
2013 Industry Innovators: Virtualization and cloud security

This is the poster child for today's networks. When we talk about the cloud, we need to realize that the concept of the cloud is a business, not a technical, construct. Were it not for virtualization, the cloud could not, on a practical level, exist. So it is entirely appropriate that we include cloud and virtualization security in this group. If there ever was a market segment where innovation rules the day, this one is it.

The two Innovators in this group are key players in the emerging notion of the software data center. One of the big challenges in virtualization and, indeed, cloud security, is the idea of a management layer. We always have had a management layer and, over the years, we have defined it differently from the operational perspective. Typically, though, it may be thought of as an out-of-band network that is dedicated to system management tools and tasks. That concept sort of works when speaking of the virtual, but the virtual network environment is far more complicated than the traditional physical data center.

There are additional or new paradigms at work here that preclude the traditional approach to managing the security of virtual networks. But for all of that, traditional methods are familiar, comfortable and, mostly these days, effective. So it falls to the purveyors of management layer tools for the software data center to retain the comfortable feel of the management layer while providing tools and techniques appropriate to the virtual. 

Both of our Innovators take an enlightened view of the management layer in the virtual and both have built their businesses around innovating at that layer. Tying their tools tightly to the popular virtual environments – whether the operating environment, such as VMware or the cloud environment, such as AWS (Amazon Web Services) – these Innovators have looked closely at what it takes to manage security in the software data center and addressed it directly.

We were impressed with both of these Innovators and it did not surprise us at all that one is a returning Innovator and the other the recipient of a First Look review. Both are well worth your attention.

HyTrust

AT A GLANCE

Vendor: HyTrust 

Flagship Product: HyTrust Appliance 

Cost: Enterprise pricing starts at $63,750 for a single data center site with 20 ESXi CPU sockets.

Innovation: Virtualization of the management plane controlling access to virtual assets.

Greatest Strength: Ability to allow a granular level of administration across the entire software data center while not interfering with the operational restrictions inherent in a cloud environment.

We looked at this Innovator back in March 2012. At that time, we saw it and its flagship product as emerging and we have been watching it ever since. HyTrust solves the problem of access control at the management plane in a software data center. Unlike a physical data center with locks on doors and racks (sometimes even on appliances themselves), a virtual data center must be protected virtually. That means figuring out who needs access to what – least privilege and access management – and how to enforce it. HyTrust is placed between the VM and the management plane of the software data center and decrees who has elevated access rights to what virtual devices and what they can do with those rights and devices.

Because the HyTrust product is, itself, a virtual appliance, it fits nicely into a cloud environment. Securing a cloud implementation is now practical and, from the perspective of compliance, credible. The cloud paradigm – with its business rather than technical construct – is not resistant to this form of system management. Part of what makes this work is HyTrust's unique patented tagging of virtual objects. Security, then, is based on the tags. This approach also enables reliable logging and, thus, credible compliance reporting.
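To make the two preceding paragraphs concrete, here is an added illustration (not HyTrust's code) of a tag-based policy enforcement point sitting in front of a management plane: every virtual object carries tags, rules grant a role specific operations on objects with a given tag, anything not explicitly granted is denied, and every decision is written to an audit record. The object names, tags, roles and rules are constructed assumptions.

```python
# Added illustration (not HyTrust code): a minimal tag-based policy
# enforcement point for a virtualization management plane.
# Tags, roles, rules and the audit format are all constructed assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VirtualObject:
    name: str
    tags: frozenset          # e.g. {"pci", "prod"}


@dataclass(frozen=True)
class Rule:
    role: str
    tag: str                 # rule applies to objects carrying this tag
    operations: frozenset    # operations the role may perform on them


@dataclass
class PolicyEngine:
    rules: list
    audit: list = field(default_factory=list)

    def authorize(self, user: str, role: str, obj: VirtualObject, op: str) -> bool:
        """Default deny: allow only if some rule for the caller's role covers
        one of the object's tags and lists the requested operation."""
        allowed = any(r.role == role and r.tag in obj.tags and op in r.operations
                      for r in self.rules)
        # Log every decision, allowed or denied, so compliance reporting is
        # built from the same record that enforcement produced.
        self.audit.append({"user": user, "role": role, "object": obj.name,
                           "op": op, "decision": "ALLOW" if allowed else "DENY"})
        return allowed


# Constructed sample inventory: a tagged PCI database VM and a dev web VM.
DB01 = VirtualObject("db01", frozenset({"pci", "prod"}))
WEB_DEV = VirtualObject("web-dev", frozenset({"dev"}))


def build_demo_engine() -> PolicyEngine:
    """Constructed rule set: dev admins get full control of dev-tagged VMs;
    PCI admins may only power-cycle PCI-tagged VMs (no snapshots of card data)."""
    return PolicyEngine(rules=[
        Rule("vm_admin", "dev", frozenset({"power_on", "power_off", "snapshot"})),
        Rule("pci_admin", "pci", frozenset({"power_on", "power_off"})),
    ])
```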

Looking at the core concept behind this Innovator's product, one notes that carving up superuser access is not particularly new in the physical world. However, it is difficult to do in the virtual because the virtual environment is inherently open, usually sitting on a single bus. That bus allows the movement of resources around the virtual data center, makes virtual switching possible and ensures reliable connections to storage and network resources.

The strength of this product is its ability to allow a granular level of administration across the software data center while not interfering with the operational restrictions inherent in a cloud environment. And that is an important benefit. That benefit comes from years of innovation and intellectual property development by the visionaries at this interesting Innovator.

Intigua

AT A GLANCE

Vendor: Intigua

Flagship Product: Intigua 2.0 

Cost: $125 per VM per year (subscription). 

Innovation: Intelligent, holistic virtualization of the management layer. 

Greatest Strength: Ability to evolve to support the rapidly evolving environment in which it plays.

This is the second year for creative and forward-looking Intigua. These folks have taken a unique approach to virtualizing the management layer in the virtualized environment or, the software data center. What we found interesting is that this Innovator has significantly evolved its original approach. Initially, the agenda was centralizing all of the agents that were involved in managing the virtual servers. The logic behind that was that agents on a single VM can collide, causing anything from performance hits to outright failure. More important, multiple agents on individual VMs take up valuable resources, impairing the operation of the VM even in the best case.

This year, it has extended this approach using containers that isolate the agents from the VM guest operating system while still allowing management of the VM and its security. The management tools' back ends are also addressed, so that the tools can be combined into a single console that executes one holistic policy across all of the agents. This gives a flexible deployment in which management requirements can be changed on the fly. For example, the suite of management tools for a given VM might differ when the VM is deployed to production from when it was in development or staging. At the same time, the isolation of the agent from the VM guest operating system remains in place, as before, protecting the VM from the consequences of multiple agent deployments.

Of course, compliance is, as always, a major consideration. The centralized management of disparate agents across a software data center enables credible, reliable reporting about security and other management functions. This means that anything newly provisioned is caught and brought into the system, ensuring that reality comports with policy, and that all of this happens in real time.

While VMware was the big push last year, Intigua is moving into other areas, especially the cloud, with support for AWS. This is a big deal because the cloud is not a technology. Rather, it is a business construct. That business construct can be problematic for software data center management, especially security management. While the technology may be solid, fitting into the constraints that cloud providers impose can be challenging. Intigua 2.0 addresses the cloud paradigm with the same creative finesse that it addresses the virtual technology. Problem solved.
