How is the ESX/ESXi hypervisor layer secured by the use of PowerBroker?
PowerBroker provides delegated, policy-controlled privileged access to privileged accounts at both the hypervisor level (the ESX COS or the ESX/ESXi VMA) and to any UNIX/Linux virtual machines. Using PowerBroker, an administrative user can be given access to a privileged account at the hypervisor level or inside a virtual machine, and can be restricted by policy to only the actions or commands that are appropriate to the functions he or she needs to accomplish.
The security of the ESX/ESXi hypervisor environment is improved when work done in this layer is performed by non-root (but authorized) users, with privileged processes delegated and logged through PowerBroker. When PowerBroker is used in the hypervisor layer, control, accountability, and traceability are maintained whenever the hypervisor command line interface (CLI) layer is accessed. Thus, the ESX/ESXi hypervisor layer is secured by PowerBroker through careful delegation of privileged processes to non-root, authorized users.
Can a non-root, but authorized, user be prevented from executing a command with an undesirable consequence?
When PowerBroker is used to monitor the command line interface (CLI) of the ESX/ESXi hypervisor layer, a non-root but authorized user can be granted commands appropriate for the security level of the work that needs to be performed. More privileged commands can be delegated to more privileged users, thus improving and preserving the security of the ESX/ESXi hypervisor layer.
Should a root shell be granted to an authorized user in the ESX/ESXi hypervisor layer?
Root shells should not be delegated to everyone and should be carefully monitored whenever access is given to an authorized user. A root shell should not be delegated for convenience; it should be delegated based on necessity and the requirements of the work that needs to be completed. PowerBroker provides all the required tools for monitoring users granted root shell privileges.
Is there an operational vulnerability in the ESX/ESXi hypervisor that PowerBroker secures?
When both VMware’s and BeyondTrust’s best practice suggestions are adhered to, and PowerBroker is used as the gatekeeper for the command line interface, the security of the ESX/ESXi hypervisor layer is enhanced and easily managed, because PowerBroker provides the necessary control and an indelible audit trail of work done through this interface.
Can’t the virtual machine vulnerability be addressed by using encrypted file systems on the virtual machines?
Yes. If the file systems of the virtual machine are encrypted and the encryption key is not available to the user logged into the hypervisor, then the ability to mount and read data from the drives is removed.
Doesn’t disabling root access to the COS by Secure Shell (SSH) remove this vulnerability?
The virtual machine vulnerability can be exploited by a hypervisor user on the system console as well as through a remote SSH session. Disabling SSH root access does improve the situation, because exploitation then requires physical access to the system console, and most IT organizations have good controls in place to limit physical access to important hosts. However, consider that the administrative users who have the skill set to exploit the virtual machine vulnerability are also the users who typically have physical access to the system console.
Is BeyondTrust a VMware partner?
Yes. BeyondTrust is an independent software vendor (ISV) supporting VMware and a member of VMware’s Technology Alliance Partner Program.
How is PowerBroker Virtualization different from HyTrust?
PowerBroker and the HyTrust Appliance each manage the security of virtual infrastructures, but each covers different parts of the problem. In many ways, the two solutions are more complementary than competitive. The HyTrust Appliance provides configuration management and access control for VMware environments and can provide controls to keep the virtual environment configured correctly. It can also provide simple access control to privileged accounts at the hypervisor level.
PowerBroker, as previously mentioned, provides delegated, policy-controlled privileged access to privileged accounts at both the hypervisor level (the ESX COS or the ESX/ESXi VMA) and to any UNIX/Linux virtual machines. Using PowerBroker, an administrative user can be given access to a privileged account at the hypervisor level or inside a virtual machine, and can be restricted by policy to only the actions or commands that are appropriate to the functions he or she needs to accomplish.
How does PowerBroker Virtualization operate in heterogeneous virtualized data centers?
One of the strengths of BeyondTrust’s PowerBroker products is the coverage we provide for a larger number of virtualization environments and virtual machines. PowerBroker provides certified support for ESX/ESXi, Solaris Zones and Containers, AIX WPARs, z/VM Linux, IBM VIO Server and most major variants of UNIX and Linux running as virtual machines. PowerBroker can also be used to manage virtualization technologies running on supported platforms, such as Xen, XenServer, Oracle VM and KVM running on Linux.