White Paper

The battle to secure virtual workloadsCan an intelligent solution win the war in the cloud?

Table of Contents3 Introduction

4 Struggling in the age of megabreaches

5 Security challenge 1 — Defusing data privacy, data residency, and compliance “landmines”

5 Ever–changing data privacy laws

5 Proving data residency and privacy compliance

6 Seeking data geo-fencing security

6 Security challenge 2 — Multi-tenancy data security policies in a multi-cloud architecture

6 Multiple multi-tenancy challenges

7 Seeking multi-tenancy security

8 Security challenge 3 — Protecting and securing the workload “achilles’ heel”

8 Seeking workload access and management security

8 The future of workload security needs intelligence

9 Regain the benefits of virtualization with one single approach

11 About HyTrust

11 About Intel

12 Appendix A

White Paper

The battle to secure virtual workloadsCan an intelligent solution win the war in the cloud?

IntroductionOver 90 percent of enterprise organizations have deployed, or plan to deploy, server virtualization technology within their data centers. In spite of this ubiquity, many organizations struggle with cloud security.

In fact, the benefits versus challenges of virtualization are in a neck and neck race that, depending on who wins, will either free the enterprise or constrain it. On one side, virtualization delivers significant advantages—flexibility, scalability, streamlined applications, faster time-to-market, and cost savings. On the other side, virtualization brings potentially significant security problems—which create weaknesses in organizations’ ability to protect their critical assets. The trend towards multi-cloud adoption and hybrid-cloud strategy has compounded this problem even further.

This has created three immediate security challenges—all threatening to cripple the enterprise:

– Country-specific data privacy rules and industry specific regulations are constantly changing. Do you know where your data is located and being stored?

– Secure multi-tenancy on a multi-cloud architecture is hard to achieve. Is your data kept separate from other clients’ data in multi-tenant environments?

– Workload migration and hypervisor security is often referred as the “Achilles’ heel” by industry experts. How do you automate the process of securing the workload in different cloud environments?

So far, to conquer these challenges, organizations are either doing nothing, or using pre-cloud security processes, or deploying an arsenal of new technologies and strategies. But, so far, no one can claim victory. In fact, security concerns are the most often cited obstacle to virtualization and adoption of cloud-computing models. As a result, attackers will increasingly target the cloud to take advantage of these weaknesses. And enterprises will fight a losing battle until they find a single powerhouse solution to slay them all.

White Paper

White Paper

Struggling in the age of megabreachesMaking matters worse for virtualization and cloud security is that today’s cybersecurity threats are more potent than ever—ranging from infections of corporate networks by custom malware to targeted hacking to malicious insider attacks. Further, the move to software defined data centers (SDDC) has raised the stakes by making data more vulnerable and harder to control.

Thanks to the rising value of data, today’s attackers have heightened incentives to up the sophistication of their game and attack weak virtualization and cloud defenses. Cybercrime surpassed illegal drug trafficking as a criminal moneymaker in the past several years, according to Symantec. Over 95 percent of enterprise attacks are compromised by new, innovative attack strategies that blend a variety of malicious techniques. In this environment, cyber attacks are costing companies millions of dollars in lost revenue and compromising customer data, intellectual property, and business reputations.

Despite spending billions dollars on enterprise security software, security breaches are at an all-time high and rising every year. In fact, we’re now living in what has been called the “era of the megabreach” with more frequent, malicious, and targeted attacks. Over 55 percent of C-level executives believe that the number of data breaches will continue to rise. It’s no surprise that 94 percent of executives think better security is more important than cost savings.

What will it take to overcome security challenges that continue to hinder virtualization and cloud deployment? What is needed to bridge the ever-expanding virtualization security gap is not blunt-object brute force, but hard-bodied intelligence. What is needed is a virtual data security force that does not just keep threats at bay, but that also resides with workloads as data is gathered, processed, and stored. This white paper presents a solution that addresses workload security and achieves the following three security objectives:

– Defuses the data privacy and data residency landmines– Reinforces multi-tenancy policies and controls – Automate workload security

Insider threats and privilege misuse account for 77% of all breaches, according to Verizon’s 2016 Data Breach Investigations Report. Both privileged account exploits and highly publicized insider data thefts highlight the increasing need for better security practices and solutions to address these challenges, according to a 2015 report based on research in cooperation with the 260,000+ member LinkedIn Information Security Community and Crowd Research Partners.

