UPDATED 09:31 EDT / JUNE 29 2012

HyTrust Fills Major Security Gap in Virtualized Data Centers

As data center virtualization moves beyond test and peripheral systems into mainstream production environments, enterprises face a major security gap. Maintaining and strengthening traditional security in the underlying physical environment remains important, but the virtualization layer itself also needs to be secured. The security built into commercial hypervisors such as VMware is rudimentary at best and leaves virtualized systems vulnerable. This creates compliance problems, but more than that, warns Eric Chiu, co-founder and president of HyTrust, it leaves companies very vulnerable to anybody who can gain access to the virtual system management layer.

How bad can it be? Chiu cites the Shionogi Pharmaceutical incident from last year. A disgruntled former IT administrator logged into the system of this U.S. subsidiary of a Japanese pharmaceutical company from a public wifi connection hundreds of miles away, using credentials that should have been canceled months before. He accessed the vSphere client and within a few minutes deleted all the VMs, “the equivalent of burning down the physical data center,” says Chiu. The company literally shut down for more than a week while IT worked furiously rebuilding the virtual environment.

Admittedly, if the company had been following basic security practices, someone would have deleted the former employee’s credentials as he was leaving the building. But a current employee with legitimate access to your company’s virtual infrastructure could easily delete all the VMs in your environment and cost your company millions, possibly even put it out of business. Of course companies would like to believe they can trust their employees, but in fact “the insider threat is very real and accounts for 56% of all serious breaches according to a Wall Street Journal article titled ‘The Enemy Within,’” says Chiu. One aspect of the new breed of persistent threats from state actors is that some may have included physical threats to individual employees or their families, raising the possibility that employees may be coerced into actions they would not normally consider.

Beyond that, Chiu says, many companies simply cannot proceed with virtualization of core applications and data without adequate security because of the need to comply with either government or industry regulations such as PCI, SOX, and HIPAA. Since 2009, large enterprises have on average progressed from about 25% virtualization to 50%, and without adequate security many are unable to proceed further. And the new generation of persistent security threats, many from state agents, has only increased that need. To counter these internal and external threats, Chiu says companies need “four must haves:”

  1. Access control for the virtual infrastructure,
  2. Network and end-point security,
  3. Configuration management to protect the highly dynamic virtualized environment, and,
  4. Audit logging.

HyTrust was founded in 2009 by a combination of virtualization and data security experts to solve this problem. Their answer is a system that checks every action in the virtual system against business rules that are built into the system and can be customized to meet the needs of individual businesses. It can support fine-grained access control and object-level policies such as network segregation, which can be important in multi-tenancy environments. These are becoming more common as companies seek to combine formerly air-gapped physical systems such as test & dev with production.

So for instance, HyTrust can enforce policies saying that the PCI VMs can only run on specific PCI clusters and can only connect to the PCI network and be administered by the PCI group, while the test/dev applications can be managed by engineering, can only run on the test/dev network, and cannot run on PCI clusters. It can enforce two-phase authorization for some activities such as deleting production VMs or editing the business rules themselves, preventing even an internal malefactor with legitimate access to vSphere from doing serious damage.
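The kind of rule set described above can be sketched as a small deny-by-default policy check. This is an added example, not HyTrust's product code or API; the labels, cluster, network and group names, and the choice of which operations need a second approver, are all hypothetical.

```python
from dataclasses import dataclass

# Constructed policy: labels, clusters, networks and groups are hypothetical.
POLICY = {
    "pci": {"clusters": {"pci-cluster"}, "networks": {"pci-net"},
            "admins": {"pci-group"}},
    "testdev": {"clusters": {"dev-cluster"}, "networks": {"dev-net"},
                "admins": {"engineering"}},
}
# Assumption: these operations need sign-off from a second administrator.
TWO_PERSON_OPS = {"delete_vm", "edit_policy"}

@dataclass(frozen=True)
class Request:
    user: str
    group: str
    op: str                 # "migrate", "attach_network", "delete_vm", ...
    vm_label: str
    target: str = ""        # destination cluster or network, if any
    approver: str = ""
    approver_group: str = ""

def authorize(req):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    rule = POLICY.get(req.vm_label)
    if rule is None:
        return False, "unlabelled VM"
    if req.group not in rule["admins"]:
        return False, "group may not administer this label"
    if req.op == "migrate" and req.target not in rule["clusters"]:
        return False, "cluster not allowed for this label"
    if req.op == "attach_network" and req.target not in rule["networks"]:
        return False, "network not allowed for this label"
    if req.op in TWO_PERSON_OPS:
        # The approver must be a different person who could act on this label.
        if not req.approver or req.approver == req.user:
            return False, "second approver required"
        if req.approver_group not in rule["admins"]:
            return False, "approver not authorized for this label"
    return True, "ok"

def audit(requests):
    """Decide each request and return one audit line per decision."""
    lines = []
    for r in requests:
        ok, why = authorize(r)
        lines.append(f"{'ALLOW' if ok else 'DENY'} {r.user} {r.op} "
                     f"{r.vm_label} {r.target}: {why}")
    return lines
```

Denied requests are logged alongside allowed ones, so the audit trail shows attempted policy violations as well as completed actions.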

HyTrust designed its technology to be hypervisor agnostic, Chiu said, but as a practical matter all virtual environments it has encountered so far run on VMware. It has marketing partnerships with CA Technologies, VMware, Cisco Systems, RSA, Symantec, VCE, and Trend Micro. These partnerships, plus its own marketing, have helped it grow dramatically in the last year. In 1Q2012 it saw a 250% increase in sales over 4Q2011, and Chiu says that trend is continuing. That growth is driven in large part, he says, by large enterprises moving toward virtualizing tier 1 applications and data. Its core verticals are financial services, retail, government (federal, state, and local), and healthcare, all heavily regulated areas. It is funded by $16 million in venture capital from Cisco Systems, Trident Capital, Granite Ventures, and Epic Ventures.

“Most of our sales are to large enterprises that often have both compliance and corporate governance requirements such as separation of duties, internal auditing, and the need to address breaches ranging from traditional malware to advanced persistent threats and insider attacks,” Chiu says. “Our mission is to provide the security that allows these organizations to go forward with virtualization of their tier 1 production environments with the confidence that the security is there.”

