HyTrust: An Elegant Solution To a Messy Problem
I had a pre-release briefing with the folks from HyTrust on Friday and was impressed with their solution. I had previously met with the VCs in whose portfolio HyTrust sits, and they were bullish on the team and its technology approach. Here’s why.
“Security” solutions in virtualized environments are becoming less about “pure” security functions like firewalls and IDP and much more focused on increasing the management and visibility of virtualization and keeping pace with the velocity of change, configuration control and compliance. I’ve talked about that a lot recently.
HyTrust approaches this problem in a very elegant manner. Their approach is based on the old adage “you cannot manage that which you cannot see.”
In the case of VMware, there are numerous vectors for managing and configuring the platform: from the various host and platform management interfaces to the guests and the virtual networking components.
There are many tools on the market which address these issues. Reflex, Third Brigade and Catbird come to mind, with the latter being the most similar.
The difference between HyTrust and its competitors is how the solution is integrated to provide visibility and protect the management network.
HyTrust’s answer is to sit both physically and logically in front of the virtualization platform’s management network and actually proxy each configuration request, whether that is an SSH session to the service console or a VirtualCenter configuration change made through the GUI.
Each proxied request is mapped to a role, and roles are authenticated against the enterprise’s Active Directory service, so fine-grained, template-based, role-based access to specific functions can be enforced. Further, since every request is proxied, logging is robust and every action can be mapped back directly to a single named user.
The policy engine and templates appear quite easy to use given the demo I saw and the logging and reporting looks good.
Actions that violate policy can be allowed or denied, and a violation can either be simply logged or actively remediated.
This centralized approach is very elegant. It has its downsides, of course: the proxy becomes a single point of failure and a chokepoint for every management action, so performance and high availability need close attention, and it only governs the traffic that actually passes through it, so any direct path to the hosts that bypasses the proxy still has to be closed off at the network.
The HyTrust offering will be available as both a hardware appliance and a virtual appliance. They will also release what they call a FREE “Community Edition”, a full-featured version limited to securing three VMware ESX hosts.
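To make the proxy-and-RBAC design described above concrete, here is a small model of it in Python. It is an added illustration written for this post, not HyTrust’s code, and everything in it is assumed: the directory group names, the roles and their templates, the way service-console commands are normalized into the same operation vocabulary as VirtualCenter calls, and the enforce-versus-monitor switch. What it shows is the two properties the design rests on: every request is decided against a role resolved from the user’s directory membership, and every decision, allowed or not, lands in an audit record tied to that named user.

```python
"""Toy model of a management-plane proxy with directory-backed RBAC.

Added example for illustration only; not HyTrust code. Every name here
(directory groups, roles, templates, command mappings) is an assumption.
"""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed stand-in for an Active Directory lookup: user -> group DNs.
DIRECTORY_GROUPS: Dict[str, List[str]] = {
    "alice": ["CN=VI-Admins,OU=Groups,DC=corp,DC=example"],
    "bob": ["CN=VM-Operators,OU=Groups,DC=corp,DC=example"],
    "eve": [],  # authenticates fine but belongs to no entitled group
}

# Assumed mapping of directory groups to proxy roles.
GROUP_TO_ROLE: Dict[str, str] = {
    "CN=VI-Admins,OU=Groups,DC=corp,DC=example": "vi_admin",
    "CN=VM-Operators,OU=Groups,DC=corp,DC=example": "vm_operator",
}

# Assumed role templates: operations a role may perform, and on which
# hosts (shell-style patterns; "*" matches anything).
ROLE_TEMPLATES: Dict[str, Dict[str, Set[str]]] = {
    "vi_admin": {"ops": {"*"}, "targets": {"*"}},
    "vm_operator": {
        "ops": {"vm.powerOn", "vm.powerOff", "vm.reset"},
        "targets": {"esx-prod-*"},
    },
}


@dataclass
class MgmtRequest:
    user: str    # identity the proxy authenticated against the directory
    vector: str  # "ssh" (service console) or "vc" (VirtualCenter GUI/API)
    target: str  # ESX host the request is directed at
    raw: str     # command line or API operation as seen by the proxy


@dataclass
class AuditRecord:
    user: str
    roles: List[str]
    op: str
    target: str
    decision: str  # "allow", "deny", or "log" (violation passed in monitor mode)


def resolve_roles(user: str) -> List[str]:
    """Directory group membership -> proxy roles (sorted for stable output)."""
    groups = DIRECTORY_GROUPS.get(user, [])
    return sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})


def normalize(req: MgmtRequest) -> str:
    """Reduce both vectors to one operation vocabulary so a single template
    covers a GUI click and the equivalent service-console command."""
    if req.vector == "vc":
        return req.raw  # VirtualCenter calls already name the operation
    tokens = req.raw.split()
    if not tokens:
        return "shell.other"
    # Assumed mapping for the ESX console: 'vmware-cmd <vmx> <action>'
    if tokens[0] == "vmware-cmd" and len(tokens) >= 3:
        return {"start": "vm.powerOn", "stop": "vm.powerOff",
                "reset": "vm.reset"}.get(tokens[2], "vm.other")
    if tokens[0].startswith("esxcfg-"):  # host/network configuration tools
        return "host.configure"
    return "shell.other"


def permitted(roles: List[str], op: str, target: str) -> bool:
    """True if any of the user's role templates grants op on target."""
    for role in roles:
        tmpl = ROLE_TEMPLATES[role]
        op_ok = "*" in tmpl["ops"] or op in tmpl["ops"]
        target_ok = any(fnmatch.fnmatchcase(target, p) for p in tmpl["targets"])
        if op_ok and target_ok:
            return True
    return False


class PolicyProxy:
    """Sits in front of the management network and decides every request."""

    def __init__(self, enforce: bool = True) -> None:
        self.enforce = enforce  # False = monitor mode: violations logged only
        self.audit: List[AuditRecord] = []

    def handle(self, req: MgmtRequest) -> str:
        roles = resolve_roles(req.user)
        op = normalize(req)
        if permitted(roles, op, req.target):
            decision = "allow"
        else:
            decision = "deny" if self.enforce else "log"
        # Every request, allowed or not, is attributed to the named user.
        self.audit.append(AuditRecord(req.user, roles, op, req.target, decision))
        return decision


if __name__ == "__main__":
    proxy = PolicyProxy()
    for r in (
        MgmtRequest("alice", "vc", "esx-lab-01", "host.reconfigureNetwork"),
        MgmtRequest("bob", "ssh", "esx-prod-07",
                    "vmware-cmd /vmfs/volumes/ds1/web01/web01.vmx start"),
        MgmtRequest("bob", "ssh", "esx-prod-07", "esxcfg-vswitch -a vSwitch2"),
        MgmtRequest("eve", "vc", "esx-prod-07", "vm.powerOn"),
    ):
        print(proxy.handle(r), proxy.audit[-1])
```

Run stand-alone, it prints one decision and one audit record per request. The point to notice is bob’s `esxcfg-vswitch` line: his console session was authenticated, yet the command is refused, because the proxy decides per operation rather than per session, which is what proxying buys over simply gating who may log in. With `PolicyProxy(enforce=False)` the same violation is recorded as "log" and passed through, the "simply logged" option mentioned above.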
Check them out here.
/Hoff
Hoff,
"'Security' solutions in virtualized environments are becoming less about 'pure' security functions like firewalls and IDP and much more focused on increasing the management and visibility of virtualization and keeping pace with the velocity of change, configuration control and compliance."
I think you can generalize that for all environments, not only virtualized environments. Today, in terms of security, it makes much more sense to invest in management and visibility than on additional layers of controls (complexity, cost and their own share of vulnerabilities). That's all about reducing blind spots and having the ability to consistently manage security settings and REACT FASTER (that's for Rothman :-)).
Chris,
once again, you grope in that mud of "buy this and you'll be [at least a little bit more] secure".
Adding another component to a game that already suffers from too much complexity and from shortage of operational resources – and you and I know these are the main contributing factors to "virtualization insecurity" – will not help security… but add complexity and, well, increase the shortage of operational resources (I don't have to explain why, do I?).
What about just doing the homework in the first place? I recently did some consulting work in a US$ 40 bn revenue organization with about 4K virtualized servers (on ESX). It turned out the mgmt interfaces of most ESX hosts were accessible from the corporate network. What do you think… should they bring HyTrust (or some other $THE_LATEST_BEST_OF_BREED_VIRT_SECURITY_MAGIC_BOX) in?
thanks,
Enno
btw: I'm not particularly averse to HyTrust (in fact I know nothing about the product). Still, I stumbled upon some nice marketing on their website: "HyTrust makes virtual infrastructure as operationally ready as physical infrastructure." Well, that _was a good one_ …
@Enno Rey
Enno, clearly I'd love for people to do The Right Thing™ but that's simply not the reality, as most of your presentations and speaking engagements clearly show. If they did, you'd be out of business.
I'm giving people an opportunity to consider using a tool (as I often do) to help them make a little forward progress. Yes, it treats the symptom and not the cause, but so does a bandage and I'd rather have one of those than bleed to death.
I didn't tell people to buy it, I simply suggested that given the problem, it's an elegant solution.
If you'd be kind enough to package up common sense, due diligence and proper security, give me a SKU and a price, I'll sell the shit out of it. 😉
/Hoff
@beaker – thanks for the post on this new tool. Agree that tools are just one leg of the chair (other 2 being people and process) but you do need all three to work together and provide CIA for your data and applications.
@enno – You said "It turned out the mgmt interfaces of most ESX hosts were accessible from the corporate network…"
Turns out this is exactly one of the areas the HyTrust Appliance can help. 4000 VMs probably means at least ~100 ESX hosts. You can drop in this device with minimal effort and control access (changes) to those hosts.
The decision to allow corporate access to the management interfaces is typically made due to a lack of flexibility in the current firewall or core network security. What percentage of clients have ACLs hard coded in their core gateway devices or route all inter-vlan through a firewall?
The virtual appliance model fits well into that environment.
Does this solution tap into other directories (LDAP?) if necessary?
Man,
that's "a real Hoff" here ;-): put together some apocalyptic pictures ("bleed to death"), mix in personal pieces, plus a little bit of irony as icing on the cake.
Problem is, you just overlook two things.
> I’m giving people an opportunity to consider using a tool (as I often do) to help them make a little forward progress.
to quote one of your perfectly chosen phrases: that's simply not the reality.
Bringing additional tools/stuff/complexity in does _not_ mean progress, in most environments.
And talking about bandages and bleeding, I may be allowed to cite a post from some mailing list some time ago:
"Borrowing an analogy from Engines of Creation: We're on a sinking ship that has been kept afloat by a vigorous bailing process. Early on, some people expressed an interest in actually fixing the holes. But these efforts were not immediately successful, and most of those folks went on to other things. Now, the holes have gotten bigger, the bailing is less effective, and the ship is carrying a lot more valuable cargo. But there are a lot more people bailing, they are well paid, and hardly anyone believes any alternative is possible. After all, bailing is what's worked so far."
Nothing to add here… feel free to go on with bandages, bailing or more tools. Please, just don't call it progress.
thanks,
Enno
@Enno Rey
I can't debate not doing things properly; there's nothing much that you or I can do to fix that.
But there's really three options:
1) Be bitter, yell at the world about being silly and do nothing, or
2) Try and change the world, reminding all concerned of the need for doing things right (bring aspirin)
3) Use a tool to clean things up a little.
You keep using the word 'complexity.' What's complex about this? In fact, if you look at Iben's example above, one could suggest it actually helps simplify things; using templated/standardized role-based access controls to management functions and centralizing access/authorization/access with logging and entitlement instead of dealing with 5+ different vectors.
So, assuming things are as they are, if we're not going to fix human behavior but I have a tool available to make things better, your advice is that we should NOT use the tool?
Do me a favor and answer that last question without getting cute since we're both big boys.
/Hoff
Big boy,
your question to be answered contains three assumptions (two declared as such, one implicit):
a) "things are as they are".
b) "we're not going to fix human behavior".
c) "a tool is available to make things better".
In short, my points are:
a) I believe in the general capability of humans to learn and evolve. I do not like the defeatist approach of telling (not only) infosec people "stuff is broken anyway, get over it." [and buy this tool as a cure].
I think we should at least try to understand why things are broken and how they could be done better. I'm convinced, we can do better. Yes, we can 😉
b) see above.
c) The tool (or others) won't make things better. It might even make things worse. As it's another waste of resources (which are sparse anyway) on the wrong end.
And this valuation is based on 10+ years infosec work in mainly 100+K user environments.
thanks,
Enno