Key findings of the report include: – Privileged users, such as

managers with access to sensitive information, pose the biggest insider threat to organizations (59%). This is followed by contractors and consultants (48%), and regular employees (46%).

– 62% of security professionals say insider threats have become more frequent in the last 12 months. But only 34% expect additional budget to address the problem.

– Less than 50% of organizations have appropriate controls to prevent insider attacks.

– 62% of respondents say that insider attacks are far more difficult to detect and prevent than external attacks.

– 38% of survey respondents estimate remediation costs to reach up to $500,000 per insider attack.

– 64% of respondents find it difficult to estimate the damage of a successful insider attack.

White Paper

Security challenge 1 — Defusing data privacy, data residency, and compliance “landmines” Data privacy has been called a “landmine,” due to its potential to wreck havoc on companies not complying with all country-specific data residency laws. Constellation Research’s Vice President and Principal Analyst, Holger Mueller, went a step further when discussing data residency (data sovereignty). He called it a “time bomb.” This view is in sharp contrast to the general view of the cloud’s ability to deliver simplification and standardization—without regard to physical or geographic boundaries. In fact, it is this “any time, any place, any device” flexibility that is driving rapid cloud adoption. Over 58 percent of corporations planned to deploy cloud infrastructure in multiple countries thanks to this flexibility.

However, existing and changing government regulations on data residency threaten to complicate the delivery model that has made cloud computing attractive, presenting new concerns for companies with global operations. Organizations need security options that enable them to react to a rapidly changing regulatory environment with both immediacy and flexibility. Without adequate secure data privacy, companies will be at risk.

Ever–changing data privacy lawsComplicating the challenge of data privacy and residency is the fact that laws and regulations are always changing. With these laws including rules on how data is processed, transferred, and stored in individual countries around the world, global organizations operating across multiple jurisdictions are faced with a constantly shifting patchwork of regulations that demand different responses. It is also not clear exactly how current laws may change. For example, Safe Harbor, a 15-year-old data transfer agreement between the European Union and the U.S. was declared invalid, leaving in its place a proposed “Privacy Shield.” This leaves global businesses confused about the safest course of action, and concerned that they are now in violation of the law—and, therefore, at risk of crippling fines or worse.

Proving data residency and privacy complianceNot only do companies have to comply with the various data privacy rules and regulations of the countries they operate in, they must also prove they are complying. This is not an easy task—which is why compliance and auditing failures are a top concern for C-level executives. Further, 64 percent of organizations cite compliance, auditing, and privacy as their biggest cloud-computing security challenges.

Business leaders are struggling with how to respond to moving target of data privacy. Many companies look to their cloud providers for security, but few cloud providers are able to ensure privacy compliance.

“Intelligent workload security is the confidence that the right workload is in the right place.”

Robert StroudPrincipal Analyst, Forrester Research

Avoiding the issue of country-specific data privacy laws, or tackling it piecemeal, sets up organizations for penalties and fines that can reach millions of dollars. For example, in Germany, penalties for noncompliance are up to $114,000 per incident. In Hong Kong, the penalties for failure to comply are a maximum fine of $64,270 per incident, along with imprisonment of three years. What’s more, a new law enacted by the EU in late 2015 levies fines of up to four percent of revenues on firms that misuse personal data. Penalties and fines for data sovereignty infractions are not idle threats. Governments are enforcing their data security rules and penalties when companies are found to be negligent. Find out more at http://resources.hytrust.com/safe-harbor-end-of-era-download

White Paper

Seeking data geo-fencing securityThe challenge of complying with multiple jurisdictions’ data sovereignty rules and regulations puts corporations where they are today—facing critical questions about distributing private data across multiple physical, logical, and legal locations. Enterprises need to ask tough questions including:

– Where is our data located and being stored? – How do we maintain jurisdictional compliance when operating in the cloud? – Can our cloud provider deliver the required evidence and reports to show

compliance on a wide range of country-specific regulations?

