Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:

Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers: How to virtualize more by building a security fortress around your "in-scope" virtual environment with HyTrust. First in a three-part series for IS and IT professionals responsible for virtualization and data center architecture, management, and optimization. HyTrust, Inc., 1975 W. El Camino Real, Suite 203, Mountain View, CA 94040. Phone: 650-681-8100 / email: [email protected] © 2012, HyTrust, Inc. www.hytrust.com


Transcript of Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:

  • 1. Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers: How to virtualize more by building a security fortress around your "in-scope" virtual environment with HyTrust. First in a three-part series for IS and IT professionals responsible for virtualization and data center architecture, management, and optimization.

  • 2. Overview. Meet the Experts. What are the key business drivers for the virtualization security blueprint? Can you recommend a strategy, framework, and tools to help us succeed with compliance audits and beyond? What cross-vendor architectures exist to help virtualize more mission-critical applications, more securely this year? What best practices and methodologies can you outline for planning and undertaking these newer virtualization security initiatives? Summary. Q&A.

  • 3. Today's Experts: Justin Lute. Director, Product Management - Virtualization, Cloud, and Technology Integrations, Qualys. Extensively-certified technical and business leader in cloud security. Strategic product, technical consulting, and engineering roles at VCE, EMC, RSA, and more. Justin has studied at Stanford University and The Ohio State University.

  • 4. Today's Experts: Dave Shackleford. SVP of Research and CTO, IANS. Former consultant at Voodoo Security. Author of SANS Virtualization Security and Cloud Security courses, and SANS curriculum lead for Virtualization and Cloud Security. Sybex Virtualization Security book coming in Q3 2012. Helped create and publish first virtualization security hardening guides while CTO at Center for Internet Security.

  • 5. Today's Experts: Eric Chiu. Eric Chiu is CEO and co-founder of HyTrust, Inc. (http://www.hytrust.com/), Vice President of Sales and Business Development at Cemaphore Systems, a leader in disaster recovery for Microsoft Exchange, Business Development at MailFrontier and mySimon. Instrumental in building OEM partnerships and technology alliances and driving new product initiatives. Formerly a Venture Capitalist for Brentwood (now Redpoint) and Pinnacle, he also served in the M&A Group for Robertson, Stephens and Company. Eric holds a BS in Materials Science and Engineering from UC Berkeley.

  • 6. HyTrust Backgrounder. Founded: Fall 2007. Headquarters: Mountain View, CA. Venture Funding: $16 million. Strategic Partners: Awards & Top Ten Lists: VMworld 2009 Best of Show, VMworld 2009 Gold, VMworld 2010 Finalist, TechTarget 2009 Product of the Year, RSA Innovation Sandbox 2009/2010 Finalist, SC Magazine 2010 Rookie Company of the Year, Network World Startup to Watch 2010, InfoWorld Tech Company to Know 2010, Forbes Who's Who in Virtualization, Red Herring 2010 North America winner, Gartner Cool Vendor 2011.

  • 7. Data Center of the Future: 3 year Vision. [Diagram labels: Rented Cloud; SaaS; Application; Infrastructure; Self-Service; Access; Identity and Usage; Consolidation & Virtualization; IT as a Service; Ubiquitous Access; Data; Cost.] End result of datacenter transformation: IT is delivered as-a-service; role of corporate IT is transformed from operational to control / governance.

  • 8. What security concern ranks highest in importance in your virtualized environments heading into 2012? Lack of automation (admin is brought in for every update and change). Self service for line of businesses to access/manage their virtual machines. Strength of security policies and processes around access and change controls. Insider breach, either malicious or errant. Logging and reporting tools for audit and/or forensics purposes. All of the above.

  • 9. When are you planning your next server refresh? Next 6 months as part of a full data center re-architecture. Next 6 months as standalone server refresh. Next 7-12 months as part of a full data center re-architecture. Next 7-12 months as standalone server refresh. Greater than 12 months as part of a full data center re-architecture. Greater than 12 months as standalone server refresh. No server refresh planned. Unknown.

  • 10. Key Drivers - Innovation Driving Business Goals. Virtualize More. Analyst research of CIO top priorities for 2012: 40% picked virtualization as one of top three. Analyst research shows market is now 52% virtualized, with many organizations goaled to be 75% virtualized by 2014. * Forrester Research, CISO's Guide to Virtualization Security.

  • 11. Key Drivers - Virtualization / Cloud Security Leading IT. Virtualize More Securely. There will be more virtual machines deployed on servers during 2011 than in 2001 through 2009 combined. [2] By 2015, 40% of the security controls used within enterprise data centers will be virtualized, up from less than 5% in 2010. [1] Virtualization increases security risk by 60%. [1] Sources: [1] Gartner; From Secure Virtualization to Secure Private Clouds; Neil MacDonald & Thomas J. Bittman; 13 October 2010. [2] Gartner; Q&A: Six Misconceptions About Server Virtualization; Thomas J. Bittman; 29 July 2010.

  • 12. Key Drivers - Business Demands More. Virtualize More, More Securely, With Less! Forrester Research, CISO's Guide to Virtualization Security.

  • 13. Key Drivers - Proactively Protect and Secure Your IP. 87%: Percentage of companies that have experienced a data breach (IT Compliance Institute). 48%: Percent of all breaches that involved privileged user misuse (Verizon report, 2010). 74%: Percentage of breached companies who lost customers as a result of the breach (IT Compliance Institute).

  • 14. Key Drivers - Proactively Protect and Secure Your IP. 87%: Percentage of companies that have experienced a data breach (IT Compliance Institute). 48%: Percent of all breaches that involved privileged user misuse (Verizon report, 2010). 74%: Percentage of breached companies who lost customers as a result of the breach (IT Compliance Institute).

  • 15. Typical Response for Errant Insider-caused Breach.

  • 16. Key Drivers - Summary. Build the Business Case. External and Internal drivers. Describing "What is ISO/IEC 27001?" Articulating benefits: Value to your intellectual property (IP); Value to Brand; Value to departmental reputation and team careers.

  • 17. Strategy, Framework, and Tools. Scoping: the Key to Success. Planning and Design - Understanding the environment is critical. ISMS - Documented Components. Communication and Setting Expectations Internally.

  • 18. Strategy, Framework, and Tools. GRC Tool Benefits. ISO Controls Testing (control activities). Obtain Certification. Maintenance, Surveillance, and Re-Audit.

  • 19. Why Get Started Now? Jason Cornish, former Shionogi Pharma IT staffer. Pleaded guilty to Feb 11 computer intrusion. Wiped out 88 corporate servers (VMs) - email, order tracking, financial, & other services - and 15 ESX hosts. Shionogi's operations frozen for days: unable to ship product, unable to cut checks, unable to send email. Estimated cost: $800k. All of this was accomplished from a McDonald's.

  • 20. Why Get Started Now? "down the road, the cyberthreat will be the number one threat to the country" (FBI Director Robert Mueller). "service attacks into NASDAQ, RSA, and the IMF underscore the vulnerability of key sectors of the economy." "wholesale plundering" of American intellectual property (Director of National Intelligence, James Clapper).

  • 21. Best Practices and Guidance - Getting Started. How To Get Started with Virtualization Security. Strive for virtual security that is equal to or better than the traditional security in your environment. Consider the following: Apply the Zero Trust model of information security to your network architecture. Consider virtualization-aware security solutions. Implement privileged identity management. Incorporate vulnerability management into the virtual server environment.