The Challenge
By sharing application, compute and network resources in a virtual or cloud environment, business unit’s and cloud service providers (CSP) can boost IT speed and efficiency, business agility, resource utilization, and profitability. That’s a given. But to achieve these benefits without taking on unmitigated risks, cloud tenants’ critical applications and confidential data must be as secure and compliant as they have been in the traditional data center. In particular, every tenant’s workload must be completely isolated from every other tenant’s workloads and administrators.
Putting air gaps between servers and network segments was once an effective way of isolating critical applications but today “air gapping’ just doesn’t make sense. The poor resource utilization rate would be enough to take a huge bite out of a private cloud ROI. The economics of cloud require highly efficient logical segmentation and isolation of tenant workloads.
For organizations to effectively isolate their workloads they need to:
- Prevent unauthorized communication between one cloud tenant’s VMs and virtual networks and any other tenant’s resources
- Prevent a privileged user from either exposing their workloads to others (accidentally or intentionally) or gaining unauthorized access to another tenant’s workloads
- Log all virtual administrator activity per tenant to ensure compliance
Effective Isolation and Workload Security in the Multi-tenant Cloud
The HyTrust Cloud Security Policy Framework makes secure multi-tenancy possible by enforcing access controls and encryption policies for virtual and cloud infrastructure, effectively segmenting cloud deployments and securely isolating each tenant’s critical applications and data.
The key capabilities that strengthen multi-tenant deployments include privileged admin access policy implementation and enforcement, detailed logging and analysis of privileged admin account actions (both allowed and denied) and workload boundary enforcement which permits the decryption of data only when launched specifically on trusted hardware (Intel TXT®) or against predefined software labels.
With HyTrust’s workload boundary enforcement capabilities – enterprises and government agencies have the ability to tightly define where workloads are allowed to run, protecting against unauthorized replication and running of sensitive workloads on unauthorized hosts.
Learn more about how HyTrust can help your organization:
- Prevent unauthorized communications between or access to workloads that require trusted segmentation
- Enforce data policy based on software labels or physical hardware using Intel TXT
- Monitor and log all privileged user approved and denied actions per tenant for faster incident response