What is needed to defuse data privacy and residency landmines is a solution that allows the enterprise to automatically and intelligently comply with jurisdictional guidelines with geo-fencing technology. It must also provide workload visibility across a wide variety of cloud environments and deliver continuous monitoring of data in various locations. This means also having the ability to change not only how privacy policies are implemented, but also the data model itself. This is important, because, while companies might be able to update their policies, they will still face the daunting task of reclassifying terabytes of existing data.

Security challenge 2 — Multi-tenancy data security policies in a multi-cloud architecture The idea of multi-tenancy, or multiple tenants sharing a single set of resources, is fundamental to cloud computing. Thanks to multi-tenancy, service providers can build network infrastructures and data architectures that are computationally efficient, highly scalable, and easily incremented to serve the many customers that share them.

While small, distributed data centers host a small number of applications or support a single organization, today’s consolidated data centers and clouds have disparate user groups that require complete separation of network traffic and strict access control policies—even though they are sharing the same physical servers and network infrastructure. This is also true of private virtual data centers and private clouds, as internal tenants require separation.

Multiple multi-tenancy challengesIn multi-tenant environments, multiple cloud service customers share the same hypervisor, physical server, and physical network and storage for their workloads and data. Access is controlled for each individual customer. The customer is not aware of other customers on the same infrastructure. They see only their own data and workloads.

However, the notion of a tenant in the context of cloud computing is not as simple as it might first appear. For example, cloud service providers have multiple tenants. Some of these tenants may also have tenants, who may, in turn, also have tenants, and so on. Each tenant likely stores data, like personal preferences, credit cards, and information. Similar to the separation of tenants in a building, tenants in cloud environments also need to be separated to achieve required degrees of security and privacy.

In this shared environment, maintenance of separation of virtual workloads becomes a critical concern and real challenge for security teams. Virtual machines are merely sets of files that usually exist on shared storage, and are usually protected by whatever security happens to be in place within the storage environment itself.

When asked about investment strategies to meet data privacy requirements in a HyTrust survey, over 70 percent of enterprise executives said they expect to increase spending, and over 30 percent expect budgets to rise by more than 10 percent over the next two years. Also, of those who plan to update data privacy strategies in the next three years, 38 percent plan to hire subject matter experts, and 27 percent plan to hire chief privacy officers. Further, 55 percent said they are planning new training for employees, 51 percent will amend and adapt policies, and 53 percent will prepare by adopting new technologies. Find out more about HyTrust Cloud and SDDC Study at https://www.hytrust.com/cloud-sddc-study/

Data Residency DefinedData residency (also called data sovereignty) is the concept that digital data is subject to the laws or legal jurisdiction of the geographic location in which it is stored. Companies that operate internationally and that gather personally identifiable information (PII) are subject to data privacy regulations in all of the countries in which they do business, as well as the rules that govern the treatment of data at the locations where the cloud service providers provision their services, such as their data centers. The challenge is that privacy and data sovereignty requirements vary widely from country to country. Organizations are not protected from responsibility just because they rely on a third-party cloud provider to manage data.

As a result, side attacks can be launched by malicious tenants while the environment is also vulnerable to exploits leveraging administrative and other privileged accounts. Further, IT contractors, or upstream and downstream technology providers (network, storage, etc.), may be able to gain access to workloads.

Virtualization can also make it easy to (sometimes unknowingly) intermingle applications and data that would have never been on the same host or storage in a traditional data center. For example, many organizations unknowingly host sensitive or compliance-related applications on the same hypervisor host as less sensitive applications—potentially exposing the sensitive data to intermingling or leakage through access by less sensitive systems or other resources. As a result, a single breach of the perimeter can lead to situations where attackers amass internal assets at their leisure undetected over a long period of time.

Seeking multi-tenancy securityThe reality of keeping workloads secure in multi-tenancy cloud environments forces enterprises to consider tough questions that have no easy answers including:

– Is our data kept separate from other clients’ data in multi-tenant environments? How can I prove that?

