Security: Architecture vs Sprawl

VMWare CEO Pat Gelsinger says we live in a “state of compromise” where what the business sees as critical is different to what CISOs see as important. When CEOs were asked what most needed to be protected from attacks, they answered reputation. CIOs and CISOs, on the other hand, pointed to regulated data as the most important thing to protect.

Similarly, when the two groups were asked what the business priorities were, the CEO focussed on growth whereas the CISO had their eyes on protection – something that barely made the CEO’s list of priorities.

Because of these differences, security is often an afterthought in many organisations even though budgets for cyber protection continue to grow. There has been investment in many different tools in an attempt to secure the ever-growing proliferation of platforms and devices that modern enterprises have acquired.

As a result, Gelsinger says we lack a true architecture for security. While everyone has policies, there is an inability to align those policies with all of the different tools and options that are available to manage security.

Not surprisingly, as the head of VMware, he says we should be using “a ubiquitous layer of virtualisation” to secure rather than asking how to secure virtualisation. He sees virtualisation as a way of providing the glue between applications and security tools.

By using virtualisation to segment applications, it’s possible to create an architecture that supports better security.

It would support least privilege; detection, through the virtualisation layer being able to “understand” the context of an application's activity; and automation of how a virtual machine is created, deployed and closed.

Distributed Network Encryption (DNE) is a new VMware technology, announced at RSA Conference 2016 by Gelsinger during a keynote address. This new system allows operators to choose a network segment through a GUI and then encrypt all traffic between all devices on that segment. This includes hashing data at both ends of a transaction.

In addition, DNE takes advantage of the on-chip encryption instructions added to newer Intel processors, called AES-NI – a technology Gelsinger was involved in developing when he worked at Intel. This way, the encryption doesn’t significantly impact the performance of any one system, as the work is offloaded to the on-chip encryption capacity of the CPUs across multiple hosts.


During a scripted live demonstration, Gelsinger and his team showed how this works with a “before and after” scenario. This started with a “hacker” intercepting banking credentials and altering data within a banking database so that the perpetrator’s mortgage was magically cleared.

Then, a network administrator used DNE to encrypt the vulnerable network segment with just a few mouse clicks.

The same process was then repeated, but the hacker’s access to the systems was blocked because the connections they had used previously were now encrypted.

Granted, this was a scripted demonstration but the functionality looked very powerful.


As well as working within a network, attendees of the keynote saw the same encryption applied to machines hosted on Amazon Web Services connected to the encrypted network segment. And it wasn’t only traffic that was protected – storage could be added to a network segment that was protected by DNE.

It seems logical that virtualisation will be deployed extensively in order to manage the proliferation of devices and platforms that is plaguing the security industry. Certainly, during RSA Conference 2016 this was a recurring theme, as many speakers noted the need to simplify the technology stack.

Too many security solutions have been deployed, each addressing a specific point of vulnerability. What Gelsinger and his team showed was the potential to simplify the deployment of an enterprise-wide encryption system with a virtualisation layer that forms a connective fabric between infrastructure and security tools.

Stories by Anthony Caruana