HYTRUST: SOLUTION BRIEF
HyTrust Logging: Simplify Virtualization Compliance by Filling Log Data Gaps
Summary
Compliance with PCI, HIPAA, FISMA, EU, and other regulations is as critical in virtualized
and private cloud environments as it is in the traditional data center. The VMware platform
provides some of the log data required to show compliance, but there are large logging gaps
– such as no unique user ID for every administrative operation and no records of denied
operations – that can only be filled with a purpose-built solution. HyTrust delivers this missing
log data while significantly improving virtual infrastructure controls. Enterprises can now
increase profitability by securely virtualizing workloads that must stay compliant.
HyTrust: Cloud Under Control
HyTrust has become the de facto standard for access control, logging, and policy
enforcement in VMware environments. By filling gaps in virtual infrastructure security and
compliance, HyTrust gives enterprises the assurance they need to virtualize their mission
critical applications, implement private clouds, pass security audits, and reap the financial
benefits of increased virtualization. HyTrust CloudControl™ enforces role-based and asset-based policies covering VMware privileged users, virtual resources, and management
interfaces. It also secures the vSphere platform and virtualized workloads by providing virtual
network segmentation; comprehensive, audit-quality access logs; strong authentication; and
virtual infrastructure hardening. HyTrust DataControl™ provides strong encryption and
integrated key management for virtual machines from the time they are created until they are
securely decommissioned.
Cloud Under Control™
YOUR CHALLENGE
Many enterprises have virtualized, or want to virtualize, workloads subject to compliance
requirements. The goal is to extend the operational benefits and cost savings they’ve
received from virtualizing lower tier workloads. However, IT organizations that worked hard to
make their data centers compliant are increasingly concerned about the potential for costly
audit failures or compliance violations in their virtual environments. In addition, they often
need to meet IT governance requirements, including passing internal audits, to get the
security affirmation needed to virtualize Tier 1 workloads.
At the same time, enterprises are realizing that virtualization platform on its own has security
and regulatory compliance limitations that can make virtualizing sensitive workloads a high
risk proposition. Some enterprises have already failed a security audit because of an unmet
requirement related to virtualization.
Many compliance challenges in the virtual environment involve authentication and access
control, which are primary requirements of most information security regulations. For
instance, PCI DSS v3.0 has a section titled “Implement Strong Access Control Measures”
with requirements categories “Restrict access to cardholder data by business need to know”
(#7) and “Assign a unique ID to each person with computer access” (#8), as well as “Track
and monitor all access to network resources and cardholder data.” The Health Insurance
Portability and Accountability Act (HIPAA) includes requirements categories such as
“Information Access Management” and “Access Control”. The National Institute of Standards
and Technology (NIST) guidelines for the Federal Information Security Management Act
(FISMA) include the control families “Access Control” and “Identification and Authentication”.
These compliance categories usually have specific requirements for tracking administrative
identity and activity. The PCI standard provides a representative list:
§ Preventing any tenant’s vSphere privileged users from either exposing their own workloads to
others (accidentally or intentionally) or gaining unauthorized access to another tenant’s
workloads.
§ Requirement for a documented approval by authorized parties specifying required
privileges.
§ Assign all users a unique ID before allowing them to access system components.
§ Establish a process for linking all access to system components (especially access
done with administrative privileges such as root) to each individual user.
§ Implement automated audit trails for all system components to reconstruct:
  o All actions taken by any individual with root or administrative privileges
  o Use of identification and authentication mechanisms
  o Access to all audit trails
These requirements can only be fulfilled by compiling comprehensive,
readily accessible logs of all activity by each administrative or
“privileged” user of the virtual infrastructure. The logs must cover all
use of the platform, including access through different management
interfaces. The log data needed to prove compliance includes:
§ Unique ID of the privileged user associated with every attempted
operation
§ Source IP address of each attempt
§ Identities and before-and-after states of reconfigured resources
such as virtual network adapters
§ Records of denied or failed operations
THE HYTRUST SOLUTION
HyTrust CloudControl™ records all the VMware privileged user log data needed to achieve
compliance in the virtual environment. It creates an audit trail with the essential details of
every successful and failed operation - conducted through any vSphere administrative
interface - and associates a unique user ID with every record. HyTrust CloudControl
automatically compiles the logs from vCenter and all vSphere hosts in a uniform, easily
accessible format. It then forwards the data via syslog to a central repository, or to SIEM and
log management solutions such as HP ArcSight, Splunk applications, RSA enVision, and McAfee
ePolicy Orchestrator (ePO), the last through native integration with McAfee Enterprise Security
Manager.
Figure: HyTrust logs a unique user ID for every permitted and denied operation, and records other
essential information that auditors require to certify compliance.
In addition to providing a unique user ID for every event, HyTrust supplements the log data
available from the virtualization platform with other information needed for compliance,
including:
§ Source IP addresses of operation attempts
§ Hypervisor configuration changes
§ Identities of reconfigured resources, including virtual machines, networks, and datastores
§ Previous resource state
§ New resource state
§ Labels of virtual assets (e.g., Production or DMZ)
§ Privileges required to conduct an operation
§ Operation denials and failures, with additional details such as missing privileges
When an enterprise uses HyTrust’s unique Secondary Approval process to block a user’s
attempted operation until a designated party approves it, HyTrust CloudControl logs the
requestor and approver IDs, the date and time of the request, whether the action was
approved or denied, and the time window for executing an approved request.
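An added example, not HyTrust code, that runs the checklist above over a batch of constructed vSphere-style audit records and reports which of the required fields (unique user ID, source IP, before/after state on reconfigurations, records of denied or failed operations) are missing. The record field names and the list of shared accounts are assumptions, not a vendor schema.

```python
"""Audit-trail gap check for virtualization privileged-user logs (added example)."""
from collections import Counter

# Accounts that identify a role, not a person (assumption: site-specific list).
SHARED_ACCOUNTS = {"root", "administrator", "vpxuser"}
# Operations that reconfigure a resource and therefore need before/after state
# (hypothetical operation names, not a vendor event catalogue).
RECONFIG_OPS = {"ReconfigVM", "UpdateNetworkConfig", "HostConfigChange"}

# Constructed sample records; field names are hypothetical.
SAMPLE_RECORDS = [
    {"user": "root", "src_ip": "10.0.0.5", "op": "ReconfigVM",
     "target": "vm-web01", "result": "success"},
    {"user": "alice@corp", "src_ip": "10.0.0.7", "op": "PowerOnVM",
     "target": "vm-db01", "result": "success"},
    {"user": "alice@corp", "src_ip": None, "op": "UpdateNetworkConfig",
     "target": "vSwitch0", "result": "success",
     "before": {"vlan": 10}, "after": {"vlan": 20}},
]


def find_gaps(records):
    """Return a sorted list of (record_index, gap) tuples.

    A record_index of -1 marks a gap that applies to the whole batch, such as
    a log stream that never records a denied or failed operation.
    """
    gaps = []
    for i, rec in enumerate(records):
        # A shared or empty account cannot be linked to an individual user.
        if not rec.get("user") or rec["user"] in SHARED_ACCOUNTS:
            gaps.append((i, "no unique user ID"))
        if not rec.get("src_ip"):
            gaps.append((i, "no source IP"))
        # Reconfigurations must carry the previous and new resource state.
        if rec.get("op") in RECONFIG_OPS and not ("before" in rec and "after" in rec):
            gaps.append((i, "no before/after state"))
    results = Counter(r.get("result") for r in records)
    if results["denied"] + results["failed"] == 0:
        gaps.append((-1, "no denied or failed operations recorded"))
    return sorted(gaps)


if __name__ == "__main__":
    for idx, gap in find_gaps(SAMPLE_RECORDS):
        print(f"record {idx}: {gap}")
```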
HyTrust’s comprehensive log data also enables forensic analysis of possible security
breaches in the virtual environment, promoting both privileged user accountability and a
stronger overall security posture. This security benefit, along with primary HyTrust functions
such as granular role- and asset-based access control, hypervisor configuration hardening,
and support for two-factor authentication, magnifies the compliance value HyTrust provides.
Figure: HyTrust CloudControl is pre-integrated with leading SIEM and log management solutions,
such as this Splunk dashboard.
By automating log processing and filling gaps in the virtualization platform’s logs, HyTrust
helps prevent costly audit failures and compliance violations while increasing virtualization
operations productivity.
For More Information
For more information on how HyTrust enables greater virtualization of workloads that must
stay compliant, visit www.hytrust.com/products, email questions to [email protected], or
call HyTrust at 650-681-8100 for a free consultation.