The document discusses how virtualizing more workloads improves efficiency but also increases security and compliance risks. It argues that the "4 must haves" of access control, audit logs, authentication, and platform integrity are needed to virtualize mission-critical applications. The HyTrust product is presented as filling gaps in virtualization platforms to provide these essential security capabilities and enable organizations to virtualize more workloads while maintaining compliance. Case studies of the State of Michigan and University of California deploying HyTrust to virtualize more applications are also discussed.

1. Virtualize More While Improving Your Cybersecurity Risk
Posture – The “4 Must Haves” of Virtualization Security
For State, Local, and Education
Eric Pankau – Director, Government, Carahsoft
Eric Chiu – Founder & President, HyTrust
Curtis Salinas – Technical Account Manager, HyTrust
© 2012, HyTrust, Inc. www.hytrust.com 1975 W. El Camino Real, Suite 203, Mountain View, CA 94040 Phone: 650-681-8100 / email: info@hytrust.com
1

2. Data Center Evolution in the Public Sector
EXTERNAL TRANSFORMATIVE MOVING
FACTORS EVENTS FORWARD
Cost cutting Virtualization “1st 50%” Virtualization “next 50%”
Compliance Converged Maximum utilization
infrastructure
APTs Multi-tenancy
Private clouds
Decreasing time-to- IT self-service
breach Data center
consolidation Maintaining compliance
Increasing partner
access to data center Data center automation Maintaining governance
Key trend: pressure for cost cutting driving data center
efficiency initiatives, including increased virtualization
© 2012, HyTrust, Inc. www.hytrust.com 2

3. Security and Compliance Key to Virtualizing “the Next 50%”
Enterprise Platform Discussion
Extensive Production  Tier 3/4 workloads
now mostly virtualized
Mission-Critical Workloads  Tier 1/2 workloads
have higher security,
Limited Production
compliance needs
 Virtualization platform
Develop/Test
provides OK security
for non-critical apps
 Purpose-built solutions
needed for mission
critical workloads
Non-Compliant Limited Compliance Compliant Best-Practice
Plans to virtualize Tier 1 workloads have exposed
gaps in platform security and compliance
© 2012, HyTrust, Inc. www.hytrust.com 3

4. Gaps in Platform Support for Tier 1 Workloads
Breach Prevention
Audit Support
Stopping Human Error
© 2012, HyTrust, Inc. www.hytrust.com 4

5. Privilege Misuse Can Have Huge Business Impact
Percentage of security breaches due to
43% “trusted” insiders and business partners
— Forrester survey, June 2011
Percentage of execs who say their most
56% serious fraud was due to a privileged user
— PricewaterhouseCoopers, Wall Street Journal, April 2012
Percentage of outages and availability/
50-80% performance problems related to misconfiguration
— Gartner (>50%), Enterprise Management Assoc. (60%), IT Process Institute (80%), 2005-12
© 2012, HyTrust, Inc. www.hytrust.com 5

6. Privilege Misuse Can Have Huge Business Impact
Percentage of security breaches due to
Shionogi & Co:
43% $3.2B pharmaceutical company business partners
“trusted” insiders and
— Forrester survey, June 2011
Laid off IT admin:
• Logged in remotely to vSphere from
McDonald’s WIFI of execs who say their most
Percentage
56% serious fraud was due to a privileged user
• Deleted 88 virtual production servers
— PricewaterhouseCoopers, Wall Street Journal, April 2012
• Took down email, order entry, payroll,
BlackBerry, & other services
Percentage of outages and availability/
• Caused $800K damage
50-80% performance problems related to misconfiguration
— Gartner (>50%), Enterprise Management Assoc. (60%), IT Process Institute (80%)
Enforceable access and configuration policies
are needed for safe Tier 1 virtualization
© 2012, HyTrust, Inc. www.hytrust.com 6

7. Keys to Virtual Infrastructure Security – “The 4 Must Haves”
Virtual
Infrastructure
HyTrust provides 2 required functions directly
and supports other 2 through partners
© 2012, HyTrust, Inc. www.hytrust.com 7

8. Expert Consensus on Virtualization Best Practices
• “Restrict and protect administrator access to the
virtualization solution.”
• “Secure each management interface”
• “Monitor and analyze logs at all layers of the
virtualization infrastructure”
• “Enforce least privilege and separation of duties”
• “It is critical that independent monitoring of all
activities be enforced”
• “Require multi-factor authentication for all
administrative functions.”
• “Administrative access to the hypervisor/VMM layer
must be tightly controlled”
* NIST SP 800-125: Guide to Security for Full Virtualization Technologies
** PCI-DSS 2.0 Information Supplement – Virtualization Security
*** Neil MacDonald, vice president and Gartner fellow
© 2012, HyTrust, Inc. www.hytrust.com 8

9. PCI DSS v2 Requirements Met by HyTrust
Requirement HyTrust Solution
2) Do not use vendor-  Password vault for generic/shared accounts (root/
supplied defaults for administrator)
system passwords and  Assessment against a configuration standard to verify
other system parameters. passwords have been changed
7) Restrict access to  Granular RBAC and label-based restricted access to
cardholder data by ESX/i, vCenter, VM console, Nexus 1000V, etc.
business need-to- know.  Authentication integrated with Active Directory groups
and roles
8) Assign a unique ID to  Root Password Vault (RPV) regulates access to
each person with privileged/shared accounts. Individuals are tracked with a
computer access. check-out/in process.
 Multi-factor authentication supported with RSA SecurID
and/or Smart Cards
10) Track and monitor all  Audit trail for all access regardless of method
access to network data  Detailed record of who did what, where, when and the
and apps and cardholder result (allowed or denied)
data.
 Logs sent to a central log repository
© 2012, HyTrust, Inc. www.hytrust.com
9

