Case Study

HyTrust Builds QTS a FedRAMP Compliant Cloud

Industry Snapshot

–– Cloud Hosting Provider
–– Innovative Cloud Hosting Provider recognizes unique security challenges of virtual environment
–– Company needed better security posture and FedRAMP compliance
–– Company turned to HyTrust for better isolation, reduced downtime and decreased risk

About QTS

QTS has built a national portfolio of world-class data centers supported by best-in-class technology, infrastructure, and equipment as the foundation for their services. QTS owns, operates and manages facilities coast-to-coast encompassing approximately 4.7 million square feet of secure, state-of-the-art data center infrastructure supporting more than 850 customers. Their robust, redundant, fiber-rich facilities are strategically located in or near many of the nation’s most important data center markets.

In late 2012, QTS began an initiative to expand their business, adding two key cloud Infrastructure as a Service (IaaS) offerings: one targeted for commercial enterprises, and one for government, which would be FedRAMP certified.

The challenge

QTS was building four VMware-based virtualized datacenters that would support their cloud offerings. QTS recognized that virtualized infrastructure requires different security. Because virtualization and cloud infrastructure collapse applications, network and storage into a single software layer, administrators of this environment typically have very broad privileges. QTS understood this concentration of risk, and wanted to achieve the tightest security possible for their employees and their customers. The company also wanted to enhance their security posture and offerings for commercial customers, and ensure their environment would achieve FedRAMP compliance.

QTS chose HyTrust to provide these additional layers of administrative control and visibility:

“The technology and expertise provided by HyTrust dramatically simplified the process of preparing for our FedRAMP certification. HyTrust added key administrative control and visibility into our virtual infrastructure, along with comprehensive and granular auditing. I wish deployments with all vendors went as smoothly as ours did with HyTrust.”

Randall Poole, QTS Vice President of Cloud Services

–– Predictive protection to improve controls over what administrators can and can’t do
–– Better isolation and compartmentalization within their mission-critical and highly regulated virtual infrastructure
–– Proactive increase in virtualization hardening, security posture and auditing
–– Reduced risk of data center downtime, or destruction of data/intellectual property

Securing the next-generation datacenter with HyTrust

QTS built out four new datacenter environments to support their cloud initiatives. The underlying hardware includes Cisco UCS servers with EMC storage, with VMware for server virtualization. Two datacenters are allocated for a fully redundant, high-availability, FedRAMP-compliant cloud, and the other two for a highly secure commercial cloud offering.

HyTrust improves security, simplifies FedRAMP compliance

HyTrust CloudControl™ is a virtual appliance deployed as a control point between administrative traffic from all protocols, including VIC, SSH or a web UI, and vCenter and ESXi hosts. CloudControl added a number of capabilities that were critical for FedRAMP compliance, including:

–– Platform hardening: HyTrust CloudControl offers a range of templates that are used to harden the hypervisor. If the platform drifts from these recommended settings, CloudControl will automatically notify the appropriate administrator and reset the platform according to the template. QTS leveraged HyTrust’s FedRAMP template for their implementation.
–– Compartmentalization and administrative multi-tenancy: This helps protect vCloud Director assets from accidental misconfiguration or compromise. CloudControl’s unique tag-based access controls (TBAC) allow QTS to tag or label certain assets, ensuring that they can only be managed by the appropriate administrator.
–– Improved log quality: CloudControl better captures vCenter and ESXi administrative functions by providing better visibility into actions and attempted actions. CloudControl’s granular, user-specific log records can be used for regulatory compliance, troubleshooting, and forensic analysis. HyTrust CloudControl records not only valid requests but also invalid attempts, which are critical for security purposes. Additionally, every request is tied to the identity of a specific user, and all relevant information (actual request, source IP, target IP, etc.) is collected. With QTS, CloudControl is configured to feed log data directly to Splunk, their enterprise SIEM tool, further automating their security practices.
–– Centralized authentication: QTS is able to mitigate backdoor access to ESXi hosts by centralizing authentication for vCenter and ESXi hosts through CloudControl.

Exceptional deployment and customer service

Over and above the security capabilities enabled by CloudControl, QTS also experienced a smooth process for piloting the system and for moving it into production. Further, the HyTrust technical team created a FedRAMP matrix that clearly explained how HyTrust helped QTS address 27 specific requirements of the FedRAMP guidelines (see Appendix A for the full matrix).

As QTS expands their services, the company will look to implement additional HyTrust capabilities including Secondary Authorization (a.k.a. the two-person rule). In most of the major breaches in 2013 and 2014, the compromise of an insider account was the initial point of entry into the network. Secondary authorization can ensure that sensitive actions, such as deleting or copying a virtual machine, require the approval of a manager or other authority. Alerts and automation are built into the process, so if approval is given, CloudControl will automatically proceed with the requested action. […] mitigates the risk of breach or catastrophic failure, especially in light of the concentration of risk that occurs within virtualization and cloud environments. Organizations can now confidently take full advantage of the cloud, and even broaden deployment to mission-critical applications.
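As an added illustration (not HyTrust’s or CloudControl’s own code or policy language), the following Python sketch models the three controls described above: tag-based access to labelled assets, secondary authorization for sensitive actions, and a forensic-quality log of every request, permitted or denied, carrying user, source IP and target IP. Every user, tag, action name and address in it is a constructed assumption.

```python
"""Added illustration, not HyTrust or CloudControl code: a toy model of the
administrative control point the case study describes (tag-based access,
two-person rule for sensitive actions, logging of allowed and denied requests).
All users, tags, actions and addresses below are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

SENSITIVE_ACTIONS = {"vm.delete", "vm.copy"}   # assumed two-person-rule actions

@dataclass
class Request:
    user: str
    action: str
    target: str                    # vCenter/ESXi object name (constructed)
    target_tag: str                # label on the asset, e.g. "fedramp"
    source_ip: str
    target_ip: str
    approved_by: Optional[str] = None   # second approver, if any

@dataclass
class ControlPoint:
    admin_tags: dict[str, set[str]]       # user -> tags that user may manage
    log: list[dict] = field(default_factory=list)

    def decide(self, req: Request) -> bool:
        """Return True if the request may proceed; log the outcome either way."""
        allowed = req.target_tag in self.admin_tags.get(req.user, set())
        reason = "tag-ok" if allowed else "tag-denied"
        if allowed and req.action in SENSITIVE_ACTIONS:
            # Secondary authorization: an approver must exist and differ from requester
            allowed = bool(req.approved_by) and req.approved_by != req.user
            reason = "approved" if allowed else "awaiting-approval"
        # Forensic-quality record: identity, request, source, target and result
        self.log.append({"user": req.user, "action": req.action,
                         "target": req.target, "src": req.source_ip,
                         "dst": req.target_ip, "result": reason})
        return allowed

def demo() -> list[dict]:
    """Four constructed requests against a FedRAMP-tagged VM; returns the log."""
    cp = ControlPoint(admin_tags={"alice": {"fedramp"}, "bob": {"commercial"}})
    vm = ("gov-web01", "fedramp")
    cp.decide(Request("alice", "vm.poweron", *vm, "10.0.0.5", "10.0.1.10"))
    cp.decide(Request("bob", "vm.poweron", *vm, "10.0.0.6", "10.0.1.10"))
    cp.decide(Request("alice", "vm.delete", *vm, "10.0.0.5", "10.0.1.10"))
    cp.decide(Request("alice", "vm.delete", *vm, "10.0.0.5", "10.0.1.10",
                      approved_by="carol"))
    return cp.log
```

Note that the denied attempts (bob touching a FedRAMP-tagged VM, alice deleting without approval) are logged with the same fields as the permitted ones, which is what makes the records usable for SIEM correlation and forensics.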

Conclusion

In today’s increasingly harsh security climate, Cloud Service Providers not only need to consider compliance, but also security. Administrative control and visibility is largely overlooked in most virtualized infrastructures, and QTS recognized the importance of filling this important security gap. Not only does this simplify compliance with FedRAMP, but the company also implemented these best practices with their commercial IaaS offering, which enables QTS to serve even highly security-sensitive customers.

About HyTrust

HyTrust is the Cloud Security Automation company. Its virtual appliances provide the essential foundation for cloud control, visibility, data security, management and compliance. The company is backed by top-tier investors VMware, Cisco, In-Q-Tel, Fortinet, Granite Ventures, Trident Capital and Epic Ventures; its partners include VMware, VCE, Symantec, CA, McAfee, Splunk, HP ArcSight, Accuvant, RSA and Intel.

Learn more about HyTrust at www.hytrust.com or call us at 844-681-8100.

HyTrust - Cloud Under Control. 1975 W. El Camino Real, Suite 203, Mountain View, CA 94040, USA. Phone: 1-844-681-8100. International: 1-650-681-8100. © 2015 HyTrust, Inc. All rights reserved. HyTrust, and the HyTrust logo are trademarks and/or registered trademarks of HyTrust, Inc., and/or its subsidiaries in the United States and/or other countries. All other trademarks are properties of their respective owners.

Appendix A

| Control Number | Control Name | HyTrust Implemented FedRAMP Control | HyTrust Feature Description |
|---|---|---|---|
| AC-2 | Account management | Y | Two-factor auth, RPV, infrastructure segmentation, secondary approval |
| AC-3 | Access enforcement | Y | RBAC, secondary approval |
| AC-3 (3) | Access enforcement \| mandatory access control | Y | RBAC |
| AC-4 | Information flow enforcement | Y | Secondary approval |
| AC-5 | Separation of duties | Y | RBAC, secondary approval |
| AC-6 | Least privilege | Y | Security template, RBAC, secondary approval |
| AC-6 (2) | Least privilege \| non-privileged access for nonsecurity functions | Y | Security template |
| AC-10 | Concurrent session control | Y | Security template |
| AC-16 | Security attributes | Y | Labeling |
| AU-2 | Audit events | Y | Automated compliance templates, forensic quality logging |
| AU-3 | Content of audit records | Y | Forensic quality logging |
| AU-6 | Audit review, analysis, and reporting | Y | Forensic quality logging exportable to SIEM |
| AU-8 (2) | Time stamps \| synchronization with authoritative time source | Y | Automated compliance templates |
| AU-10 | Non-repudiation | Y | Two-factor authentication, root password vaulting |
| AU-12 | Audit generation | Y | Forensic quality logging |
| CA-7 | Continuous monitoring | Y | Automated compliance templates, real-time alerting |
| CM-2 | Baseline configuration | Y | Automated compliance templates |
| CM-3 | Configuration change control | Y | Forensic quality logging |
| CM-5 | Access restrictions for change | Y | RBAC |
| CM-6 | Configuration settings | Y | Automated compliance templates, real-time alerting, forensic quality logging |
| CM-6 (3) | [Withdrawn: incorporated into SI-7] | Y | Hypervisor access control by protocol and IP |
| CM-8 (3) | Information system component inventory \| automated unauthorized component detection | Y | Platform integrity with Intel TXT |
| IA-5 | Authenticator management | Y | Automated compliance templates |
| IA-5 (1) | Authenticator management \| password-based authentication | Y | Automated compliance templates |
| SC-5 | Denial of service protection | Y | Automated compliance templates |
| SC-10 | Network disconnect (added from AC-12) | Y | Platform integrity with Intel TXT and hypervisor access control by protocol and IP |
| SI-3 | Malicious code protection | Y | Automated compliance templates |