It’s worth remembering that HyTrust sits between administrators and the VMware management interfaces (vCenter Client, ESX SSH and web management interfaces, vCenter and ESX APIs) as a transparent proxy that enforces authentication, authorization and corporate policy.
Every time a vSphere administrator issues a command, the request is intercepted by the HyTrust appliance sitting in the network path: the engine first checks the authentication credentials, then verifies that the administrator belongs to a user group allowed to interact with the virtual infrastructure entities he is trying to manipulate, and finally verifies whether the desired action is allowed on those entities.
If not, HyTrust doesn’t forward the command and returns a customizable warning to the vSphere management interface, stating that the desired action is denied.
Version 2.0 introduces some remarkable new features:
While a single appliance could already protect multiple vCenter Servers and ESX hosts, the new version ensures that a security policy defined on one appliance is automatically replicated to all the other appliances in the infrastructure. This guarantees a consistent set of rules across geographically distributed virtual infrastructures.
- Object Policy Labels
Administrators can assign a security label to every element of the virtual infrastructure. A HyTrust policy can then be created that only permits interaction between elements carrying the same label.
Depending on how the labels are assigned, this feature lets administrators define virtual segmentation and block operations between elements that have different security levels.
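To make the decision sequence described above concrete, here is an added Python model of such a policy-enforcing management proxy (example code written for this page, not HyTrust’s own implementation). The user names, groups, entity names and the PCI/DEV label values are constructed assumptions; the check order follows the text: authentication, group-to-entity authorization, action authorization and, for actions that involve two entities, the object policy label match that implements virtual segmentation.

```python
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple


def _digest(password: str) -> str:
    # Stored credential form used by this toy; a real appliance would use a
    # proper password hash or delegate to a directory service.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# --- constructed sample policy (illustrative names only) --------------------
USERS: Dict[str, Tuple[str, str]] = {          # user -> (password digest, group)
    "alice": (_digest("alice-pw"), "prod-admins"),
    "bob":   (_digest("bob-pw"),   "dev-admins"),
}
GROUP_ENTITIES: Dict[str, Set[str]] = {        # group -> entities it may touch
    "prod-admins": {"vm-web-01", "vm-db-01", "esx-prod-1", "esx-lab-1"},
    "dev-admins":  {"vm-build-01", "esx-dev-1"},
}
GROUP_ACTIONS: Dict[str, Set[str]] = {         # group -> actions it may issue
    "prod-admins": {"PowerOn", "PowerOff", "Migrate"},
    "dev-admins":  {"PowerOn", "PowerOff"},
}
LABELS: Dict[str, str] = {                     # entity -> object policy label
    "vm-web-01": "PCI", "vm-db-01": "PCI", "esx-prod-1": "PCI",
    "esx-lab-1": "DEV", "vm-build-01": "DEV", "esx-dev-1": "DEV",
}
TWO_PARTY_ACTIONS = {"Migrate"}                # actions that touch a second entity


def evaluate(user: str, password: str, action: str,
             entity: str, target: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether the proxy forwards a management command.

    Returns (allowed, reason). Checks run in the order the text gives:
    authentication, group-to-entity authorization, action authorization,
    and finally the object policy label match for two-entity actions.
    """
    # 1. Authentication: constant-time comparison of the credential digests.
    cred = USERS.get(user)
    if cred is None or not hmac.compare_digest(cred[0], _digest(password)):
        return False, "authentication failed"
    group = cred[1]

    # 2. Authorization on entities: every entity the command touches must be
    #    one the user's group is allowed to interact with.
    touched = [entity] + ([target] if target is not None else [])
    allowed_entities = GROUP_ENTITIES.get(group, set())
    for e in touched:
        if e not in allowed_entities:
            return False, f"group '{group}' may not interact with '{e}'"

    # 3. Authorization on the action itself.
    if action not in GROUP_ACTIONS.get(group, set()):
        return False, f"action '{action}' is not allowed for group '{group}'"

    # 4. Object policy labels: a two-entity action is only permitted when both
    #    entities carry the same label (the virtual segmentation rule).
    if action in TWO_PARTY_ACTIONS:
        if target is None:
            return False, f"action '{action}' requires a target entity"
        if LABELS.get(entity) != LABELS.get(target):
            return False, (f"label mismatch: '{entity}' is {LABELS.get(entity)}, "
                           f"'{target}' is {LABELS.get(target)}")

    return True, "forwarded to vCenter"


if __name__ == "__main__":
    for req in [("alice", "alice-pw", "PowerOn", "vm-web-01", None),
                ("bob", "bob-pw", "PowerOn", "vm-web-01", None),
                ("alice", "alice-pw", "Migrate", "vm-web-01", "esx-lab-1")]:
        print(req[0], req[2], req[3], req[4], "->", evaluate(*req))
```

The denial reasons are deliberately specific so that the proxy’s log tells a reviewer which check rejected the command; the warning returned to the management interface itself can be a generic, customizable message as the text describes.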
- Root Password Vault
HyTrust can map the ESX root user’s privileges to another account for a limited amount of time, so administrators never have to expose the root username and password.
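As an added illustration of the time-limited privilege mapping just described (example code written for this page, not HyTrust’s implementation), the following Python class hands out a short-lived delegate identity for a host instead of the root credential, and refuses to resolve the delegate once its lease has expired. The host and administrator names are constructed, and the injectable clock exists only so the expiry behaviour can be exercised deterministically.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class FakeClock:
    """Deterministic clock for demonstrations and tests (constructed helper)."""

    def __init__(self, start: float) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


class RootPrivilegeVault:
    """Map root privileges on a host to a short-lived delegate identity.

    The caller never receives the root password: it gets an opaque delegate
    name whose mapping to root on one host is valid only until its expiry.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # delegate -> (host, administrator, expiry timestamp)
        self._leases: Dict[str, Tuple[str, str, float]] = {}

    def checkout(self, admin: str, host: str, ttl_seconds: int) -> str:
        """Issue a delegate identity that maps to root on `host` for `ttl_seconds`."""
        if ttl_seconds <= 0:
            raise ValueError("lease must have a positive lifetime")
        delegate = f"ht-{admin}-{secrets.token_hex(4)}"
        self._leases[delegate] = (host, admin, self._clock() + ttl_seconds)
        return delegate

    def resolve(self, delegate: str, host: str) -> Optional[str]:
        """Return the administrator behind `delegate` if its lease is live for `host`.

        An expired lease is removed on first use after expiry; a live lease
        presented for the wrong host is simply not honoured.
        """
        entry = self._leases.get(delegate)
        if entry is None:
            return None
        mapped_host, admin, expiry = entry
        if self._clock() >= expiry:
            self._leases.pop(delegate, None)
            return None
        if mapped_host != host:
            return None
        return admin

    def revoke(self, delegate: str) -> bool:
        """End a lease early; returns True if one was active."""
        return self._leases.pop(delegate, None) is not None

    def active_leases(self) -> int:
        """Number of leases that have not yet expired."""
        now = self._clock()
        return sum(1 for (_, _, exp) in self._leases.values() if exp > now)


if __name__ == "__main__":
    vault = RootPrivilegeVault()
    d = vault.checkout("alice", "esx-prod-1", ttl_seconds=600)
    print(d, "->", vault.resolve(d, "esx-prod-1"))
```

Every use of the delegate resolves back to the named administrator, which is what makes the mapping auditable: the log records who acted as root, on which host, and within which window, rather than an anonymous shared root login.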
The appliance now includes a commercial-grade search index that can be used to find HyTrust logs, users and policies, as well as every element of a vSphere infrastructure.
- Remote APIs
To simplify deployment and physical network reconfiguration, the 2.0 appliance can act as the default gateway for the vCenter Server and the ESX/ESXi hosts, routing traffic between the management subnet and the standard LAN networks.
Like the previous release, version 2.0 is available in multiple editions, including a free Community Edition that protects up to 3 hosts.
Some of the features that HyTrust offers today will become increasingly important in private and public cloud computing infrastructures. It is no surprise that Cisco is investing in the company.