QTS Leverages HyTrust to Build a FedRAMP Compliant Cloud





CASE STUDY

"The technology and expertise provided by HyTrust dramatically simplified the process of preparing for our FedRAMP certification. HyTrust added key administrative control and visibility into our virtual infrastructure, along with comprehensive and granular auditing. I wish deployments with all vendors went as smoothly as ours did with HyTrust."
- Randall Poole, VP Cloud Services

About QTS

QTS has built a national portfolio of world-class data centers supported by best-in-class technology, infrastructure, and equipment as the foundation for their services. QTS owns, operates and manages facilities coast-to-coast encompassing approximately 4.7 million square feet of secure, state-of-the-art data center infrastructure supporting more than 850 customers. Their robust, redundant, fiber-rich facilities are strategically located in or near many of the nation's most important data center markets.

In late 2012, QTS began an initiative to expand their business, adding two key cloud Infrastructure as a Service (IaaS) offerings: one targeted at commercial enterprises, and one for government, which would be FedRAMP certified.

The Challenge

QTS was building four VMware-based virtualized datacenters that would support their cloud offerings. QTS recognized that virtualized infrastructure requires different security. Because virtualization and cloud infrastructure collapse applications, network and storage into a single software layer, administrators of this environment typically have very broad privileges. QTS understood this concentration of risk, and wanted to achieve the tightest security possible for their employees and their customers. The company also wanted to enhance their security posture and offerings for commercial customers, and ensure their environment would achieve FedRAMP compliance.

QTS chose HyTrust to provide these additional layers of administrative control and visibility:

- Predictive protection to improve controls over what administrators can and can't do
- Better isolation and compartmentalization within their mission-critical and highly regulated virtual infrastructure
- Proactive increase in virtualization hardening, security posture and auditing
- Reduced risk of data center downtime, or destruction of data/intellectual property

Securing the Next-Generation Datacenter with HyTrust

QTS built out four new datacenter environments to support their cloud initiatives. The underlying hardware includes Cisco UCS servers with EMC storage, leveraging VMware for server virtualization. Two datacenters are allocated for a fully redundant, high-availability, FedRAMP-compliant cloud, and the other two for a highly secure commercial cloud offering.

HyTrust Improves Security, Simplifies FedRAMP Compliance

HyTrust CloudControl is a virtual appliance deployed as a control point between administrative traffic from all protocols, including VIC, SSH or a web UI, and the vCenter and ESXi hosts. CloudControl added a number of capabilities that were critical for FedRAMP compliance, including:

- Platform hardening: HyTrust CloudControl offers a range of templates that are used to harden the hypervisor. If the platform drifts from these recommended settings, CloudControl will automatically notify the appropriate administrator and reset the platform according to the template. QTS leveraged HyTrust's FedRAMP template for their implementation.

- Compartmentalization and administrative multi-tenancy: This helps protect vCloud Director assets from accidental misconfiguration or compromise. CloudControl's unique tag-based access controls (TBAC) allow QTS to tag or label certain assets, ensuring that they can only be managed by the appropriate administrator.

- Improved log quality: CloudControl captures vCenter and ESXi administrative functions more completely, providing better visibility into actions and attempted actions. CloudControl's granular, user-specific log records can be used for regulatory compliance, troubleshooting, and forensic analysis. HyTrust CloudControl records not only valid requests but also invalid attempts, which are critical for security purposes. Additionally, every request is tied to the identity of a specific user, and all relevant information (the actual request, source IP, target IP, etc.) is collected. At QTS, CloudControl is configured to feed log data directly to Splunk, their enterprise SIEM tool, further automating their security practices.

- Centralized authentication: QTS is able to mitigate backdoor access to ESXi hosts by centralizing authentication to vCenter and ESXi hosts through CloudControl.

Exceptional Deployment and Customer Service

Over and above the security capabilities enabled by CloudControl, QTS also experienced a smooth process for piloting the system and for moving it into production. Further, the HyTrust technical team created a FedRAMP matrix that clearly explained how HyTrust helped QTS address 27 specific requirements of the FedRAMP guidelines (see Appendix A for the full matrix).

As QTS expands their services, the company will look to implement additional HyTrust capabilities, including Secondary Authorization (a.k.a. the two-person rule). In most of the major breaches in 2013 and 2014, the compromise of an insider account was the initial point of entry into the network. Secondary authorization can ensure that sensitive actions, such as deleting or copying a virtual machine, require the approval of a manager or other authority. Alerts and automation are built into the process, so if approval is given, CloudControl will automatically proceed with the requested action.

Conclusion

In today's increasingly harsh security climate, Cloud Service Providers need to consider not only compliance but also security. Administrative control and visibility is largely overlooked in most virtualized infrastructures, and QTS recognized the importance of filling this security gap. Not only does this simplify compliance with FedRAMP, but the company also implemented these best practices in their commercial IaaS offering, which enables QTS to serve even highly security-sensitive customers.

About HyTrust

HyTrust is the Cloud Security Automation company. Its virtual appliances provide the essential foundation for cloud control, visibility, data security, management and compliance. HyTrust mitigates the risk of breach or catastrophic failure, especially in light of the concentration of risk that occurs within virtualization and cloud environments. Organizations can now confidently take full advantage of the cloud, and even broaden deployment to mission-critical applications. The company is backed by top-tier investors VMware, Cisco, Intel, In-Q-Tel, Fortinet, Granite Ventures, Trident Capital and Epic Ventures; its partners include VMware, VCE, Symantec, CA, McAfee, Splunk, HP ArcSight, Accuvant, RSA and Intel.

For More Information

To learn more about HyTrust, visit www.hytrust.com, or contact us at 650-681-8100.
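The three controls the case study describes in prose (tag-based access control over virtual infrastructure assets, secondary approval for sensitive actions such as deleting or cloning a VM, and an audit record for every request including denied and pending attempts, with user identity, source IP and target) fit together in one small policy model. The block below is an added illustration written for this page; it is not HyTrust CloudControl code and does not use its API. The inventory (`ASSETS`), the administrator accounts (`ADMINS`), the label names, IP addresses and the `SENSITIVE_ACTIONS` set are constructed sample data, and the `PolicyEngine` class is an assumption about how such a control point could be structured.

```python
"""Toy policy-enforcement model of the controls this case study describes:
tag-based access control (TBAC) over VM assets, secondary approval for
sensitive actions (the two-person rule), and an audit record for every
request, permitted or denied, carrying user, source IP and target.
Added illustration only, not HyTrust CloudControl code or its API; the
inventory, administrators and policy rules below are constructed."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed inventory: each VM carries the tenancy label it belongs to.
ASSETS: Dict[str, Set[str]] = {
    "vm-fed-01": {"fedramp"},
    "vm-com-07": {"commercial"},
}

# Constructed administrators: the labels each may manage, and whether the
# account may act as the second person on a sensitive request.
ADMINS: Dict[str, dict] = {
    "alice": {"tags": {"fedramp"}, "approver": False},
    "bob":   {"tags": {"commercial"}, "approver": False},
    "carol": {"tags": {"fedramp", "commercial"}, "approver": True},
    "dave":  {"tags": {"commercial"}, "approver": True},
}

# Actions that need a second person before they are carried out.
SENSITIVE_ACTIONS = {"delete_vm", "clone_vm"}


@dataclass
class Request:
    user: str
    action: str
    target: str
    source_ip: str
    approver: Optional[str] = None   # set once a second person has signed off


class PolicyEngine:
    def __init__(self, assets: Dict[str, Set[str]], admins: Dict[str, dict]):
        self.assets = assets
        self.admins = admins
        self.audit_log: List[dict] = []

    def _record(self, req: Request, outcome: str, reason: str) -> dict:
        # Every evaluation is logged, including denials and pending requests,
        # so attempted actions reach the SIEM as well as successful ones.
        entry = {"user": req.user, "action": req.action, "target": req.target,
                 "source_ip": req.source_ip, "approver": req.approver,
                 "outcome": outcome, "reason": reason}
        self.audit_log.append(entry)
        return entry

    def authorize(self, req: Request) -> dict:
        """Evaluate one request and return its audit record."""
        admin = self.admins.get(req.user)
        asset_tags = self.assets.get(req.target)
        if admin is None or asset_tags is None:
            return self._record(req, "DENY", "unknown user or target")
        # TBAC: the caller must hold every label attached to the asset.
        if not asset_tags <= admin["tags"]:
            return self._record(req, "DENY", "label mismatch")
        if req.action in SENSITIVE_ACTIONS:
            if req.approver == req.user:
                return self._record(req, "DENY", "requester cannot self-approve")
            approver = self.admins.get(req.approver or "")
            if approver is None or not approver["approver"]:
                return self._record(req, "PENDING", "secondary approval required")
            # The second person must also be scoped to the asset's labels.
            if not asset_tags <= approver["tags"]:
                return self._record(req, "DENY", "approver lacks label scope")
        return self._record(req, "ALLOW", "policy satisfied")

    def siem_export(self) -> str:
        """One JSON object per line, the form a log forwarder would ship."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit_log)


if __name__ == "__main__":
    engine = PolicyEngine(ASSETS, ADMINS)
    engine.authorize(Request("bob", "power_on", "vm-fed-01", "10.0.0.5"))
    engine.authorize(Request("alice", "delete_vm", "vm-fed-01", "10.0.0.7"))
    engine.authorize(Request("alice", "delete_vm", "vm-fed-01", "10.0.0.7",
                             approver="carol"))
    print(engine.siem_export())
```

Two design points carry over to a real deployment. First, the denial and pending records are as valuable to a SIEM as the allow records: a run of "label mismatch" denials from one source IP is exactly the attempted-action signal the case study says CloudControl surfaces. Second, the approver is checked against the same labels as the requester, so a second person from another tenancy cannot be used to satisfy the two-person rule.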

Appendix A

FedRAMP control matrix. The original columns are: Control No., Control Name, HyTrust Implemented FedRAMP Control, HyTrust Feature Description.

Control No.   Control Name
AC-2          Account Management
AC-3          Access Enforcement
AC-3 (3)      Access Enforcement: Mandatory Access Control
AC-4          Information Flow Enforcement
AC-5          Separation of Duties
AC-6          Least Privilege
AC-6 (2)      Least Privilege: Non-Privileged Access for Nonsecurity Functions
AC-10         Concurrent Session Control
AC-16         Security Attributes
AU-2          Audit Events
AU-3          Content of Audit Records
AU-6          Audit Review, Analysis, and Reporting
AU-8 (1)      Time Stamps: Synchronization with Authoritative Time Source
AU-10         Non-Repudiation
AU-12         Audit Generation
CA-7          Continuous Monitoring
CM-2          Baseline Configuration
CM-3          Configuration Change Control
CM-5          Access Restrictions for Change
CM-6          Configuration Settings
CM-6 (3)      [Withdrawn: Incorporated into SI-7]
CM-8 (3)      Information System Component Inventory: Automated Unauthorized Component Detection
IA-5          Authenticator Management
IA-5 (1)      Authenticator Management: Password-Based Authentication
SC-5          Denial of Service Protection
SC-10         Network Disconnect (*added from AC-12)
SI-3          Malicious Code Protection

The HyTrust Feature Description column of the matrix lists these capabilities:

- Two-Factor Auth, RPV, Infrastructure Segmentation, Secondary Approval
- RBAC, Secondary Approval
- RBAC
- Secondary Approval
- RBAC, Secondary Approval
- Security Template, RBAC, Secondary Approval
- Security Template
- Security Template
- Labeling, exportable to SIEM
- Two-Factor Authentication, Root Password Vaulting, Real Time Alerting
- RBAC, Real Time Alerting, Hypervisor Access Control by Protocol and IP
- Platform Integrity w/ Intel TXT
- Platform Integrity w/ Intel TXT and Hypervisor Access Control by Protocol and IP