CASE STUDY

QTS Leverages HyTrust to Build a FedRAMP Compliant Cloud

"The technology and expertise provided by HyTrust dramatically simplified the process of preparing for our FedRAMP certification. HyTrust added key administrative control and visibility into our virtual infrastructure, along with comprehensive and granular auditing. I wish deployments with all vendors went as smoothly as ours did with HyTrust."
- Randall Poole, VP Cloud Services

About QTS

QTS has built a national portfolio of world-class data centers supported by best-in-class technology, infrastructure, and equipment as the foundation for their services. QTS owns, operates and manages facilities coast-to-coast encompassing approximately 4.7 million square feet of secure, state-of-the-art data center infrastructure supporting more than 850 customers. Their robust, redundant, fiber-rich facilities are strategically located in or near many of the nation's most important data center markets.

In late 2012, QTS began an initiative to expand their business, adding two key cloud Infrastructure as a Service (IaaS) offerings: one targeted for commercial enterprises, and one for government, which would be FedRAMP certified.

The Challenge

QTS was building four VMware-based virtualized datacenters that would support their cloud offerings. QTS recognized that virtualized infrastructure requires different security. Because virtualization and cloud infrastructure collapse applications, network and storage into a single software layer, administrators of this environment typically have very broad privileges. QTS understood this concentration of risk, and wanted to achieve the tightest security possible for their employees, and their customers. The company also wanted to enhance their security posture and offerings for commercial customers, and ensure their environment would achieve FedRAMP compliance.

hytrust.com Cloud Under Control P: 650.681.8100 Page 1
QTS chose HyTrust to provide these additional layers of administrative control and visibility:

- Predictive protection to improve controls over what administrators can and can't do
- Better isolation and compartmentalization within their mission-critical and highly regulated virtual infrastructure
- Proactive increase in virtualization hardening, security posture and auditing
- Reduced risk of data center downtime, or destruction of data/intellectual property

Securing the Next-Generation Datacenter with HyTrust

QTS built out four new datacenter environments to support their cloud initiatives. The underlying hardware includes Cisco UCS servers with EMC storage and leverages VMware for server virtualization. Two datacenters are allocated for a fully redundant, high availability and FedRAMP-compliant cloud, and the other two for a highly secure commercial cloud offering.

HyTrust Improves Security, Simplifies FedRAMP Compliance

HyTrust CloudControl is a virtual appliance deployed as a control point between administrative traffic from all protocols, including VIC, SSH or a web UI, and vCenter and ESXi hosts. CloudControl added a number of capabilities that were critical for FedRAMP compliance, including:

Platform hardening: HyTrust CloudControl offers a range of templates that are used to harden the hypervisor. If the platform drifts from these recommended settings, CloudControl will automatically notify the appropriate administrator and reset the platform according to the template. QTS leveraged HyTrust's FedRAMP template for their implementation.

Create compartmentalization and administrative multi-tenancy: This will help protect vCloud Director assets from accidental misconfiguration or compromise. CloudControl's unique tag-based access controls (TBAC) allow QTS to tag or label certain assets, ensuring that they can only be managed by the appropriate administrator.
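The platform-hardening behaviour described above (compare each host against a template, notify an administrator on drift, reset the host to the template) is easy to model in code. The following is an added illustration written for this page, not HyTrust CloudControl code and not a real FedRAMP template: the setting names, their values, the hostnames and the SIEM hostname are all constructed for the example. It treats a setting that is missing from a host as drift too, since an absent hardening setting is as much a gap as a wrong one.

```python
"""Illustrative hardening-template drift check (added example, not HyTrust
CloudControl code). A host's settings are compared against a hardening
template; any drift is reported to an administrator and the host's settings
are reset to the template values.

Setting names, values and hostnames are constructed for the example and are
not taken from any real FedRAMP or vendor template."""
from dataclasses import dataclass, field

# Constructed hardening template: setting -> required value.
HARDENING_TEMPLATE = {
    "ssh.enabled": False,           # no interactive shell access to the hypervisor
    "shell.timeout_seconds": 900,   # idle management sessions are disconnected
    "lockdown_mode": "normal",      # management only through the central control point
    "syslog.remote_host": "siem.example.internal",  # placeholder SIEM collector
    "password.max_age_days": 60,
}


@dataclass
class Drift:
    host: str
    setting: str
    expected: object
    actual: object  # None means the setting is missing on the host


@dataclass
class DriftReport:
    drifts: list = field(default_factory=list)
    notifications: list = field(default_factory=list)
    remediated: dict = field(default_factory=dict)


def detect_drift(host, config, template=HARDENING_TEMPLATE):
    """Return one Drift per template setting whose value differs on the host.
    A setting absent from the host counts as drift (actual is None)."""
    return [
        Drift(host, key, want, config.get(key))
        for key, want in template.items()
        if config.get(key) != want
    ]


def enforce(hosts, template=HARDENING_TEMPLATE, notify=None):
    """Check every host, emit one notification per drifted host, and return
    the configs reset to the template. Settings the template does not mention
    are left untouched."""
    report = DriftReport()
    for host, config in hosts.items():
        drifts = detect_drift(host, config, template)
        fixed = dict(config)
        if drifts:
            report.drifts.extend(drifts)
            msg = "%s drifted on %d setting(s): %s" % (
                host, len(drifts), ", ".join(d.setting for d in drifts))
            report.notifications.append(msg)
            if notify:
                notify(msg)  # e.g. page the responsible administrator
            for d in drifts:
                fixed[d.setting] = d.expected  # reset to the template value
        report.remediated[host] = fixed
    return report


# Constructed host inventory: one compliant host, one with changed settings,
# one that is missing the remote syslog setting entirely.
HOSTS = {
    "esxi-01": dict(HARDENING_TEMPLATE),
    "esxi-02": {**HARDENING_TEMPLATE, "ssh.enabled": True, "shell.timeout_seconds": 0},
    "esxi-03": {k: v for k, v in HARDENING_TEMPLATE.items() if k != "syslog.remote_host"},
}

if __name__ == "__main__":
    rep = enforce(HOSTS, notify=print)
    for d in rep.drifts:
        print(d)
```

Running the module prints two notifications (esxi-02 and esxi-03) and three Drift records; the returned report carries the reset configurations so the caller can push them back to the hosts and keep the notifications as an audit trail of what was changed and why.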
Improved log quality: CloudControl better captures vCenter and ESXi administrative functions by providing better visibility into actions and attempted actions. CloudControl's granular, user-specific log records can be used for regulatory compliance, troubleshooting, and forensic analysis. HyTrust CloudControl records not only valid requests but also invalid attempts, which are critical for security purposes. Additionally, every request is tied to the identity of a specific user and all relevant information—actual request, source IP, target IP, etc.—is collected. With QTS, CloudControl is configured to feed log data directly to Splunk, their enterprise SIEM tool, further automating their security practices.

Centralized Authentication: QTS is able to mitigate backdoor access to ESXi hosts by centralizing authentication to vCenter and ESXi hosts through CloudControl.

Exceptional Deployment and Customer Service

Over and above the security capabilities enabled by CloudControl, QTS also experienced a smooth process for piloting the system, and for moving it into production. Further, the HyTrust technical team created a FedRAMP matrix that clearly explained how HyTrust helped QTS address 27 specific requirements of the FedRAMP guidelines (see Appendix A for the full matrix).

As QTS expands their services, the company will look to implement additional HyTrust capabilities including Secondary Authorization (a.k.a. the two-person rule). In most of the major breaches in 2013 and 2014, the compromise of an insider account was the initial point of entry into the network. Secondary authorization can ensure that sensitive actions, such as deleting or copying a virtual machine, require the approval of a manager or other authority. Alerts and automation are built into the process, so if approval is given, CloudControl will automatically proceed with the requested action.
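The tag-based access control from the previous section, the forensic-quality logging described here (every request tied to a user identity, with source and target recorded, denied attempts included) and the secondary-authorization workflow all meet at one point: the control path every administrative request passes through. The following added example, written for this page rather than taken from CloudControl, models that control path as a single check function. The users, tags, asset names, IP addresses, approver list and the set of "sensitive" actions are all constructed for the illustration; the JSON-lines export stands in for the feed to a SIEM such as Splunk.

```python
"""Illustrative administrative control point (added example, not HyTrust
CloudControl code). Every admin request goes through check_request(), which
applies tag-based access control, holds sensitive actions until a second
person approves, and writes one audit record per request, whether the
outcome is allowed, denied or pending.

Users, tags, assets, IPs, approvers and the sensitive-action list are all
constructed for the example."""
import json
from datetime import datetime, timezone

# Constructed tag-based access policy: the tags each administrator may manage.
ADMIN_TAGS = {
    "alice": {"fedramp"},
    "bob": {"commercial"},
}
# Assets (VMs, hosts) labelled by the environment they belong to.
ASSET_TAGS = {
    "vm-gov-db01": "fedramp",
    "vm-corp-web01": "commercial",
}
# Actions that require a second person (the "two-person rule").
SENSITIVE_ACTIONS = {"delete_vm", "clone_vm"}
APPROVERS = {"carol"}

audit_log = []  # forensic-quality records; in practice shipped to the SIEM


def _record(user, action, target, src_ip, dst_ip, outcome, reason):
    """Append and return one audit record. Identity, request, source and
    target are captured for every request, including the ones refused."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "action": action, "target": target,
        "src_ip": src_ip, "dst_ip": dst_ip,
        "outcome": outcome, "reason": reason,
    }
    audit_log.append(entry)
    return entry


def check_request(user, action, target, src_ip, dst_ip, approver=None):
    """Decide one administrative request and return its audit record.
    outcome is 'allowed', 'denied' or 'pending_approval'."""
    tag = ASSET_TAGS.get(target)
    if tag is None:
        return _record(user, action, target, src_ip, dst_ip, "denied", "unknown target")
    # Tag-based access control: the admin must hold the asset's tag.
    if tag not in ADMIN_TAGS.get(user, set()):
        return _record(user, action, target, src_ip, dst_ip, "denied",
                       "user lacks tag %r" % tag)
    # Secondary authorization: sensitive actions need a distinct, authorised approver.
    if action in SENSITIVE_ACTIONS:
        if approver is None:
            return _record(user, action, target, src_ip, dst_ip, "pending_approval",
                           "secondary approval required")
        if approver not in APPROVERS or approver == user:
            return _record(user, action, target, src_ip, dst_ip, "denied",
                           "invalid approver %r" % approver)
    reason = "tag %r ok" % tag
    if approver:
        reason += ", approved by %s" % approver
    return _record(user, action, target, src_ip, dst_ip, "allowed", reason)


def export_jsonl():
    """Serialise the audit log as JSON lines, the shape a SIEM collector ingests."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in audit_log)


def denied_attempts():
    """The invalid attempts: the records a reviewer looks at first."""
    return [e for e in audit_log if e["outcome"] == "denied"]


if __name__ == "__main__":
    check_request("alice", "power_on", "vm-gov-db01", "10.0.0.5", "10.0.1.10")
    check_request("bob", "power_on", "vm-gov-db01", "10.0.0.6", "10.0.1.10")
    check_request("alice", "delete_vm", "vm-gov-db01", "10.0.0.5", "10.0.1.10")
    check_request("alice", "delete_vm", "vm-gov-db01", "10.0.0.5", "10.0.1.10", approver="carol")
    print(export_jsonl())
```

Two design points matter for the compliance use described on the page: the record is written before the decision is returned, so a denied attempt (bob touching a FedRAMP-tagged asset, or an administrator trying to approve their own deletion) is captured with the same fields as a successful one, and the check is the only path to the asset, which is what makes the log a complete account rather than a sample.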
Conclusion

In today's increasingly harsh security climate, Cloud Service Providers not only need to consider compliance, but also security. Administrative control and visibility is largely overlooked in most virtualized infrastructures, and QTS recognized the importance of filling this important security gap. Not only does this simplify compliance with FedRAMP, but the company also implemented these best practices with their commercial IaaS offering, which enables QTS to serve even highly security-sensitive customers.

About HyTrust

HyTrust is the Cloud Security Automation company. Its virtual appliances provide the essential foundation for cloud control, visibility, data security, management and compliance. HyTrust mitigates the risk of breach or catastrophic failure—especially in light of the concentration of risk that occurs within virtualization and cloud environments. Organizations can now confidently take full advantage of the cloud, and even broaden deployment to mission-critical applications. The company is backed by top tier investors VMware, Cisco, Intel, In-Q-Tel, Fortinet, Granite Ventures, Trident Capital and Epic Ventures; its partners include VMware, VCE, Symantec, CA, McAfee, Splunk, HP ArcSight, Accuvant, RSA and Intel.

For More Information

To learn more about HyTrust, visit www.hytrust.com, or contact us at 650-681-8100.

Appendix A: HyTrust Implemented Controls

| Control No. | Control Name (FedRAMP Control) | HyTrust Implemented | HyTrust Feature Description |
|---|---|---|---|
| AC-2 | Account Management | Y | Two-Factor Auth, RPV, Infrastructure Segmentation, Secondary Approval |
| AC-3 | Access Enforcement | Y | RBAC, Secondary Approval |
| AC-3 (3) | Access Enforcement / Mandatory Access Control | Y | RBAC |
| AC-4 | Information Flow Enforcement | Y | Secondary Approval |
| AC-5 | Separation Of Duties | Y | RBAC, Secondary Approval |
| AC-6 | Least Privilege | Y | Security Template, RBAC, Secondary Approval |
| AC-6 (2) | Least Privilege / Non-Privileged Access For Nonsecurity Functions | Y | Security Template |
| AC-10 | Concurrent Session Control | Y | Security Template |
| AC-16 | Security Attributes | Y | Labeling |
| AU-2 | Audit Events | Y | Automated Compliance Templates, Forensic Quality Logging |
| AU-3 | Content Of Audit Records | Y | Forensic Quality Logging |
| AU-6 | Audit Review, Analysis, And Reporting | Y | Forensic Quality Logging exportable to SIEM |
| AU-8 (1) | Time Stamps / Synchronization With Authoritative Time Source | Y | Automated Compliance Templates |
| AU-10 | Non-Repudiation | Y | Two-Factor Authentication, Root Password Vaulting |
| AU-12 | Audit Generation | Y | Forensic Quality Logging |
| CA-7 | Continuous Monitoring | Y | Automated Compliance Templates, Real Time Alerting |
| CM-2 | Baseline Configuration | Y | Automated Compliance Templates |
| CM-3 | Configuration Change Control | Y | Forensic Quality Logging |
| CM-5 | Access Restrictions For Change | Y | RBAC |
| CM-6 | Configuration Settings | Y | Automated Compliance Templates, Real Time Alerting, Forensic Quality Logging |
| CM-6 (3) | [Withdrawn: Incorporated Into SI-7] | Y | Hypervisor Access Control by Protocol and IP |
| CM-8 (3) | Information System Component Inventory / Automated Unauthorized Component Detection | Y | Platform Integrity w/ Intel TXT |
| IA-5 | Authenticator Management | Y | Automated Compliance Templates |
| IA-5 (1) | Authenticator Management / Password-Based Authentication | Y | Automated Compliance Templates |
| SC-5 | Denial Of Service Protection | Y | Automated Compliance Templates |
| SC-10 | Network Disconnect (added from AC-12) | Y | Platform Integrity w/ Intel TXT and Hypervisor Access Control by Protocol and IP |
| SI-3 | Malicious Code Protection | Y | Automated Compliance Templates |