Workload Security in Virtual Data Centers

As a security analyst, I am privileged to learn the secrets of our craft from the finest experts in our field. Hemma Prafullchandra, CTO of HyTrust, recently took time to help me through an exciting new dimension of cloud infrastructure control - one that I had not spent much time studying previously. Specifically, she helped me better understand the management plane in cloud infrastructure, and its role in supporting stronger forms of access and compliance control for cloud workloads.

Hemma, whose career has crossed paths with pioneers such as Marshall Rose, reminded me that network security architects are correct to differentiate between the protection of control and data planes in the cloud. Data planes carry workload traffic and house the familiar in-line functional controls, such as the firewalls that reside on our networks. Control planes, in contrast, house the coordination functionality used to administer and configure network devices. These are textbook concepts that should be familiar to anyone trained in network security.

She explained that in addition to this traditional data/control delineation, a new dimension exists in cloud infrastructure called a management plane. It is within this plane that application programming interfaces (APIs) reside and it is within this plane that tools, scripts, interfaces, and software can be used to enforce data and control security. It is also here that fully programmable visibility into cloud security and compliance can be maintained for workloads.

The cloud security solution approach at HyTrust focuses on this management plane by targeting the myriad access control obligations required for private virtual data centers running VMware. This is a large segment of the virtual data center community, and stronger access controls are uniformly needed for authentication, authorization, access, approvals, and other policy-based functions. (If you’ve not been subjected to stronger data center compliance requirements, then you have a sleepy auditor.)

By implementing strong access control functions in a transparent proxy, the VMware cloud user benefits from the seamless intercept, pause, and enforcement that come with such a deployment: every management request is intercepted, held when a policy requires an approval, and then allowed or denied. These proxy functions, as you would guess, include checking roles, determining group membership, and other familiar access control functions that are required to support policies such as two-person controls and least privilege. An additional advantage of this type of protection is the uniformity of control that exists regardless of access path, since the same policy applies across different hosted virtual workloads and systems whether a request arrives through a GUI client, an API call, or a command shell.
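To make the intercept, pause, and enforce cycle concrete, here is an added example of a small policy engine of the kind a management-plane proxy would run in front of the hypervisor API. It is illustrative code written for this page, not HyTrust's product or VMware's API: the user directory, group-to-role mapping, and action names (loosely modelled on vSphere-style privilege strings) are constructed assumptions. It shows deny-by-default least privilege, role resolution through group membership, a two-person control that pauses a destructive action until a distinct and authorized approver signs off, an audit record for every decision, and the same outcome regardless of which access path the request came through.

```python
"""Management-plane proxy policy engine (added example, not HyTrust or VMware code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed directory: who belongs to which groups (assumption for this example).
USER_GROUPS = {
    "alice": {"ops-team"},
    "bob": {"platform-admins"},
    "carol": {"platform-admins"},
    "dave": {"compliance"},
}

# Group membership resolves to roles; roles resolve to permitted actions.
GROUP_ROLES = {
    "ops-team": {"vm-operator"},
    "platform-admins": {"vm-admin"},
    "compliance": {"auditor"},
}

# Hypothetical action names, loosely modelled on vSphere-style privilege strings.
ROLE_PERMISSIONS = {
    "vm-operator": {"vm.power_on", "vm.power_off", "vm.snapshot"},
    "vm-admin": {"vm.power_on", "vm.power_off", "vm.snapshot", "vm.clone", "vm.delete"},
    "auditor": {"log.read"},
}

# Destructive actions that a two-person control pauses until a second person approves.
TWO_PERSON_ACTIONS = {"vm.delete"}


@dataclass(frozen=True)
class Decision:
    status: str   # "allow", "deny", or "pause" (held pending approval)
    reason: str


class ManagementPlaneProxy:
    """Intercepts management calls from every access path and applies one policy to all."""

    def __init__(self) -> None:
        self.audit_log: list = []

    def permissions_for(self, user: str) -> set:
        """Resolve user -> groups -> roles -> actions. Unknown users get nothing (deny by default)."""
        roles = set()
        for group in USER_GROUPS.get(user, set()):
            roles |= GROUP_ROLES.get(group, set())
        permitted = set()
        for role in roles:
            permitted |= ROLE_PERMISSIONS.get(role, set())
        return permitted

    def authorize(self, user: str, action: str, target: str, via: str,
                  approver: Optional[str] = None) -> Decision:
        """Decide on an intercepted request and record it for forensic logging.

        `via` names the access path (e.g. "vsphere-client", "api", "ssh"); it is logged
        but deliberately never consulted by the policy, so enforcement is path-independent.
        """
        decision = self._decide(user, action, approver)
        self.audit_log.append({
            "user": user, "action": action, "target": target, "via": via,
            "approver": approver, "status": decision.status, "reason": decision.reason,
        })
        return decision

    def _decide(self, user: str, action: str, approver: Optional[str]) -> Decision:
        # Least privilege: anything not explicitly granted by a role is denied.
        if action not in self.permissions_for(user):
            return Decision("deny", f"{user} holds no role granting {action}")
        # Two-person control: pause until a different, equally authorized person approves.
        if action in TWO_PERSON_ACTIONS:
            if approver is None:
                return Decision("pause", f"{action} requires approval by a second person")
            if approver == user:
                return Decision("deny", "approver must be a different person from the requester")
            if action not in self.permissions_for(approver):
                return Decision("deny", f"approver {approver} is not authorized for {action}")
        return Decision("allow", "policy satisfied")


if __name__ == "__main__":
    proxy = ManagementPlaneProxy()
    print(proxy.authorize("alice", "vm.power_on", "web-01", "vsphere-client"))
    print(proxy.authorize("bob", "vm.delete", "web-01", "api"))                   # paused
    print(proxy.authorize("bob", "vm.delete", "web-01", "ssh", approver="carol"))  # allowed
    for entry in proxy.audit_log:
        print(entry)
```

The design point is that the policy function never looks at `via`: an administrator who bypasses the GUI and scripts the API, or who reaches a host over SSH, meets exactly the same role, approval, and logging checks, which is the uniformity across access paths the paragraph above describes.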

The HyTrust product suite for VMware cloud deployments organizes security support functions into three different categories of management control. First, there is HyTrust CloudControl, which focuses on automated compliance, forensic logging, granular role and object controls, and support for secondary workflows such as approvals. Second, there is HyTrust DataControl, which addresses multi-cloud policy-based encryption and secure boot protection, and leverages hardware cryptographic acceleration. Finally, there is HyTrust BoundaryControl, which supports a range of soft-tagging and geo-tagging functions for workloads, as well as boundary-aware decryption of workloads.

Obviously, the deployment of any cloud security controls, such as those from HyTrust, represents a new area of cyber security, and growing pains exist. Hemma joked, for example, about the challenges some clients face managing keys in a cryptographically controlled cloud infrastructure. But the reality is that the art of protecting cloud workloads in virtualized data centers and networks is rapidly becoming sufficiently mature that one would expect the more intense compliance requirements to follow soon.

This distinction between management, control, and data planes is useful, because it highlights and parallels the programmable enforcement functions that have always existed behind the graphical or terminal interfaces to networks. By making this management plane more explicit in the VMware cloud, the HyTrust team creates a useful framework for implementing stronger access and compliance controls. This is a welcome approach, and one that I recommend your enterprise security team take some time to understand, especially if you are a VMware customer.

Let me know what you think.