Cloud Security Needs More Layers: HyTrust

Eric Chiu, co-founder of HyTrust, says cloud operations will require “layered security” and virtual machines that are encrypted at rest.

Much has been written recently about how willing enterprises are to migrate some of their operations into the cloud. That move would proceed much faster if security weren’t still an overriding worry and consideration.

In the second half of 2013, Forrester Research conducted its regular Forrsights Hardware Survey and found enterprise hardware buyers more than willing to use cloud servers, but limiting their use because of unresolved concerns over security. In that survey, 73% of IT decision makers were concerned about public cloud security, and 51% were concerned about the security of their own private cloud.

The cloud now represents not just a concentration of compute power and storage, but also a concentration of security risk, given the potential for mischief or disaster if those centralized resources fall into the wrong hands. Whether it is a private cloud in the virtualized enterprise datacenter or a public cloud, new levels of “layered” security will need to be built in. Furthermore, such security will need to operate in a highly automated fashion and be driven by well-crafted and consistently applied policies, said Eric Chiu, president of HyTrust, in an interview before the RSA Security Conference in San Francisco this week.

Chiu is a co-founder of HyTrust, founded in 2009 with the express purpose of specializing in the new and rapidly evolving virtual environments. VMware, Citrix Systems, and Cisco Systems, all of which had a stake in keeping virtual machines safe, were among its early investors. Intel Capital joined in a third round of financing last August that brought the Mountain View, Calif., firm another $18.5 million. Chiu says its primary focus has moved beyond the hypervisor and VM environment to securing cloud operations, with several initiatives under way to make it an innovator in “layered” cloud security.


Chiu says he subscribes to the commonly held view that more data in the virtualized cloud should be encrypted when stored, including the VM itself. But the popular references to “2014 as the year of encryption” don’t mean that the private and public cloud, with more encryption, will be secure. It will take more than that. The cloud must monitor both its low-level users and its privileged operations managers, and impose secure practices on them in a way that prevents a single person from copying sensitive data, as Edward Snowden did at the NSA, or maliciously deleting production VMs.

HyTrust made its first acquisition, HighCloud Security, in November for an undisclosed amount, giving it new encryption capabilities. Virtual machines often run only a few hours a day when needed, then are shut down by their owners to reduce hourly charges. In their dormant state, the data they wrote to disk drives or databases is usually stored with automated encryption. Chiu says the software that makes up the VM itself, its copy of an operating system, and the application running inside it must also all be encrypted at rest.

“By mid-year, we’ll take encryption to the virtual machines themselves,” as opposed to merely encrypting sensitive data sent to storage, he said. HyTrust is currently busy integrating HighCloud’s capabilities into its product line.

Another part of enhanced security in the cloud will be protecting the encryption keys used to unlock the VMs and their data. HighCloud offers a way for enterprise IT managers to secure and protect the encryption keys outside the cloud where the VMs are running, setting up another barrier to potential attackers.

HyTrust’s Appliance already provides policy-driven supervision of system administrators and other cloud infrastructure managers, assigning them a role and privilege level that restricts the kinds of actions they can take. It monitors their actions and checks the activities it sees in cloud software events to make sure the person executing them has the proper privilege level. By mid-year, HyTrust will build into that system the ability to impose a “two-man rule” that forbids copying, major changes, or deletion of production VMs by one system admin without the approval of another.

Through its integration with Microsoft’s Active Directory, HyTrust Appliance can also authenticate cloud users and assign them the proper privilege levels. It monitors all activity affecting host-server hypervisors, inspecting code the hypervisor will run. In the process, the Appliance log file creates an audit trail that leads back to the intruder or malicious insider who is trying to make unauthorized changes. Such a system would have quickly spotted Snowden’s copying activity, said Chiu.

There’s one more safeguard, prompted partly by Snowden and the revelations about NSA snooping, that is to become available as a cloud security feature by mid-year, and that is “geo-fencing” data. Britain, Germany, France, the Netherlands, and other countries have laws governing the privacy of their citizens’ data and where it can be stored. In Germany, routine business and other normal data that originates inside the country’s borders must be stored in Germany.

Data-location compliance is made more challenging by the tendency of virtualized environments, as they strive for optimum utilization of resources and lower costs, to move VMs around, placing them on powerful servers during their peak demand and consolidating them with other VMs as traffic winds down.

Soon, Chiu said, it won’t be uncommon for a VM to be moved 10 times during the business day, and all of its security policies and access controls must move with it.

HyTrust will have the means to tag data and, through automated policies, ensure that location restrictions are met. Sometimes government agencies or healthcare institutions have policies that data they originate must stay within their own datacenters. The geo-fencing mechanism will make sure they are compliant.
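The three controls described above (a role and privilege check on each administrative action, a two-person rule for copying, changing or deleting production VMs, and a geo-fence that keeps residency-bound data inside its country when a VM is migrated) are easiest to see as one policy decision with an audit trail. The following is an added illustration written for this article, not HyTrust's code or API; the role table, VM names, country codes and the `evaluate` function are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Role -> actions a holder of that role may request (constructed sample policy).
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "vm-operator": {"power-on", "power-off", "snapshot"},
    "vm-admin": {"power-on", "power-off", "snapshot", "clone",
                 "reconfigure", "delete", "migrate"},
    "auditor": set(),
}

# Destructive or copy-capable actions that, on a production VM, need a
# second administrator's approval (the "two-man rule" from the article).
TWO_PERSON_ACTIONS: Set[str] = {"clone", "reconfigure", "delete"}


@dataclass
class VM:
    name: str
    production: bool
    residency: Optional[str]  # country the data may not leave, or None if unrestricted
    host_region: str          # country of the host currently running the VM


@dataclass
class Request:
    actor: str
    role: str
    action: str
    vm: VM
    approver: Optional[str] = None       # second admin for two-person actions
    target_region: Optional[str] = None  # destination country for "migrate"


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(req: Request, audit: List[dict]) -> Decision:
    """Apply the three checks in order; every outcome, allowed or not, is logged."""
    def record(allowed: bool, reason: str) -> Decision:
        audit.append({"actor": req.actor, "action": req.action, "vm": req.vm.name,
                      "allowed": allowed, "reason": reason})
        return Decision(allowed, reason)

    # 1. Role/privilege check: the actor's role must permit the action at all.
    if req.action not in ROLE_ACTIONS.get(req.role, set()):
        return record(False, f"role {req.role!r} may not {req.action}")

    # 2. Two-person rule on production VMs: a distinct approver is required,
    #    so one admin alone cannot copy or destroy a production workload.
    if req.vm.production and req.action in TWO_PERSON_ACTIONS:
        if req.approver is None:
            return record(False, "production VM: second-admin approval required")
        if req.approver == req.actor:
            return record(False, "production VM: approver must differ from actor")

    # 3. Geo-fence: a migration may not move residency-bound data across borders.
    if req.action == "migrate":
        if req.target_region is None:
            return record(False, "migrate: target region not specified")
        if req.vm.residency and req.target_region != req.vm.residency:
            return record(False, f"geo-fence: data must stay in {req.vm.residency}")

    return record(True, "policy satisfied")


def demo() -> List[Decision]:
    """Run a constructed set of requests through the engine and return the decisions."""
    audit: List[dict] = []
    erp = VM("erp-db-01", production=True, residency="DE", host_region="DE")
    scratch = VM("dev-scratch", production=False, residency=None, host_region="US")
    requests = [
        Request("alice", "vm-operator", "delete", erp),                  # no privilege
        Request("bob", "vm-admin", "delete", erp),                       # no approver
        Request("bob", "vm-admin", "delete", erp, approver="bob"),       # self-approval
        Request("bob", "vm-admin", "clone", erp, approver="carol"),      # allowed
        Request("bob", "vm-admin", "migrate", erp, target_region="US"),  # geo-fence
        Request("bob", "vm-admin", "migrate", erp, target_region="DE"),  # allowed
        Request("bob", "vm-admin", "delete", scratch),                   # non-prod, allowed
    ]
    decisions = [evaluate(r, audit) for r in requests]
    for entry in audit:   # the audit trail is what an investigator would read afterwards
        print(entry)
    return decisions


if __name__ == "__main__":
    demo()
```

The order of the checks matters: the privilege check runs first so that a low-privilege account never reaches the approval or residency logic, and every denial is recorded with its reason, which is the audit trail the article says an appliance log should provide.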

Only when user and administrator supervision, encryption, and the related safety features are fully automated for every cloud workload will the cloud have the layers of protection required to make it a safe place.

“That’s where we’re focused now, automated policies and security for the cloud,” he said. As long as key measures remain human-based, time and operations-staff limits ensure that mistakes will be made and breaches will occur. With the purchase of HighCloud, HyTrust is a company with 75 employees dedicated to the problem. And VMware, Cisco, and Intel are banking on it to keep the cloud safe.


Charles Babcock is an editor-at-large for InformationWeek, having joined the publication in 2003. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive Week. He is a graduate of Syracuse …
