CASE STUDY

QTS Leverages HyTrust to Build a FedRAMP Compliant Cloud

The technology and expertise provided by HyTrust dramatically simplified the process of preparing for our FedRAMP certification. HyTrust added key administrative control and visibility into our virtual infrastructure, along with comprehensive and granular auditing. I wish deployments with all vendors went as smoothly as ours did with HyTrust. - Randall Poole, VP Cloud Services

About QTS

QTS has built a national portfolio of world-class data centers supported by best-in-class technology, infrastructure, and equipment as the foundation for their services. QTS owns, operates and manages facilities coast-to-coast encompassing approximately 4.7 million square feet of secure, state-of-the-art data center infrastructure supporting more than 850 customers. Their robust, redundant, fiber-rich facilities are strategically located in or near many of the nation's most important data center markets.

In late 2012, QTS began an initiative to expand their business, adding two key cloud Infrastructure as a Service (IaaS) offerings: one targeted for commercial enterprises, and one for government, which would be FedRAMP certified.

The Challenge

QTS was building four VMware-based virtualized datacenters that would support their cloud offerings. QTS recognized that virtualized infrastructure requires different security. Because virtualization and cloud infrastructure collapse applications, network and storage into a single software layer, administrators of this environment typically have very broad privileges. QTS understood this concentration of risk and wanted to achieve the tightest security possible for their employees and their customers. The company also wanted to enhance their security posture and offerings for commercial customers, and ensure their environment would achieve FedRAMP compliance.

hytrust.com Cloud Under Control P: 650.681.8100 Page 1 CASE STUDY

QTS chose HyTrust to provide these additional layers of administrative control and visibility:

- Predictive protection to improve controls over what administrators can and can't do
- Better isolation and compartmentalization within their mission-critical and highly regulated virtual infrastructure
- Proactive increase in virtualization hardening, security posture and auditing
- Reduced risk of data center downtime, or destruction of data/intellectual property

Securing the Next-Generation Datacenter with HyTrust

QTS built out four new datacenter environments to support their cloud initiatives. The underlying hardware includes Cisco UCS servers with EMC storage, with VMware providing server virtualization. Two datacenters are allocated for a fully redundant, high-availability, FedRAMP-compliant cloud, and the other two for a highly secure commercial cloud offering.

HyTrust Improves Security, Simplifies FedRAMP Compliance

HyTrust CloudControl is a virtual appliance deployed as a control point between administrative traffic from all protocols, including VIC, SSH or a web UI, and vCenter and ESXi hosts. CloudControl added a number of capabilities that were critical for FedRAMP compliance, including:


Platform hardening: HyTrust CloudControl offers a range of templates that are used to harden the hypervisor. If the platform drifts from these recommended settings, CloudControl will automatically notify the appropriate administrator and reset the platform according to the template. QTS leveraged HyTrust’s FedRAMP template for their implementation.

Compartmentalization and administrative multi-tenancy: This protects vCloud Director assets from accidental misconfiguration or compromise. CloudControl's tag-based access controls (TBAC) allow QTS to tag or label specific assets, ensuring that they can only be managed by the appropriate administrator.

Improved log quality: CloudControl captures vCenter and ESXi administrative functions more completely, giving visibility into both actions and attempted actions. CloudControl's granular, user-specific log records can be used for regulatory compliance, troubleshooting, and forensic analysis. HyTrust CloudControl records not only valid requests but also invalid attempts, which are critical for security purposes. Additionally, every request is tied to the identity of a specific user, and all relevant information (the actual request, source IP, target IP, etc.) is collected. At QTS, CloudControl is configured to feed log data directly to Splunk, their enterprise SIEM tool, further automating their security practices.

Centralized authentication: QTS is able to mitigate backdoor access to ESXi hosts by centralizing authentication to vCenter and ESXi hosts through CloudControl.


Exceptional Deployment and Customer Service

Over and above the security capabilities enabled by CloudControl, QTS also experienced a smooth process for piloting the system and for moving it into production. Further, the HyTrust technical team created a FedRAMP matrix that clearly explained how HyTrust helped QTS address 27 specific requirements of the FedRAMP guidelines (see Appendix A for the full matrix).

As QTS expands their services, the company will look to implement additional HyTrust capabilities, including Secondary Authorization (also known as the two-person rule). In most of the major breaches in 2013 and 2014, the compromise of an insider account was the initial point of entry into the network. Secondary authorization can ensure that sensitive actions, such as deleting or copying a virtual machine, require the approval of a manager or other authority. Alerts and automation are built into the process: if approval is given, CloudControl automatically proceeds with the requested action.
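The following Python is an added illustration of the control-point model this case study describes: tag-based access control from the compartmentalization section, forensic-quality logging of both valid requests and denied attempts (with user, source IP and target IP) from the log-quality section, and the secondary-authorization workflow above, in which a held action is forwarded automatically once an independent approver signs off. It is not HyTrust CloudControl or QTS code; the tags, users, IP addresses, action names and the JSON record layout are all constructed for this example.

```python
"""Model of an administrative control point in front of vCenter/ESXi:
tag-based access control, secondary approval (two-person rule) for
sensitive actions, and forensic-quality logging of every request,
including the denied ones.

Added example, not HyTrust CloudControl or QTS code. The tags, users,
IP addresses, action names and the JSON record layout are constructed
here for illustration.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Actions that destroy or copy data; the control point holds these until a
# second, independent administrator approves them.
SENSITIVE_ACTIONS = frozenset({"vm.delete", "vm.clone", "vm.export"})


@dataclass(frozen=True)
class Asset:
    name: str
    target_ip: str
    tags: frozenset       # labels an admin must hold to manage this asset


@dataclass(frozen=True)
class Admin:
    user: str
    source_ip: str
    tags: frozenset       # asset labels this admin may manage
    actions: frozenset    # actions this admin may perform


@dataclass
class ControlPoint:
    assets: dict
    admins: dict
    pending: set = field(default_factory=set)   # (requester, action, asset) awaiting approval
    log: list = field(default_factory=list)     # audit records, oldest first

    def request(self, user, action, asset_name):
        """Evaluate an admin request; return 'ALLOW', 'HOLD' or 'DENY'."""
        admin, asset = self.admins.get(user), self.assets.get(asset_name)
        if admin is None or asset is None:
            return self._record(user, action, asset_name, "DENY", "unknown user or asset")
        # Tag-based access control: the admin must hold every tag on the asset.
        if not asset.tags <= admin.tags:
            return self._record(user, action, asset_name, "DENY", "asset tags not held by user")
        if action not in admin.actions:
            return self._record(user, action, asset_name, "DENY", "action not in user's role")
        if action in SENSITIVE_ACTIONS:
            self.pending.add((user, action, asset_name))
            return self._record(user, action, asset_name, "HOLD", "awaiting secondary approval")
        return self._record(user, action, asset_name, "ALLOW", "forwarded to vCenter")

    def approve(self, approver, requester, action, asset_name):
        """Second-person approval of a held request; forwards it on success."""
        ticket = (requester, action, asset_name)
        admin, asset = self.admins.get(approver), self.assets.get(asset_name)
        if ticket not in self.pending:
            return self._record(approver, action, asset_name, "DENY", "no held request to approve")
        # Self-approval and approval by someone without rights to the asset are rejected.
        if admin is None or approver == requester or not asset.tags <= admin.tags:
            return self._record(approver, action, asset_name, "DENY", "approver not independent or not authorised")
        self.pending.discard(ticket)                      # approvals are single-use
        self._record(approver, action, asset_name, "APPROVE", f"approved request by {requester}")
        return self._record(requester, action, asset_name, "ALLOW", f"forwarded after approval by {approver}")

    def _record(self, user, action, asset_name, decision, reason):
        """Write one audit record tying the request to a user, source IP and target IP."""
        admin, asset = self.admins.get(user), self.assets.get(asset_name)
        self.log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "source_ip": admin.source_ip if admin else None,
            "action": action,
            "asset": asset_name,
            "target_ip": asset.target_ip if asset else None,
            "decision": decision,
            "reason": reason,
        })
        return decision

    def to_siem(self):
        """Newline-delimited JSON, the shape a SIEM forwarder would ship."""
        return "\n".join(json.dumps(entry, sort_keys=True) for entry in self.log)


def demo():
    """Constructed scenario: a FedRAMP-tagged VM managed by two admins, plus a
    commercial-cloud admin who must not be able to touch it."""
    cp = ControlPoint(
        assets={
            "fedramp-vm-01": Asset("fedramp-vm-01", "10.1.0.11", frozenset({"tenant:fedramp"})),
            "commercial-vm-07": Asset("commercial-vm-07", "10.2.0.7", frozenset({"tenant:commercial"})),
        },
        admins={
            "alice": Admin("alice", "192.0.2.10", frozenset({"tenant:fedramp"}), frozenset({"vm.poweron", "vm.delete"})),
            "bob": Admin("bob", "192.0.2.11", frozenset({"tenant:fedramp"}), frozenset({"vm.poweron", "vm.delete"})),
            "carol": Admin("carol", "192.0.2.12", frozenset({"tenant:commercial"}), frozenset({"vm.poweron"})),
        },
    )
    decisions = [
        cp.request("carol", "vm.poweron", "fedramp-vm-01"),          # DENY: wrong tenant tag
        cp.request("alice", "vm.poweron", "fedramp-vm-01"),          # ALLOW: routine action
        cp.request("alice", "vm.delete", "fedramp-vm-01"),           # HOLD: two-person rule
        cp.approve("alice", "alice", "vm.delete", "fedramp-vm-01"),  # DENY: self-approval
        cp.approve("carol", "alice", "vm.delete", "fedramp-vm-01"),  # DENY: carol lacks the tag
        cp.approve("bob", "alice", "vm.delete", "fedramp-vm-01"),    # ALLOW: forwarded
        cp.approve("bob", "alice", "vm.delete", "fedramp-vm-01"),    # DENY: approval was single-use
    ]
    return decisions, cp


if __name__ == "__main__":
    decisions, cp = demo()
    print(decisions)
    print(cp.to_siem())
```

The point of the model is that every branch, including the four denials, lands in the same log stream that the allowed actions do; a SIEM search for `decision=DENY` on a FedRAMP-tagged asset is what turns the denied attempts the text mentions into a detection signal.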

Conclusion

In today's increasingly harsh security climate, Cloud Service Providers need to consider not only compliance but also security. Administrative control and visibility are largely overlooked in most virtualized infrastructures, and QTS recognized the importance of filling this security gap. Not only does this simplify compliance with FedRAMP, but the company also implemented these best practices in their commercial IaaS offering, which enables QTS to serve even highly security-sensitive customers.

About HyTrust

HyTrust is the Cloud Security Automation company. Its virtual appliances provide the essential foundation for cloud control, visibility, data security, management and compliance. HyTrust mitigates the risk of breach or catastrophic failure, especially in light of the concentration of risk that occurs within virtualization and cloud environments. Organizations can now confidently take full advantage of the cloud, and even broaden deployment to mission-critical applications.

The company is backed by top-tier investors VMware, Cisco, In-Q-Tel, Fortinet, Granite Ventures, Trident Capital and Epic Ventures; its partners include VMware, VCE, Symantec, CA, McAfee, Splunk, HP ArcSight, Accuvant, RSA and Intel.

For More Information

To learn more about HyTrust, visit www.hytrust.com, or contact us at 650-681-8100.

Appendix A: FedRAMP controls addressed by HyTrust

All 27 controls in the matrix are marked "Y" in the "HyTrust Implemented" column.

No.  Control   Control Name                                                              HyTrust Implemented
1    AC-2      Account Management                                                        Y
2    AC-3      Access Enforcement                                                        Y
3    AC-3 (3)  Access Enforcement | Mandatory Access Control                             Y
4    AC-4      Information Flow Enforcement                                              Y
5    AC-5      Separation Of Duties                                                      Y
6    AC-6      Least Privilege                                                           Y
7    AC-6 (2)  Least Privilege | Non-Privileged Access For Nonsecurity Functions         Y
8    AC-10     Concurrent Session Control                                                Y
9    AC-16     Security Attributes                                                       Y
10   AU-2      Audit Events                                                              Y
11   AU-3      Content Of Audit Records                                                  Y
12   AU-6      Audit Review, Analysis, And Reporting                                     Y
13   AU-8 (1)  Time Stamps | Synchronization With Authoritative Time Source              Y
14   AU-10     Non-Repudiation                                                           Y
15   AU-12     Audit Generation                                                          Y
16   CA-7      Continuous Monitoring                                                     Y
17   CM-2      Baseline Configuration                                                    Y
18   CM-3      Configuration Change Control                                              Y
19   CM-5      Access Restrictions For Change                                            Y
20   CM-6      Configuration Settings                                                    Y
21   CM-6 (3)  [Withdrawn: Incorporated Into SI-7]                                       Y
22   CM-8 (3)  Information System Component Inventory | Automated Unauthorized Detection Y
23   IA-5      Authenticator Management                                                  Y
24   IA-5 (1)  Authenticator Management | Password-Based Authentication                  Y
25   SC-5      Denial Of Service Protection                                              Y
26   SC-10     Network Disconnect (added from AC-12)                                     Y
27   SI-3      Malicious Code Protection                                                 Y

HyTrust features cited in the matrix's "HyTrust Feature Description" column (the row-by-row mapping of feature to control is not recoverable from this copy): Two-Factor Auth, RPV, Root Password Vaulting, Infrastructure Segmentation, Secondary Approval, RBAC, Security Template, Security Labeling, Automated Compliance Templates, Forensic Quality Logging (exportable to SIEM), Real Time Alerting, Hypervisor Access Control by Protocol and IP, and Platform Integrity w/ Intel TXT.