Securing Converged Infrastructures to Achieve Mission Success
INDUSTRY PERSPECTIVE
For more than a decade, federal agencies have deployed virtualization technologies to deliver greater service levels to their programs and maximize utilization of IT resources in data centers. Now, many agencies are bringing converged infrastructures – which combine computing, storage and networking in a single package – into these virtualized environments to simplify IT management and reduce costs. At the same time, federal managers are wondering how they can mitigate risks in these increasingly multi-tenant environments and utilize FedRAMP-compliant technologies to successfully forge a path toward the cloud. In this industry perspective, GovLoop has partnered with Merlin International, NetApp and HyTrust to share the value of secure converged infrastructures in government.
2 • Industry Perspective
What is Driving the Need for Convergence?
Converged infrastructures are helping federal IT managers pave the path to more flexible next-generation data centers. By utilizing infrastructures combining storage, server and networking components along with management software into a single computing package, agencies can reduce the amount of physical hardware required to run their IT operations, as well as power and cooling costs. What’s more, converged infrastructures can enable faster deployment of workloads, help increase system performance and availability and boost automated operations, resulting in IT that is easier to manage and less costly to own and operate. As federal data center managers seek to reap the benefits of converged infrastructures, however, they must ensure the security of application and database workloads in the virtualized environments. Converged infrastructures enable data center managers to consolidate multiple physically stovepiped or independent workloads and host them on the same physical infrastructure.
Although this capability reduces the overall cost of implementing a data center, it comes with the added challenge of securely managing data belonging to different workloads and tenants in a multi-tenant and cloud-based data center environment. Data center managers must securely isolate tenants at the network, compute and storage layers of these emerging converged infrastructures, and deploy tenant-level encryption that protects against insider threats. “Increasingly, converged infrastructures are used to host applications from distrustful or competitive program offices in the same virtual environment, and that is driving the need for more fine-grained cybersecurity at the hypervisor level,” said Mark Zalubas, Vice President of Engineering with Merlin International, a provider of system integration services and solutions that help federal agencies overcome challenges and achieve mission success.
Hypervisors, the Security Achilles’ Heel
For the better part of a decade, government agencies have been utilizing virtualization technologies to maximize IT resources and deliver greater service levels to their workforce. Virtualization uses software to simulate the existence of hardware and create a virtual computer system. This capability allows organizations to run more than one virtual system – as well as multiple operating systems and applications – on a single server. A thin layer of software called a hypervisor decouples the virtual machines from the host and dynamically allocates computing resources to each virtual machine as needed. And therein lies the problem. Putting multiple virtual machines onto a single physical server can be risky. If attackers can penetrate the hypervisor or virtual machine monitor – the software that orchestrates the whole virtual environment – they can take control of every virtual machine under its control, and all the data stored on them. After all, a hypervisor is software, and software has vulnerabilities that can be exploited by those with malicious intent. “With the hypervisor in the mix, you need to secure the overall converged system and place significant emphasis on the fact that these platforms are being shared,” Zalubas said.
“The major intrusion protection and data loss prevention security tools, however, do not reach down into the data center and data center management level to adequately secure converged virtual infrastructures,” said Bill Aubin, Vice President of Federal for HyTrust, a leading provider of workload security solutions for multi-cloud infrastructure. “There are really a couple of pieces that have to be addressed when you talk about security in a converged or hyper-converged environment. And by pieces, we mean groups of people,” Aubin added. “First, there is the virtual administrator. Few security technologies reach down to the virtual administrator level and put any controls there,” Aubin noted. “Another area of concern is data geofencing or data sovereignty, where stringent requirements dictate that U.S. government data cannot be stored on servers or systems out of the country. This concern is prevalent now that data is stored in virtual cloud infrastructures. So, agencies want to make sure applications are running in specific places on trusted platforms.”
Case Study: Converged Solution Strengthens Healthcare Agency Security
Merlin International – along with its partners NetApp and HyTrust – helped a federal healthcare agency achieve that level of trust in a converged infrastructure while bringing the agency’s hypervisor layer into compliance with federal security requirements. The FlexPod Datacenter with HyTrust DataControl and CloudControl provided the agency with complete virtual stack protection, visibility and control, multi-tenancy administrator protection and automated compliance with federal security requirements. “This particular healthcare agency had a highly virtualized environment running a plethora of different security applications,” said Natalie Rabinovich, systems engineer with NetApp. “One of the problems they had was scaling and securing those applications. They still required the manageability and usability of their existing environment, but it didn’t scale as well as they wanted it to, and they also needed to address the security concerns,” Rabinovich said. Scalability is an essential evaluation criterion for agencies assessing converged solutions for Federal Risk and Authorization Management Program (FedRAMP) readiness. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. This healthcare agency is part of the Trusted Internet Connection (TIC) environment, and must continuously monitor all the network traffic coming in and going out of the agency. Trusted Internet Connections is a mandate from the Office of Management and Budget (OMB) to reduce the number of internet gateways on the federal government network and ensure that all external connections are routed through a government agency that has been designated as an approved TIC Access Provider. Healthcare agency managers also wanted to create a pathway to a cloud computing environment and needed to comply with government information system and cloud security controls outlined by the National Institute of Standards and Technology in Special Publication 800-53 and mandated by FedRAMP.
FlexPod Datacenter with HyTrust CloudControl and DataControl is FedRAMP-ready for moderate-level security. This means that the platform comes with 40 percent of the NIST security controls out of the box. Additionally, the NetApp Verified Architecture (NVA) program offers users a validated, thoroughly tested and prescriptive solution architecture for NetApp solutions that accelerates customer time to market.
The various components of FlexPod Datacenter enhanced with HyTrust security and encryption addressed the healthcare agency’s security and compliance requirements. FlexPod Datacenter has Intel’s Trusted Platform Module (TPM) built into its motherboards. Intel’s Trusted Execution Technology (TXT) uses the TPM and cryptographic techniques to provide measurements of software and platform components so that system software, as well as local and remote management applications, may use those measurements to make trusted decisions. This technology is based on an industry initiative by the Trusted Computing Group (TCG) to promote safer computing. It defends against software-based attacks aimed at stealing sensitive information by corrupting system or BIOS code, or modifying the platform’s configuration. TPM is basically firmware that allows HyTrust to build hooks into its security hardware so it can determine whether virtual machines or virtual desktops are running in a trusted environment with TPM modules.
FlexPod combined with HyTrust hardware creates an environment in which organizations, such as the healthcare agency, can create logical separations of workloads and control who has authorized access to applications in a multi-tenant infrastructure, including virtual administrators. Moreover, they can determine which virtual machines (virtual servers and virtual desktops) can run on Cisco Unified Computing System servers using the FlexPod architecture. FlexPod Datacenter is a predesigned data center architecture built on Cisco Unified Computing System, the Cisco Nexus family of switches and NetApp fabric-attached storage. FlexPod is tailored to be the backbone infrastructure of public, private and hybrid-cloud environments. “FlexPod was designed to support multi-tenancy and diverse workloads,” Rabinovich noted. Each tenant has its own virtual machine. Tenants can set their own profiles, manage their own network resources and have their own storage. FlexPod has security capabilities, such as role-based access and audit logging, but with HyTrust, FlexPod has been enhanced to meet NIST/FedRAMP security controls, and security is extended to wherever the data may sit. “This healthcare agency had their virtualization services and their security services in place. But with this joint solution, they can take those services and extend them to wherever the data resides, and further to wherever they need the data to reside,” Rabinovich said.
HyTrust CloudControl provides granular role-based access control, so administrative functions can be set to control permissions at the virtual-object level. The appliance is a secure, hardened operating system built on the CentOS platform. CloudControl serves as a proxy to the VMware vCenter management platform and enhances it with forensic-grade logging, automated compliance and advanced administrative controls.
Encryption Anywhere
HyTrust DataControl provides encryption of virtual machine data while it is in motion and at rest. DataControl is FIPS 140-2 certified, and the key control server is a virtual appliance that can be deployed in a high-availability configuration. The solution includes three critical components: key control, policy engine and policy agent.
Here the technology needs an additional layer of protection: HyTrust encrypts the virtual machines, the workloads and the virtual desktops, whether they are on premises in the data center or moved to the cloud.
Administrators can configure or modify encryption policies through the policy engine; the policy engine then collects the rules for the key controller. The key controller in turn makes sure that the policy agent (which resides in the VM/workload) executes on these policies by managing encryption key creation, renewals and destruction.
When the virtual machine is encrypted, the decision whether to decrypt the VM is based on the underlying data center hardware, which utilizes Intel TXT for hardware tagging via the TPM. If the virtual machine moves into the cloud, the control of decryption is managed by the encryption key, which must be provided to access the virtual machine’s data. HyTrust provides much more policy control for virtual machine data and the use of encryption technology than simply encrypting hard drives, which can be circumvented by simply moving the drives.
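The key-release decision described above (policy engine sets rules, key controller enforces them before the policy agent in the VM gets a key, and the host must prove a trusted TXT/TPM measurement and an in-policy location) can be sketched as a small decision function. This is an added illustration, not HyTrust's code or protocol: the measurements, host attestation key, location tags and VM key are constructed, and an HMAC stands in for a real TPM quote signature.

```python
import hashlib
import hmac
import secrets

def measure(*components):
    """Stand-in for a TXT/TPM platform measurement over boot components."""
    return hashlib.sha256(b"|".join(components)).hexdigest()

# Constructed sample policy and hosts (illustrative only, not real values).
TRUSTED_MEASUREMENTS = {measure(b"bios-v1.2", b"hypervisor-6.5-golden")}
ALLOWED_LOCATIONS = {"US-DC-EAST"}                    # geofencing / data-sovereignty rule
HOST_ATTEST_KEYS = {"esx-host-01": b"host01-attest"}  # stands in for a per-host TPM key
VM_KEYS = {"vm-hr-db": secrets.token_bytes(32)}       # per-VM data encryption keys

def issue_nonce():
    """Key controller issues a fresh nonce so an old quote cannot be replayed."""
    return secrets.token_hex(16)

def _quote_body(host_id, measurement, location, nonce):
    return f"{host_id}|{measurement}|{location}|{nonce}".encode()

def build_quote(host_id, measurement, location, nonce):
    """Simulated TPM quote: the host MACs its measurement, location tag and nonce."""
    tag = hmac.new(HOST_ATTEST_KEYS[host_id],
                   _quote_body(host_id, measurement, location, nonce),
                   hashlib.sha256).hexdigest()
    return {"host": host_id, "measurement": measurement,
            "location": location, "nonce": nonce, "tag": tag}

def release_key(vm_id, quote, expected_nonce):
    """Key-controller decision before a key is handed to the policy agent.
    Returns (key_bytes_or_None, reason); every denial carries a loggable reason."""
    host_key = HOST_ATTEST_KEYS.get(quote["host"])
    if host_key is None:
        return None, "unknown host"
    expected_tag = hmac.new(host_key, _quote_body(quote["host"], quote["measurement"],
                            quote["location"], quote["nonce"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, quote["tag"]):
        return None, "bad quote signature"      # fields altered after signing
    if quote["nonce"] != expected_nonce:
        return None, "stale quote"              # replay of an earlier attestation
    if quote["measurement"] not in TRUSTED_MEASUREMENTS:
        return None, "untrusted platform measurement"
    if quote["location"] not in ALLOWED_LOCATIONS:
        return None, "location outside policy"
    if vm_id not in VM_KEYS:
        return None, "no key for vm"
    return VM_KEYS[vm_id], "ok"
```

A VM copied to a host or region outside the policy receives no key and its disk stays ciphertext, which is the property the text contrasts with plain drive encryption.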
Hardware-based encryption on the converged infrastructure is not enough in today’s world of hybrid cloud infrastructures, HyTrust’s Aubin said. Once workloads are moved into public clouds, such as Amazon Simple Storage Service, Microsoft Azure or IBM SoftLayer, the data is no longer encrypted. Hard drive encryption in the FlexPod systems does not follow the workload as it is moved around the enterprise or moved to the cloud. With DataControl, the workload is encrypted no matter what system or cloud it is moved to. Even if the hard drive is encrypted in the FlexPod system, as soon as the workload is moved into the cloud it is no longer encrypted.
Conclusion
The move to virtualization as well as private, public and hybrid clouds has been ongoing in the public sector – federal, state and local governments – for nearly a decade. Converged IT infrastructures help agencies grapple with federal mandates to reduce and optimize data centers and migrate to more agile (and hopefully more efficient) cloud environments, as long as they are properly secured. Agencies looking to migrate to a public, private or hybrid cloud environment while meeting federal security requirements will benefit from a solution and approach that provides enhanced security, reduced cost of ownership and improved scalability.
About Merlin International
Merlin International is a leading provider of world-class system integration services and solutions that enable the U.S. Federal Government to better meet mission requirements and challenges. By combining a broad portfolio of best-of-breed information technology solutions with deep expertise and experience building and implementing solutions with quantifiable return on investment and long-term sustainability, Merlin is preparing our Government for the future. Our core competencies are Cybersecurity, Infrastructure and Network Operations, and Enterprise Applications. The company is headquartered in Englewood, CO, with federal operations in Vienna, VA.
To learn more, visit www.merlin-intl.com.
About HyTrust
HyTrust’s mission is to make private, public and hybrid cloud infrastructure more trustworthy for enterprises, service providers and government agencies. HyTrust provides solutions that automate security controls for software-defined computing, networking and storage workloads to achieve the highest levels of visibility, granular policy control and data protection. HyTrust customers benefit from being able to accelerate cloud and virtualization cost savings while improving their security posture by automating and enforcing security policies in real time, adapting quickly to compliance requirements, and preventing unplanned outages. To learn more, visit www.hytrust.com.
About NetApp
Government agencies of all levels count on NetApp for software, systems, and services to manage and store their most important asset, their data. With solutions ranging from data protection and recovery to cloud computing, data analytics, and flash solutions, NetApp has become government customers’ top choice for key technologies that drive data center transformation. Top counties, cities, and states count on NetApp and value our teamwork, expertise, and passion for helping them succeed now and into the future.
For more information, visit www.netapp.com.
About GovLoop
GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.
For more information about this report, please reach out to info@govloop.com.
1152 15th St. NW, Suite 800 Washington, DC 20005 (202) 407-7421 | F: (202) 407-7501 www.govloop.com @govloop