HyTrust Offers VMware Hypervisors Security

A startup is bringing an appliance approach to stronger security measures for virtual machine operation. HyTrust officials claim its HyTrust Appliance can serve as a single point of security and control for a large number of VMware ESX hypervisors.

All requests for access to an ESX hypervisor can be routed through HyTrust as it sits on the network. They're logged and approved or disapproved based on user ID, authentication, and role-based policies. Through its integration with Microsoft Active Directory and other LDAP directories, HyTrust acts as an authentication proxy.

As an IT manager is authenticated to access a hypervisor, HyTrust enforces restrictions set by the manager's role. All actions taken on the hypervisor are logged in a manner that allows activity to be reconstructed for an audit or computer forensics.

VMware already supplies logging with its ESX Server hypervisor; its logging captures routine activities, but the logs are designed primarily for troubleshooting, not the who-did-what-and-when logging executed by HyTrust, HyTrust CEO Eric Chiu said. The latter can be used to establish compliance or noncompliance with a variety of regulations. "We are providing visibility on a par with what's been achieved in the physical infrastructure," said Chiu. The Mountain View, Calif., company has 21 employees and is located within a few miles of VMware's headquarters.

"What used to be a physical server is now a flat file," noted Chiu, and the set of virtualized files that makes up a VM can be quickly copied to another server halfway around the world, if security safeguards aren't in place.

Chiu said the Stanford Hospital and Clinics at Stanford University had been reluctant to virtualize their servers, because of HIPAA regulations requiring strict control of patient data. The HyTrust Appliance announcement quotes Michael Mucha, information security officer at the hospital, as saying that the HyTrust Appliance "means our virtual data center will ultimately be more secure than our physical one." With hypervisor security in place, virtualized servers can be "an enterprise computing platform worthy of the era of the electronic medical records," he said.

The appliance gives an organization virtualizing its data center servers a basis for claiming adequate policies and enforcement controls are in place to meet health care's HIPAA and Sarbanes-Oxley regulations and the credit card industry's PCI-DSS security standard, claimed Chiu.

He said a single appliance can manage traffic to three VMware Virtual Centers, a management console that supervises sets of VMware's ESX hypervisor. Each Virtual Center, now called vCenter, may have up to 200 ESX hypervisors.

The HyTrust Appliance is available immediately for ESX; support for Citrix Systems' XenServer will be added later this year. Support for Microsoft's Hyper-V is planned for 2010.

The appliance is priced on the basis of the number of protected ESX hosts. A license for a single two-CPU host is $1,000; the HyTrust Appliance as a physical device is $7,500. It's also available as a virtual appliance in software for $3,000.

InformationWeek has published an in-depth report on data center unification. Download the report here (registration required).