HyTrust released version 3.5 of their virtualization security proxy and compliance tool. This tool is core to a growing ecosystem of partners and systems. HyTrust has also expanded its role within the secure hybrid cloud by covering more of what is traditionally part of the data center. HyTrust is a proxy that sits between an administrator and sensitive systems by providing both advanced role-based access controls and advanced logging. With HyTrust fronting your VMware vSphere environment, HP ILO, Cisco UCS UIM, and Nexus Switches, administrators gain a fine-grained level of control over actions, improved logging in these environments, and the ability to vault critical passwords. With HyTrust there is no need to share passwords, but there is a need for robust control of an Active Directory environment.It is becoming more and more obvious that Identity is a big deal in the secure hybrid cloud, but not only identity but also understanding what people are doing using their multiple identities. Yes, all users may have a single login, but they may be coming from multiples devices, virtual or physical desktops, locations, through VPNs, etc. Each of these elements are an aspect of an identity context. For tools like HyTrust to work properly there must be a good source of identity within an environment, and unfortunately, that source is today very limited to mainly Active Directory.
Understand Identity
In large organizations Active Directory contains a multitude of groups that could adversely impact who has access to the critical components of an infrastructure. Just because a user is in a group without rights to these tools, does not imply they are not inside other groups that do have access to the tools. This is why a crucial part of implementing any security proxy such as HyTrust, which makes use of Active Directory, is to first go through your Active Directory environment for all virtualization, cloud, security, and other administrators and ensure the concept of least privilege, not just based on users and groups, but groups within groups, etc.
Secure Hybrid Cloud
In the secure hybrid cloud, however, Hytrust falls in three possible areas depending on what it is fronting, and what it will front in the future.
There are three parts to our secure hybrid cloud that are of interest:
- Transition – The transitional component of a secure hybrid cloud contains all those items that either allow access to or move data between multiple cloud instances, between those clouds and a data center or centers, and between the end-user computing device and clouds and data centers. The transitional component is fairly fluid, yet traditional security approaches can play within this arena, if the transition is contained within a controlled area. Unfortunately, that may not actually be the case. Check out these other posts:
- Cloud – The cloud includes all those places outside our immediate control where data could end up or be taken from. In some cases, it is even used to further our transitional goals. This is where APIs tend to live. However, the chances of adding traditional security into this aspect of the secure hybrid cloud are generally low without great expense (and the fact that you will end up in a managed hosted environment over a cloud). Check out this other post:
- Data Center – The data center is generally within our control and could be a private cloud or just a collection of virtual and physical machines. The data center may transfer data between multiple data centers or back and forth to the cloud. Within the data center, which is generally under our control, we can attempt to add in traditional security approaches. Check out these other posts:
In addition, the data center is really the underlying components of any cloud, which makes this a circular diagram of sorts, and depending on how it is being viewed, it describes either normal tenants or cloud service providers.
HyTrust in the Secure Hybrid Cloud
HyTrust falls within the data center in its traditional role as a security proxy within the management tenancy/virtual data center/security zone (Mgmt VDC in figure 1), possibly within the gateway between traditional and hosted or even cloud-based virtual data centers (Gateways/APIs in figure 1), and depending on how the cloud is assembled, within the IaaS component of the the secure hybrid cloud. HyTrust is part of a growing number of partnerships, the center of their own ecosystem, so to speak, as you can see from Figure 2.
HyTrust itself can apply multi-factor authentication via CA and RSA tools into the environments it front ends (VMware, Cisco, VCE, HP, and Dell) while working with its technology partners to improve overall security for administrators. This is the key to HyTrust; they provide enhanced security, logging, and compliance around administrative access. Yet, HyTrust does not solve the delegate user problem directly. They do provide a useful link into its solution, however, by aggregating all access to vCenter or a vSphere host through one interface (depending on implementation). This will help in correlating actions based on time.
Concluding Thoughts
We have seen HyTrust grow from handing just VMware products to being a large cog in many solutions. Actually, there has not been a reference architecture that does not include them in some way. While HyTrust focuses primarily on the administrative controls, there is quite a bit of potential to apply the technology to other aspects of the environment. Their nearest apparent competitor is actually not a competitor but works right alongside HyTrust to ensure proper access to all resources within a virtual environment.
They are making a big splash at the moment, but they have always had very interesting and extremely powerful technology. I believe their ecosystem will grow as their product grows. Do you use HyTrust today? If so, what aspects do you use regularly?