– Does the cloud provider have strict policies around who can access data? – How do we ensure that security policies are accurately and fully implemented

across the cloud?– Is our data secure in process, in transit, and at rest?

What is needed to reinforce multi-tenancy’s easy-to-break controls is an automated and intelligent solution that delivers four critical capabilities—lets the enterprise automatically enable workloads to self-check security and protect themselves from bad actors; secures data separation while allowing varied workload security levels on the same platform; removes air gaps in virtualized infrastructure; and ensures that data is encrypted and protected automatically across private and public clouds.

White Paper

Multi-tenancy definedAccording to Gartner, multi-tenancy is a reference to the mode of operation of software where multiple independent instances of one or multiple applications operate in a shared environment. Regarded as one of the most important features of cloud computing, multi-tenancy is a key common attribute of both public and private clouds.

“Most enterprises will have on-premises and cloud-based workloads for at least the next five years, necessitating server protection solutions that can protect on-premise physical, virtual, and public cloud IaaS protection all from a single console, with a single way of expressing a consistent security policy.”

Gartner Market Guide forCloud Workload Protection Platforms

Security challenge 3 — Protecting and securing the workload “achilles’ heel”To increase efficiency in cloud environments, organizations are condensing multiple virtual machines into a single server or hypervisor—which interacts with and manages multiple environments in the cloud. Access management then becomes a critical capability to keep workloads both separate and secure. Any vulnerability in the infrastructure and access management software creates a “security Achilles’ heel.” As a result, the foundation of modern-day cloud security completely depends on the security of the access to the workload.

To overcome the inherent security weakness of access management capabilities, many companies rely on their cloud provider’s security. But, in fact, they should assume the providers’ hypervisors and access controls contain flaws and vulnerabilities that can be exploited, allowing hackers to break in and gain access to the data.

Seeking workload access and management securityThe challenges of securing workloads put organizations where they are today—with hard questions such as:

– How are we protecting our workloads? – How do we securely migrate workloads to and from other cloud platforms? – What mechanisms are being used to detect access compromises?

What is needed to protect access management’s Achilles’ heel is an automated and intelligent solution that allows the enterprise to automatically enforce admin roles to protect the environment and monitor potential insider threats on public and private clouds. Also, the solution needs to achieve security, compliance, and productivity with granular role-based access controls (RBAC) and compliance with Federal Information Processing Standard (FIPS) and other standards.

The future of workload security needs intelligence Today, not moving workloads to the cloud is not an option, because no one wants to give up better server utilization, data center consolidation, and relative ease and speed of provisioning. Also, cloud service providers can achieve higher density, which translates into better margins. Plus, enterprises can use virtualization to shrink capital expenditures on server hardware as well as to increase operational efficiency.

However, leaving these workloads unsecured not an option. (Forrester analyst Andras Cser) While organizations have been using server virtualization and achieving pivotal consolidation benefits for years, security concerns continue to hinder cloud deployment. It is time for CIOs and CISOs to find (and deploy) the right security technology so they can move beyond these historic limitations. This leaves the enterprise with one overriding question: Who will they trust to ensure cloud security? The three leading cybersecurity challenges outlined in this paper—data sovereignty, multi-tenancy, and workload protection—can now be conquered with a single solution that delivers Intelligent workload security.

An intelligent solution mitigates the risks of data privacy and residency landmines with intelligent privacy management and automated security self-checks. An intelligent solution overcomes multi-tenancy security weaknesses by keeping workloads separate. An intelligent solution ensures approved workload access by fortifying access controls. Further, intelligent workload security delivers the ability for operations teams to define and enforce policies that prevent accidental changes in an SDDC infrastructure – changes which could otherwise result in unplanned

White Paper

downtime and other disruption. As a result, it frees IT operations from dealing with repetitive tasks, reducing security and compliance costs and complexity—while ensuring the cloud remains protected.

