Review: HyTrust Appliance 3.5


If any doubts remain as to the validity of the cloud as a solution for enterprise applications, then they are centered on security and reliability.  This isn’t just an unfounded perception.  As data centers consolidate racks and rows of individual servers into virtualized systems running on blades, they remove redundancy which, while saving money and resources, exposes them to a greater number of single points of failure.  In addition, one administrative mistake, such as remapping a virtual network, can bring down an entire virtual environment.

Many businesses are searching for ways to mitigate these risks in order to take full advantage of the cloud and virtualization.

Mitigating Virtualization Risks

Enter HyTrust and the HyTrust Appliance 3.5, a policy-driven hardware solution that provides visibility into virtualized environments by monitoring, logging, and evaluating every administrative action.  When the solution detects suspicious activity, whether flagged by behavior-based analysis or actual malfeasance, it issues an immediate alert and, if possible, takes corrective action.  The newest release conducts more than three times as many configuration checks and remediation operations as it did before.

HyTrust Appliance 3.5 begins by inventorying all of the protected cloud and virtual infrastructures and then applying behavior-based and threat detection algorithms to administrative activities.  Private clouds and virtualized data centers can be damaged (intentionally or not) by misuse of administrator privileges.  This might include copying a virtual machine with confidential data, deleting the entire virtual data center, or misconfiguring tenant-specific workloads in shared infrastructure.  HyTrust protects against such actions by combining access control, identity management, SIEM, log management and configuration hardening (full support for VMware’s Security Hardening Guide 5.1).

Organizations that want to observe and log administrative activities either before or in lieu of strict enforcement can install the appliance in “monitor only” mode. HyTrust informed me that most installations begin in “monitor only” mode to give companies the opportunity to flag undesirable administrator behavior and further refine roles before beginning to enforce stricter access policies.

Test Driving HyTrust Appliance 3.5

I was immediately struck by how easy it is to navigate around the appliance dashboard.  The Web-based GUI is divided into menus such as General, Compliance, Policy, Configuration, Maintenance and Help.  Role-based administration means administrators only have access to features that fall within their usual job-related tasks.  For example, a help desk administrator could see that a VM is up and running but not make any changes, while a virtualization administrator could make those changes directly.


In addition, many tasks can be configured to require secondary approval; for example, a destructive task such as powering down a VM or reverting to a snapshot can be configured to take place only after being approved by a coworker or boss. (In other words, it would take two idiots to screw something up.)

The first thing most customers do is set up root password management for VMware ESXi hosts.  The appliance can manage root passwords directly, meaning that administrators log into HyTrust Appliance and then HyTrust Appliance logs into the ESXi host for them.  This way password strength can be enforced, passwords can’t be lost, and no one can circumvent the appliance, log directly into a host and leave no audit trail.  In addition, host passwords can be automatically changed every five days to maintain stronger security. 

Policy can be pre-configured and compliance scans run on a regular basis.  While automatic remediation is possible, HyTrust informed me that most customers run scheduled assessment scans and then remediate manually in order to prevent configuration errors.

Remediation is incredibly easy.  Navigating to Compliance, Hosts gave me a list of hosts, their patch levels, the policy template being applied and a measurement of their compliance.  All I really had to do was select a host and click Remediate.

Audit logs track everything that is done to manage the virtualized environment: administrator, group, task, resource, privileges required, source IP address and the parameters that are being altered.  The Log Viewer displays activities in date and time order.  HyTrust informed me that most customers use the Log Viewer to get a quick idea of what is going on and export logs for a deeper analysis. 
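The controls described in this review (role-based access, secondary approval for destructive tasks, "monitor only" mode and per-action audit records) can be modeled in a few lines. The following is an added example, not HyTrust code or its log format; the role names, task names and record keys are hypothetical, and the sample addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical role -> permitted tasks mapping (constructed for illustration).
ROLE_TASKS = {
    "helpdesk": {"view_vm"},
    "virt_admin": {"view_vm", "power_off_vm", "revert_snapshot"},
}
# Destructive tasks that require a second person's approval.
NEEDS_APPROVAL = {"power_off_vm", "revert_snapshot"}


@dataclass
class Request:
    administrator: str
    group: str                      # role the requester acts under
    task: str
    resource: str
    source_ip: str
    parameters: dict = field(default_factory=dict)
    approved_by: Optional[str] = None


def evaluate(req, monitor_only=False, audit_log=None):
    """Return 'allow', 'deny' or 'pending_approval'; append an audit record."""
    if req.task not in ROLE_TASKS.get(req.group, set()):
        verdict = "deny"
    elif req.task in NEEDS_APPROVAL and (
        req.approved_by is None or req.approved_by == req.administrator
    ):
        verdict = "pending_approval"  # self-approval does not count
    else:
        verdict = "allow"
    # Monitor-only: record what enforcement would have done, but permit it.
    enforced = "allow" if monitor_only else verdict
    if audit_log is not None:
        audit_log.append({
            "administrator": req.administrator, "group": req.group,
            "task": req.task, "resource": req.resource,
            "source_ip": req.source_ip, "parameters": req.parameters,
            "policy_verdict": verdict, "enforced": enforced,
        })
    return enforced
```

In monitor-only mode the `policy_verdict` and `enforced` fields diverge, which is the record an administrator would review to refine roles before turning enforcement on.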

Availability and Pricing

HyTrust Appliance 3.5 is generally available now. Enterprise pricing starts at $63,750 for a single data center site with 20 ESXi CPU sockets. HyTrust Appliance Community Edition is also offered as a free version of the product that supports up to three hosts and can be downloaded from the Web.

Matthew David Sarrel is executive director of Sarrel Group, an editorial services, product test lab and information technology consulting company. He is a contributing editor for PC Magazine, a contributing analyst for GigaOM and a frequent contributor to the family of sites.  Previously, Mr. Sarrel was a technical director for PC Magazine Labs, where he led all testing conducted by the Applications, Enterprise and Development Software, OS and Utilities, Network Infrastructure and Wireless LAN teams. His career also includes stints as an executive at two Internet startups and as director of IT for the New Jersey Medical School National Tuberculosis Center.