Name: HyTrust DataControl
Description: Cloud security automation through encryption.
Price: Based on number of virtual machines and term of service – includes encryption and key server cluster for high availability.
SC Labs Reviews
Reviews from our expert team
The silver bullet of data security is encryption. Simple, right? Not so fast…there are several issues, especially in a virtual environment, that make that simple statement a little more difficult in practice. One of those – the so-called 800-pound gorilla in the room – is key management. Without getting too far ahead of ourselves, that is where HyTrust DataControl shines.
If you have data in a public cloud, you immediately have challenges. First, you’re in a multi-tenant environment. No matter what your cloud vendor does there always is the chance that somehow someone will gain unauthorized access to your data. Second, there are things that go on in a virtual environment that require particular attention for encryption to work properly. Unfortunately, one of the solutions to the depredations of the virtual environment is to manage the systems manually.
The problem, among other things, is that data moves around in a virtual environment. VMware, for example, uses vMotion to balance virtual machine use of resources across the host cluster. If vMotion moves a VM with encrypted data on it, is the data still encrypted? Can it be decrypted easily? Can the VM in its new location access encryption keys? The key, if you’ll pardon the pun, is to focus on protecting the data instead of applying administrative controls. That way, if data finds itself somewhere it is not supposed to be – on a VM of another tenant in your cloud, for example – it still is protected.
Additionally, there is the matter of regulatory compliance. The virtualized environment is notoriously light on controls and audit trails. Data segmentation can be challenging and it’s hard to apply controls in a public cloud due to contractual restrictions. HyTrust has built a philosophy that is simple to state but not so simple to do. Its approach has three parts: operational simplicity; any app, any cloud; and security assurance.
Operational simplicity is achieved through centralizing administration, providing a full REST API and re-keying transparently. That last is pretty important since in order to be compliant with many regulatory requirements – and just plain good security practice – encryption keys need to be changed periodically. Doing this manually as an administration task is tedious and risky. Data can be lost permanently if re-keying fails.
Any app, any cloud means that the system is equally at home in public. Private or hybrid clouds really do not care whether the environment is Windows or Linux. It also is application agnostic so it is able to achieve application transparency – ensuring that it will work in just about any environment.
Security assurance is one of those terms that gets misused a lot. In this context it means that the system keeps all of the keys in the data center where they can be managed easily, and that the key server is high availability. It also assumes a multi-tenant environment and, thus, is completely role-based. This also means that virtual machines can be decommissioned or created on-the-fly, ensuring that data is safe whether in use or access revoked. None of this prevents secure data-sharing because using a key ID allows migration of data either within the virtual environment or into another managed environment.
Architecturally, DataControl consists of the data center where the key control policy server lives. This can be a virtual machine or a standalone piece of hardware. It generates, stores and issues keys and is the central point of administration. The policy agents reside on virtual machines in the cloud and encryption/decryption is performed as data is read or written to or from storage. Intel AES in hardware gives good performance.
The use of Intel TXT also allows management of where sensitive data is run, where virtual servers are located and where data is allowed to be decrypted by location. This materially reduces the risk of having sensitive data show up in unauthorized locations in cleartext.
Finally, all keys are zero knowledge. Even the administrator does not know the keys. They are known only to the system. This is a very nice piece of work. We have been watching HyTrust for some time and they just seem to get better and better. What’s on the menu for the rest of 2015? There are some interesting things on the near horizon.
One that really hits the public cloud is system drive encryption even with AWS. Another big one is encryption of the recovery partition in Windows, and one we really like, data sovereignty. That means that you can keep your data where it is supposed to be. Organizations with offices around the world will appreciate this one. Privacy laws in Europe are stricter than in the U.S. So these companies do not want data in Europe that falls under EU privacy laws to be decrypted in the U.S. where laws are less rigid.
At a glance
Price Based on number of virtual machines and term of service – includes encryption and key server cluster for high availability.
What it does Cloud security automation through encryption.
What we liked Simplicity and transparency to the user while achieving a high degree of security.