Regain the benefits of virtualization with one single approach Virtual machines are by nature dynamic and highly portable. Because they are simply a set of files, they can be spun up, suspended, copied, or deleted with ease. Further, they contain everything needed to run an application or workload, largely independent of the underlying hardware. Historically, there has been no automated way to ensure these workloads can only be represented on specific, designated, or trusted servers in trusted locations.

With intelligent workload security controls protecting virtual services and data in the cloud, organizations regain the following benefits with a single approach:

1. Avoid data sovereignty landmines and end audit and compliance suffering. Intelligent workload security provides the keys for diffusing data privacy landmines, including maintaining compliance with ever-changing country-specific data privacy laws, industry regulations and the need to be able to prove you have maintained compliance. It works by supplying data policy geo-tagging at underlying layers,

White Paper

“Intelligent workload security is really a resource driven thing. How can you take the greatest advantage of the resource you already have, how can you leverage VMs that you have, the information that you have, the software, and create an intelligent workspace?”

Ted HengstFormer CIO Socom, HyTrust Federal Advisory Board Member

which gives the enterprise the ability to define exactly where VMs are allowed to run. This ensures that workloads remain tied to their privacy policies across their whole lifecycle—in process, in transit, and at rest. Further, the intelligent security solution includes instant and continuous visibility of all workloads, wherever they reside.

An effective intelligent workload security solution will:

– Allow VMs to run only in approved jurisdictions – Deny requests to launch when outside of data privacy policies– Safeguard secure workloads from unauthorized transport, access, and use– Immediately respond to changing data policies, which ensures unbroken

compliance with existing and changing privacy regulations– Offer out-of the box features and templates that support best practices for

automated security and compliance – Providess forensics-grade logging, including capture, log, and alert of a wide range

of admin and system changes

2. Remove costly infrastructure air gaps. Intelligent workload security can remove costly infrastructure air gaps by enabling secure logical data and workload boundary separation. This allows workloads with varying security levels to remain fully protected on the same platform, ensuring that an organization’s preferred data risk segmentation policies, such as risk classification or levels of confidentiality, are followed. This makes secure multi-tenancy possible by closing air gaps in virtual infrastructure access control, network segmentation, and logging, as well as by adding critical data security through encryption. Together, these factors enable the solution to:

– Fulfill the requirement for effective workload isolation– Help prevent unauthorized communications and access– Effectively log administrative activities– Provide a data separation via:

a. Software-based tagging – enabling easier deploymentsb. Hardware-based approaches like Intel TXT. Read Appendix A for more details

3. Reduce Cloud Data Breaches. Intelligent workload security ensures that data and workloads are encrypted and protected automatically across private and public clouds. Workloads never travel without their security policies, never boot up unless it is safe, and encryption keys can be stored and managed separately from cloud-based data. Ideally the solution would leverage strong encryption such as FIPS-approved AES-128/256. VMs remain encrypted regardless of location, and the system confirms via security policy what it can and cannot do. This ensures that VMs cannot be hacked or otherwise tricked into being decrypted without appropriate policy validation. As a result, data cannot be decrypted if VMs are moved outside of defined parameters. Further, all activities, including the administrator’s policy actions, are logged. Together, these approaches help:

– Enable military-grade encryption and fine-grained policy oversight to sensitive data and workloads

– Simplify secure multi-tenancy key management – Provide options to set conditions to verify server security before allowing a VM on

a machine, preventing intentional or accidental workload movement

White Paper

A major U.S. retailer encountered a roadblock in the middle of a large virtualization project when the security team instituted a requirement that virtualized Microsoft Active Directory domain controllers using disk-based encryption. Microsoft Active Directory domain controllers boot in a specific sequence, which can create complications for encryption programs. Faced with the possibility of being forced to run domain controllers on dedicated hardware, and risk reducing the expected cost savings and server density goals, the company partnered with HyTrust to implement DataControl. The retailer gained the assurance that the sensitive account data residing within the virtualized server was encrypted and decrypted in the right sequence to enable the domain controller to boot properly.