10. NIST Directives on Virtualization Security
“ Organizations should have the same security controls
in place for virtualized operating systems as they
have for the same operating systems running
”
directly on hardware.
“ Ensure that the hypervisor is properly secured.
”
“ Restrict and protect administrator access to the
virtualization solution.
The security of the entire virtual infrastructure relies on the security
of the virtualization management system that controls the
hypervisor and allows the operator to start guest OSs, create new
”
guest OS images, and perform other administrative actions.
Neither physical data center security controls nor the basic
controls provided by the virtualization platform were designed
to fulfill these requirements for FISMA compliance.
© 2012, HyTrust, Inc. www.hytrust.com 10

11. HyTrust Role in NIST/FISMA Compliance
 6 of 18 NIST 800-53 control families IDENTIFIER FAMILY
focus on controlling and tracking
infrastructure access or ensuring
configuration and system integrity
 Compliance in virtual environments
requires an approach that addresses
the distinct attributes of virtual
infrastructure access, configuration,
and system integrity
 HyTrust is purpose-built to control and
log access activity, ensure compliant
host configurations, and protect system
integrity in virtual environments
 HyTrust fills critical gaps in the
virtualization platform’s NIST/FISMA
Source: NIST Special Publication 800-53, Revision 3
compliance capabilities*
* Platform capabilities mentioned in this document are believed to be accurate as of April, 2012, and are subject to revision
© 2012, HyTrust, Inc. www.hytrust.com 11

12. HyTrust: Confidently Virtualize Critical Applications
Secures the hypervisor & virtual
infrastructure by closing platform gaps:
 Enforces consistent access and
authorization policies covering all
access methods
 Provides granular, user-specific,
audit-quality logs
 Enables strong, multi-factor
authentication
 Verifies platform integrity, ensuring
the hypervisor is hardened and the
virtual infrastructure is trusted
By filling the gaps in virtual infrastructure security and compliance, HyTrust
enables enterprises to virtualize more and improve business outcomes
© 2012, HyTrust, Inc. www.hytrust.com 12

13. Partnerships Magnify HyTrust Value
HyTrust is key "go to" HyTrust is part of CA HyTrust is the platform HyTrust provides
partner for vSphere ControlMinder for security solution - combined reporting
security and compliance Virtual Environments access control and with Trend's Deep
auditing - for vBlock Security product
HyTrust provides HyTrust reporting and HyTrust is part of Intel's HyTrust event reporting and
native integration with controls being integrated trusted cloud architecture TXT integration being
SecurID and enVision with Symantec CCS based on TXT integrated with McAfee ePO
© 2012, HyTrust, Inc. www.hytrust.com 13

14. Use Case: State of Michigan
Company: State Government with centralized IT supporting 17 agencies with
varied security requirements
Background: • 3 Data Centers with 70+ hosts and growing rapidly
• Running vSphere Active Directory & RSA SecurID
Issue: • Admin/user authentication and authorization
• PCI logging
• Hypervisor hardening
Benefit: • Enables customer to meet access requirements with seamless
RSA integration
• Provides audit-quality logs to meet PCI compliance
requirements
• Ensures a secure environment with documented, implemented
roles
© 2012, HyTrust, Inc. www.hytrust.com 14

15. Use Case: University of California
Company: UC Campus with centralized IT supporting 30 departments with
varied security requirements
Background: • Consolidation, growth, centralization goals
• Running vSphere Active Directory & RSA SecurID
Issue: • Admin/user authentication and authorization
• Lack of transparency
• Hypervisor hardening
Benefit: • Secure Access leveraging two-factor authentication
• Separation of duties with total visibility
• Mapped to regulatory templates
The HyTrust Appliance is the robust solution we need to offer
essential new capabilities to our growing customer base—
while enforcing policies and maintaining the utmost security.
University of California, Systems Administrator
© 2012, HyTrust, Inc. www.hytrust.com 15

16. Under the Hood: Typical VMware deploy (Router Mode)
VM Guest Traffic Subnet(s)
Enterprise
Clients vCenter
Authentication via
Active Directory, LDAP,
Corporate RSA SecurID
Network
VMware Management Subnet
Virtualization (ESXi Management VMkernels,
Management vCenter Server)
Clients
© 2012, HyTrust, Inc. www.hytrust.com 16

17. Under the Hood: Live Demo
© 2012, HyTrust, Inc. www.hytrust.com 17

18. Summarize: Virtualize More, With Confidence
 Virtualizing Tier 1 supports business goals through higher efficiency
 Pre-requisite: mitigate security and compliance risks to workloads
 HyTrust enforces access and configuration policies that mitigate risks
 By filling gaps in platform security and compliance, HyTrust enables
economic benefits of Tier 1 virtualization and private clouds
© 2012, HyTrust, Inc. www.hytrust.com 18

19. Thank You!
© 2012, HyTrust, Inc. www.hytrust.com 19

20. Resources Links
 HyTrust Community Edition and Video Demos
 http://www.hytrust.com/resources/product
 HyTrust Case Studies
 http://www.hytrust.com/resources/case-studies
 HyTrust Analyst Reports
 http://www.hytrust.com/resources/analyst-reports
© 2012, HyTrust, Inc. www.hytrust.com 20