Last week HyTrust announced the launch of HyTrust CloudAdvisor Version 2.2.1 (HTCA 2.2.1) which provides further integration with HyTrust DataControl (HTDC) and HyTrust CloudControl (HTCC). More specifically, the new version supports the ability to:
- Automatically encrypt VMs using HyTrust DataControl when sensitive data is detected
- Analyze and monitor VMs encrypted by HyTrust DataControl
- Label VMs in HyTrust CloudControl when sensitive data is detected
This allows you to build a policy such as:
When you find VMs containing PCI data, encrypt them and tag them. Then match my HTCC policy which says that PCI VMs can only be run on designated hosts (using HyTrust BoundaryControl) and require secondary approval for operations such as shutting down or deleting these VMs
To understand how this works consider the following figure:
- HTDC encrypts VMs using vSphere encryption, VSAN encryption or through the use of the HyTrust Policy Agent, a component that resides inside VMs and allows encryption of any device including Windows C: drives, Linux root disks and swap/paging files. In this figure, the red VMs are under control of HTDC and have a Policy Agent installed and registered with KeyControl.
- HTCC provides visibility into all VMs in vSphere, controls administrative actions, provides hypervisor hardening, ESXi host and hypervisor trust attestation, allows for VMs and ESXi servers to be tagged and policy decisions to be made based on these tags plus administrative actions.
- HTCA enables you to define policies to automatically discover the data that’s valuable to you, detect anomalous user access behaviors, and defend your organization against careless exposure, data loss, malicious users, and regulatory noncompliance.
When CloudAdvisor is about to analyze the files on a VM, it creates a Discovery Point using the data in a VMware snapshot or a Veeam Backup and Replication backup file. The Discovery Point contains information about:
- File operations (such as read, write,and delete), along with the users that performed those operations
- Filesystem information such as file size and owner
- File content, such as:
- Words contained in the document
- Sensitive information such as social security numbers and credit card numbers
- Internal metadata such as bit rate and document title
In order to know what to do with this information, an HTCA Insight Policy must be created. An Insight Policy can be applied to one or more VMs. When VMs are being analyzed, HTCA uses the Insight Policy to determine what to do based on the information it finds.
Now let’s assume that HTCA is analyzing the unencrypted VM called “VM-A”. If you have created a content-based Insight Policy and specified the “Encrypt data using DataControl” option, and when content is found that matches the patternsspecified in the Insight Policy, the VM will be automatically encrypted. To achieve this, HTCA inserts the Policy Agent into the running VM, registers it with KeyControl and then encrypts the disks where the sensitive data was found (it now becomes a red VM under control of HTDC). Furthermore, if you enable the “Label VM in CloudControl” option as part of the Insight Policy, the specified tags will be added to the VM in vSphere using HTCC. Once these operations are complete:
- Further inspection of the VM will continue to take place even though it’s encrypted. HTCA communicates securely with KeyControl in order to fetch the right encryption keys for the encrypted devices that it wants to read.
- Any policies within HTCC that utilize the specified tags will be adhered to (for example, don’t shutdown or delete a “PCI” VM without secondary approval or make sure “PCI” VMs run in the designated PCI boundary)
HyTrust products provide security policies for your vitalization and cloud-based infrastructure. With HyTrust CloudAdvisor, HyTrust now lets you apply security polices right down into the contents of the files within each VM, to be sure your policies are right-sized with respect to the data they are meant to protect. This allows security to be applied intelligently and automatically to your virtual environment.
For further information about HyTrust CloudAdvisor, or to request a 30-day trial, follow this link.