Security: Architecture vs Sprawl

VMware CEO Pat Gelsinger says we live in a “state of compromise” where what the business sees as critical is different to what CISOs see as important. When CEOs were asked what most needed to be protected from attacks, they answered reputation. CIOs and CISOs, on the other hand, pointed to regulated data as the most important thing to protect.

Similarly, when the two groups were asked what the business priorities were, the CEO focussed on growth whereas the CISO had their eyes on protection – something that barely made the CEO’s list of priorities.

Because of these differences, security is often an afterthought in many organisations even though budgets for cyber protection continue to grow. There has been investment in many different tools in an attempt to secure the ever-burgeoning proliferation of platforms and devices modern enterprises have acquired.

As a result, Gelsinger says we lack a true architecture for security. While everyone has policies, there’s an inability to align those policies with all of the different tools and options that are available to manage security.

Not surprisingly, as the head of VMware, he says we should be using “a ubiquitous layer of virtualisation” to secure rather than asking how to secure virtualisation. He sees virtualisation as a way of providing the glue between applications and security tools.

By using virtualisation to segment applications, it’s possible to create an architecture that supports better security.

It would support least privilege; detection, through the virtualisation layer being able to “understand” the context of an application’s activity; and automation of how a virtual machine is created, deployed and closed.

Distributed Network Encryption (DNE) is a new VMware technology, announced at RSA Conference 2016 by Gelsinger during a keynote address. This new system allows operators to choose a network segment through a GUI and then encrypt all traffic between all devices on that segment. This includes hashing data at both ends of a transaction.

In addition, DNE takes advantage of the newly introduced on-chip encryption instructions in new Intel processors, AES-NI – a technology Gelsinger was involved in developing when he worked at Intel. This way, the encryption doesn’t significantly impact the performance of any one system, as the work is offloaded to the on-chip encryption capability of the CPUs across multiple hosts.


During a scripted live demonstration, Gelsinger and his team showed how this works with a “before and after” scenario. This started with a “hacker” intercepting banking credentials and altering data within a banking database so that the perpetrator’s mortgage was magically cleared.

Then, a network administrator used DNE to encrypt the vulnerable network segment with just a few mouse clicks.

The same process was then repeated, but the hacker’s access to the systems was blocked, as the connections they had been using previously were now encrypted.

Granted, this was a scripted demonstration but the functionality looked very powerful.
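The before-and-after of the demonstration, reduced to the mechanism the DNE description relies on (an operator-set policy that encrypts every flow between hosts on a segment and checks integrity at both ends), as an added Go example that is not VMware's code and is not part of the original article. The Segment type, its “encrypt all traffic” flag, the single shared segment key, the host names and the sample record are assumptions made for illustration; the page does not describe how DNE distributes keys. AES-GCM is used here as an AES mode of the kind the AES-NI instructions accelerate, and its authentication tag plays the role of the end-to-end integrity check the article describes as hashing at both ends.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Segment models the policy an operator sets for one network segment: its member
// hosts and whether all traffic between them is encrypted. Hypothetical structure,
// not VMware's data model.
type Segment struct {
	Name    string
	Hosts   map[string]bool
	Encrypt bool
	key     []byte // segment-wide AES-256 key; constructed here, key distribution is out of scope
}

// NewSegment creates a segment; a random key is generated only when encryption is on.
func NewSegment(name string, hosts []string, encrypt bool) (*Segment, error) {
	s := &Segment{Name: name, Hosts: map[string]bool{}, Encrypt: encrypt}
	for _, h := range hosts {
		s.Hosts[h] = true
	}
	if encrypt {
		s.key = make([]byte, 32)
		if _, err := rand.Read(s.key); err != nil {
			return nil, err
		}
	}
	return s, nil
}

// Frame is what an observer on the wire sees: addressing in the clear and a payload
// that is either plaintext or AES-GCM ciphertext followed by its authentication tag.
type Frame struct {
	Src, Dst string
	Nonce    []byte
	Payload  []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send produces the frame a member host puts on the wire; the segment policy is
// applied transparently, so the application never chooses whether to encrypt.
func (s *Segment) Send(src, dst string, msg []byte) (Frame, error) {
	if !s.Hosts[src] || !s.Hosts[dst] {
		return Frame{}, errors.New("endpoint is not a member of segment " + s.Name)
	}
	if !s.Encrypt {
		return Frame{Src: src, Dst: dst, Payload: msg}, nil
	}
	aead, err := newAEAD(s.key)
	if err != nil {
		return Frame{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Frame{}, err
	}
	// The src/dst pair is bound as associated data so the tag also covers addressing.
	ct := aead.Seal(nil, nonce, msg, []byte(src+"->"+dst))
	return Frame{Src: src, Dst: dst, Nonce: nonce, Payload: ct}, nil
}

// Receive is the other end of the transaction: on an encrypted segment the tag is
// verified before any data reaches the application.
func (s *Segment) Receive(f Frame) ([]byte, error) {
	if !s.Encrypt {
		return f.Payload, nil
	}
	aead, err := newAEAD(s.key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, f.Nonce, f.Payload, []byte(f.Src+"->"+f.Dst))
}

// Exposed reports whether the message can be read straight off the wire frame.
func Exposed(f Frame, msg []byte) bool { return bytes.Contains(f.Payload, msg) }

// Corrupt flips one payload byte, modelling an in-flight modification that
// integrity protection is expected to catch.
func Corrupt(f Frame) Frame {
	p := append([]byte(nil), f.Payload...)
	if len(p) > 0 {
		p[0] ^= 0x01
	}
	return Frame{Src: f.Src, Dst: f.Dst, Nonce: f.Nonce, Payload: p}
}

func main() {
	msg := []byte("mortgage_balance=250000") // constructed sample record
	for _, encrypt := range []bool{false, true} {
		seg, err := NewSegment("banking", []string{"app", "db"}, encrypt)
		if err != nil {
			panic(err)
		}
		f, _ := seg.Send("app", "db", msg)
		_, tamperErr := seg.Receive(Corrupt(f))
		fmt.Printf("encrypt=%-5v readable on wire=%-5v tamper detected=%v\n",
			encrypt, Exposed(f, msg), tamperErr != nil)
	}
}
```

Running it prints one line per scenario: with the flag off the record is readable on the wire and a modified frame is accepted unnoticed; with the flag on the same observer sees only ciphertext and the modified frame is rejected at the receiving end, which is the “after” state of the demonstration.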


As well as working within a network, the same encryption was shown to keynote attendees being applied to machines hosted on Amazon Web Services connected to the encrypted network segment. And it wasn’t only traffic that was protected – storage could be added to a network segment that was protected by DNE.

It seems logical that virtualisation will be deployed extensively in order to manage the proliferation of devices and platforms that is plaguing the security industry. Certainly, during RSA Conference 2016, this has been a recurring theme as many speakers have noted the need to simplify the technology stack.

Too many security solutions have been deployed, each addressing a specific point of vulnerability. What Gelsinger and his team showed was the potential to simplify the deployment of an enterprise-wide encryption system with a virtualisation layer that forms a connective fabric between infrastructure and security tools.

Stories by Anthony Caruana

Latest Videos

More videos

Blog Posts