With increasing concerns over data security and virtualized mission critical workloads, VMware security systems provider HyTrust has come up with a secondary approval solution, which delays the actions taken by administrators until external approval for a particular action is granted. The solution enforces the “two person rule” for high impact administrative operations so that virtual data centers can be kept productive, secure, and compliant with regulations.

“Such precautions are increasingly necessary because today’s virtual environments pose a concentration of risk. Servers, networking, storage used to be separate physical systems and they all had their separate configurations and experts to manage them. That has all been collapsed to a single software layer, with a single management console where any administrator can access any resource. Ultimately, that creates security and compliance issues,” said Eric Chiu, President and Co-founder of HyTrust.

There might be several operations for which secondary or two-person approval if required. A simple case is where a contractor occasionally clones the virtual machine (VM) that hosts the enterprise email server in order to test patches and upgrades. The enterprise wants to ensure that the contractor cannot clone the VM for any other reason.
HyTrust announced this update to its flagship HyTrust Appliance at VMware’s VMworld conference, going on in San Francisco. HyTrust Appliance monitors and controls the employee use of virtual machines (VMs) that run on VMware’s ESX and ESXi hypervisors, as well as oversees administrative use of the VMware vSphere management console. In addition, it blocks execution and tells the user that Secondary Approval has been requested for the operation.

Simultaneously, it alerts an approver group that a user request requires review, and provides the details of the request. When an approver makes a decision, HyTrust Appliance notifies the user and – if the request is approved – gives the user an approver-defined window of time in which to execute the approved operation.
Simply put, it helps prevent the theft of a VM that contains confidential information, the willful destruction of an entire virtual data center, or the misconfiguring of a VM tenant.

HyTrust Appliance 3.5 also includes a new monitoring mode, which allows an administrator to log how VMs are used before applying policies to their use. The appliance logs all activity, without enforcing any rules.
According to HyTrust, the Appliance now has three times as many server configuration security checks and remediation operations than before. HyTrust Appliance 3.5 is now available, and its Enterprise Edition costs US$1,050 per CPU socket for each ESX or EXSi host, as well per $30,000 per appliance.