– Provide portability and transparency without impacting user experience or VM administration

– Protect both data in motion and data at rest– Automate operational tasks such as provisioning, simplifying deployment, and

aiding in scalability– Deliver maximum protection against breaches and insider threats—helping to

prevent the theft or accidental exposure of sensitive and regulated data

4. Eliminate Privileged Account Misuse. Intelligent workload security enforces administrative roles to protect and monitor workloads on public and private clouds, thereby enhancing security, compliance, and productivity. Ideally such a system would be FIPS certified or compliant and would include fine grained role based access control (RBAC). These fine-grained access controls provide management, security, and auditing capabilities often beyond those that are typically shipped with typical hypervisors. Through password vaulting, encryption (and automatic key management), and other features, these controls enforce administrator scope. This ensures that not only do server and network administrators stay in their own domains, but also that administrators have appropriate rights needed for their jobs but not beyond.

Such a solution would ideally:

– Support multiple levels of administrative access, need-to-know, separation of duty, and peer review, as well as provide unique admin accounts for each tenant

– Provide decryption keys only to legitimate VM clones– Help harden the hypervisor– Help deliver protection from breaches and insider threats – reducing the chances

the theft or accidental exposure of sensitive and regulated data– Support secondary approval, or the ‘Two Person Rule’

Learn more about HyTrust at http://www.hytrust.com/resources/

About HyTrustHyTrust is the Cloud Security Automation company. Its virtual appliances provide the essential foundation for cloud control, visibility, data security, management and compliance. HyTrust mitigates the risk of catastrophic failure—especially in light of the concentration of risk that occurs within virtualization and cloud environments. Organizations can now confidently take full advantage of the cloud, and even broaden deployment to mission-critical applications. The company is backed by top-tier investors VMware, Cisco, Intel, In-Q-Tel, Fortinet, AITV, Granite Ventures, Trident Capital, Epic Ventures, and Vanedge Capital. Visit us at www.hytrust.com.

About IntelIntel (NASDAQ: INTC) expands the boundaries of technology to make the most amazing experiences possible. Information about Intel and the work of its more than 100,000 employees can be found at newsroom.intel.com and intel.com.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

© 2016 HyTrust, Inc. All rights reserved. HyTrust, the HyTrust logo, BoundaryControl, DataControl, and CloudControl are trademarks and/or registered trademarks of HyTrust, Inc., and/or its subsidiaries in the United States and/or other countries. All other trademarks are properties of their respective owners.

HyTrust - Cloud Under Control. 1975 W. El Camino Real, Suite 203Mountain View, CA 94040, USA Phone: 1-844-681-8100International: 1-650-681-8100

White Paper

A large global financial institution with more than 40,000 VMs partnered with HyTrust to reduce the risk that a stolen VM file could be loaded in a country other than the U.S. Using BoundaryControl, the financial institution ensured that its VM file only load on certified hardware located within designated boundaries.

Appendix AHyTrust, through its technology collaboration with Intel, has introduced new capabilities to secure the most important elements in virtualized datacenters and the cloud—applications and data—against the loss of control in cloud environments. This solution mitigates the risks that virtualization and the cloud create, simplifying regulatory compliance, preventing data theft or misuse, and ensuring availability of enterprise applications and data.

Built upon Intel’s asset tagging and attestation services with root-of-trust supported by Intel Trusted Execution Technology, or Intel TXT, this solution leverages Intel’s TXT to provide processor-level attestation of the hardware, BIOS, and hypervisor. The combination of HyTrust’s policy engine and Intel TXT can enable the government to set policies ensuring that sensitive applications and data workloads can only run on authenticated trusted hosts, physically located in specific trust zones, data centers, or geographic locations.

This solution can add three additional layers of protection:

1. Platform hardening. Intel TXT provides the capability for server attestation, allowing security teams to validate server configuration integrity and identify any unauthorized changes to the system.

2. Geo-fencing and location-based controls. Users can put policies in place to ensure that virtual workloads only run in specific geographies or locations. This is essential for compliance with existing and burgeoning privacy regulations.

3. Encryption/decryption. Virtual workloads remain encrypted and can only be decrypted when executed on a TXT-validated server.

Appendix A