HyTrust goes ballistic with virty compliance appliance

Locks down Vblock clouds


VMworld 2012 The US Air Force doesn't let a single operator of a missile site launch a nuke all by his or her lonesome, and HyTrust, a maker of policy management and access control software for VMware virtual infrastructure, thinks IT shops should adopt the secondary approval rule for a lot of things that go on inside of the ESXi hypervisor and its vCenter management console.

"VMware has a great platform, which enables all kinds of neat stuff, but it can all be controlled by a single system admin who could take down all of the virtual infrastructure at the company either accidentally or maliciously," says Eric Chui, founder and president of HyTrust.

And don't think it hasn't happened. Chui cites the case of a disgruntled former employee at Shionogi Pharmaceuticals, who was laid off from the Japanese company but had left a backdoor into the corporate network. This former employee waited a few weeks, logged in from a hotspot at a local McDonalds, and shut down and deleted 88 virtual machines running at the company. The entire virtual infrastructure had to be rebuilt from tape.

To use another metaphor, most companies typically require a second signature on any checks above $5,000, and adding secondary approval to the VMware vSphere virtualization stack, which the new HyTrust 3.0 compliance appliance does, seems sensible. In fact, it is a wonder that such capability is not already in vCenter and the ESXi hypervisor or that VMware has not already snapped up HyTrust to add its tool to the vSphere stack.

A lot of companies are trying to implement two-person approval on big changes to virtual infrastructure through company policies, but Chui says it is much easier and obviously more effective (knowing the nature of people, who make mistakes or get irrational sometimes) to automate this in software.

The HyTrust appliance itself runs inside of an ESXi virtual machine, often on the same physical box that runs the vCenter management console for ESXi, and it intercepts all inbound and outbound traffic from vCenter and creates audit reports for what people are doing as well as acting as a traffic cop, giving access control to specific VMs as well as hypervisor and console features.

The prior HyTrust 2.5 appliance had object-based and role-based access controls for virty infrastructure, and now with HyTrust 3.0, the appliance is getting secondary approval workflows to make sure no one can go rogue. HyTrust Appliance 3.0 is also getting enhancements that let it secure multi-tenant clouds by beefing up virtual network segmentation.

The update also has a new labeling scheme that wraps around VMs and their applications and resources to keep admins from one part of a cloud from gaining access to another part of a cloud where they don't belong.

HyTrust Appliance 3.0 was developed against VMware's new ESXi 5.1 hypervisor, but has not been certified against it yet since that code is not shipping at the moment. A couple of months after the vSphere 5.1 stack has been in the field, HyTrust will roll out official support for ESXi 5.1. At the moment, HyTrust Appliance 3.0 can run against ESX 3.5, 4.0, 4.1, and 5.0 hypervisors in either the ESXi or ESX Server editions. (ESX Server, which embedded a management console inside the hypervisor, was discontinued with the 5.0 release.)

HyTrust no longer sells hardware appliances and only offers its code inside of a VM as a software appliance. The Community Edition is a full-featured compliance and access control freak but it is limited to a maximum of three ESX host systems.

The Enterprise Edition has no host limit and costs $750 per socket for a perpetual license, on top of which you pay for annual maintenance and tech support. The HyTrust console can run independently of vCenter, but there is a plug-in if you want to invoke HyTrust from within vCenter.

Chui tells El Reg that HyTrust is looking at supporting other server virtualization hypervisors as well as public clouds that sport non-VMware hypervisors as well as custom control freakage for future releases, but has made no commitment to offer such support at this time. This stands to reason with VMware providing about half of HyTrust's customer leads.

And a new partnership with the Virtual Computing Environment partnership between Cisco Systems and EMC similarly makes sense. "About 25 per cent of our pipeline is companies buying Vblocks," says Chui, "and they are usually large enterprises that are trying to take the build out of plan, build, and run as they stand up clouds."

Under the partnership with VCE, HyTrust is VCE's only go-to-market partner for access control and compliance auditing for Vblock clouds running VMware's ESXi hypervisor.

The HyTrust appliance knows how to integrate with Cisco's Unified Computing System modular systems and its on-board UCS Manager control freak as well as Nexus switches (physical or virtual), ESXi hypervisors and virtual switches, and MDS switches linking out to EMC storage arrays.

Vblocks are preconfigured stacks of Cisco and EMC hardware sold and supported by the VCE collective. At the moment, HyTrust is certified to work with Vblock Series 300 and Series 700 clouds. ®


Other stories you might like

  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading
  • China-linked Twisted Panda caught spying on Russian defense R&D
    Because Beijing isn't above covert ops to accomplish its five-year goals

    Chinese cyberspies targeted two Russian defense institutes and possibly another research facility in Belarus, according to Check Point Research.

    The new campaign, dubbed Twisted Panda, is part of a larger, state-sponsored espionage operation that has been ongoing for several months, if not nearly a year, according to the security shop.

    In a technical analysis, the researchers detail the various malicious stages and payloads of the campaign that used sanctions-related phishing emails to attack Russian entities, which are part of the state-owned defense conglomerate Rostec Corporation.

    Continue reading
  • FTC signals crackdown on ed-tech harvesting kid's data
    Trade watchdog, and President, reminds that COPPA can ban ya

    The US Federal Trade Commission on Thursday said it intends to take action against educational technology companies that unlawfully collect data from children using online educational services.

    In a policy statement, the agency said, "Children should not have to needlessly hand over their data and forfeit their privacy in order to do their schoolwork or participate in remote learning, especially given the wide and increasing adoption of ed tech tools."

    The agency says it will scrutinize educational service providers to ensure that they are meeting their legal obligations under COPPA, the Children's Online Privacy Protection Act.

    Continue reading
  • Mysterious firm seeks to buy majority stake in Arm China
    Chinese joint venture's ousted CEO tries to hang on - who will get control?

    The saga surrounding Arm's joint venture in China just took another intriguing turn: a mysterious firm named Lotcap Group claims it has signed a letter of intent to buy a 51 percent stake in Arm China from existing investors in the country.

    In a Chinese-language press release posted Wednesday, Lotcap said it has formed a subsidiary, Lotcap Fund, to buy a majority stake in the joint venture. However, reporting by one newspaper suggested that the investment firm still needs the approval of one significant investor to gain 51 percent control of Arm China.

    The development comes a couple of weeks after Arm China said that its former CEO, Allen Wu, was refusing once again to step down from his position, despite the company's board voting in late April to replace Wu with two co-chief executives. SoftBank Group, which owns 49 percent of the Chinese venture, has been trying to unentangle Arm China from Wu as the Japanese tech investment giant plans for an initial public offering of the British parent company.

    Continue reading
  • SmartNICs power the cloud, are enterprise datacenters next?
    High pricing, lack of software make smartNICs a tough sell, despite offload potential

    SmartNICs have the potential to accelerate enterprise workloads, but don't expect to see them bring hyperscale-class efficiency to most datacenters anytime soon, ZK Research's Zeus Kerravala told The Register.

    SmartNICs are widely deployed in cloud and hyperscale datacenters as a means to offload input/output (I/O) intensive network, security, and storage operations from the CPU, freeing it up to run revenue generating tenant workloads. Some more advanced chips even offload the hypervisor to further separate the infrastructure management layer from the rest of the server.

    Despite relative success in the cloud and a flurry of innovation from the still-limited vendor SmartNIC ecosystem, including Mellanox (Nvidia), Intel, Marvell, and Xilinx (AMD), Kerravala argues that the use cases for enterprise datacenters are unlikely to resemble those of the major hyperscalers, at least in the near term.

    Continue reading

Biting the hand that feeds IT © 1998–2022