization and allows better control over what other groups can do in their specialty area. The end result is the simplified management and monitoring of administrative users promised by convergence, coupled with direct-yet-protected access to native administration interfaces. The simplified management and enhanced monitoring capabilities, in turn, reduce operational costs and help you address your access- and authorization-related compliance objectives.

Vblock platforms comprise market-leading components from Cisco, EMC, Intel, and VMware bound together with careful testing and tailored tools. The result is a more tightly integrated offering with excellent and predictable application performance in a pre-hardened package. With HyTrust, the premier security solution for virtualized environments, the VCE and HyTrust Solution introduces another market-leading component that reduces complexity while reinforcing VCE's commitment to application security in the virtualized IT space.
With proven technologies at the core, tight integration to support consistent configurations, advanced security functionality throughout HyTrust and Vblock platforms, and an immense family of security and compliance technologies, the VCE and HyTrust Solution presents the most comprehensive security offering in the converged infrastructure market.

Next Steps

To learn more about this and other solutions, contact a VCE representative or visit www.vce.com.

Appendix 1: Microsoft Active Directory Groups

Each entry gives the AD Group Name, the HyTrust Role it maps to, and the Description of Role and Associated Privileges.

HT_ApplAdmin
  HyTrust Role: HTA Administrator (ApplAdmin)
  Privileges: Install HTA and perform HTA configuration tasks (configure networking, configure high availability, configure logging). No privileges to manipulate virtual infrastructure.

HT_ARCAdmin
  HyTrust Role: ARC Administrator (ARCAdmin)
  Privileges: Create and modify ARC templates, add ARC targets, assess and remediate ARC.

HT_ARCAssessor
  HyTrust Role: ARC Assessor (ARCAssessor)
  Privileges: Perform ARC assessments and view ARC results.

HT_BackupAdmin
  HyTrust Role: Backup Administrator (BackupAdmin)
  Privileges: Back up and restore virtual machines (guests).

HT_BasicLogin
  HyTrust Role: Basic Login (BasicLogin)
  Privileges: Perform some basic operations, such as login.

HT_CoreApplAdmin
  HyTrust Role: Core Appliance Administrator (CoreApplAdmin)
  Privileges: Install and configure core appliance VMs.

HT_DCAdmin
  HyTrust Role: Datacenter Administrator (DCAdmin)
  Privileges: Set up VMware vCenter datacenters and perform actions on all objects within virtual data centers. Install patches, change configuration of ESX, reboot ESX hosts.

HT_ESXMAdmin
  HyTrust Role: ESX Maintenance Administrator (ESXMAdmin)
  Privileges: Perform ESX/ESXi host maintenance (use SSH, change configuration, reboot). Perform HTA configuration, assessment, and remediation (ARC). No virtual machine privileges.

HT_FedAdmin
  HyTrust Role: Federation Administrator (FedAdmin)
  Privileges: Perform federation administration and manage global objects.

HT_NetworkAdmin
  HyTrust Role: Network Administrator (NetworkAdmin)
  Privileges: Manage virtual switches, VLANs, and other network configuration settings.

HT_PolicyAdmin
  HyTrust Role: Policy Administrator (PolicyAdmin)
  Privileges: Create and modify policies, labels, and constraints.

HT_RoleAdmin
  HyTrust Role: Role Administrator (RoleAdmin)
  Privileges: Create and modify roles and privileges.

HT_StorageAdmin
  HyTrust Role: Storage Administrator (StorageAdmin)
  Privileges: Define VMFS volumes and mapping to LUNs, including masking and zoning. Privileges also provided to: define iSCSI access paths; manage NFS volumes; manage HSM and data retention; administer storage (disk replacement); manage backup.

HT_SuperAdmin
  HyTrust Role: Super-user Administrator (SuperAdmin)
  Privileges: Perform any action (assigned all privileges).

HT_VIAdmin
  HyTrust Role: Virtual Infrastructure Administrator (VIAdmin)
  Privileges: Perform operations on virtual infrastructure. Configure DRS and VMware HA. Initiate VMotion. Assign hosts to resource pools. Limited privileges on ESX hosts.

HT_UCSLogin
  HyTrust Role: Cisco UCS Login (UCSLogin)
  Privileges: Access and operations with UCSM.

HT_VMPowerUser
  HyTrust Role: Virtual Machine Power User (VMPowerUser)
  Privileges: Perform actions on virtual machines and resource objects. Role members may view and change most virtual machine configuration settings, take snapshots, and schedule tasks. Privileges include: all privileges for the scheduled task privileges group; selected privileges for the global items, datastore, and virtual machine privileges groups; no privileges for the folder, datacenter, network, host, resource, alarms, sessions, performance, and permissions privileges groups.

HT_VMUser
  HyTrust Role: Virtual Machine User (VMUser)
  Privileges: This role is equivalent to the role with the same name defined in VirtualCenter 1.x. Role members may interact with virtual machines, but not change the virtual machine configuration. Privileges include: all privileges for the scheduled tasks privileges group; selected privileges for the global items and virtual machine privileges groups; no privileges for the folder, datacenter, datastore, network, host, resource, alarms, sessions, performance, and permissions privileges groups.

ABOUT VCE

VCE, the Virtual Computing Environment Company formed by Cisco and EMC with investments from VMware and Intel, accelerates the adoption of converged infrastructure and cloud-based computing models that dramatically reduce the cost of IT while improving time to market for our customers. VCE, through the Vblock platform, delivers the industry's first completely integrated IT offering with end-to-end vendor accountability. VCE's prepackaged solutions are available through an extensive partner network, and cover horizontal applications, vertical industry offerings, and application development environments, allowing customers to focus on business innovation instead of integrating, validating, and managing IT infrastructure. For more information, go to www.vce.com.

ABOUT HYTRUST

HyTrust, headquartered in Mountain View, CA, is the leader in policy management and access control for virtual infrastructure. HyTrust empowers organizations to virtualize more, including servers that may be subject to compliance, by delivering enterprise-class controls for access, accountability, and visibility to their existing virtualization infrastructure. The company is backed by top-tier investors Granite Ventures, Cisco Systems, Trident Capital, and Epic Ventures; its partners include VMware, Symantec, CA, RSA, and Intel Corporation. For more information, go to www.hytrust.com.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." VCE MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright 2012 VCE Company, LLC. All rights reserved. Vblock and the VCE logo are registered trademarks or trademarks of VCE Company, LLC. and/or its affiliates in the United States or other countries. All other trademarks used herein are the property of their respective owners.