Integrating visibility and security controls directly into virtual machines is helping companies enforce security policies across cloud-based application architectures, a senior VMware security executive has said, as the company launches the latest step in its push to bring security into the data centre.
Jeff Jennings, senior vice president and general manager of VMware’s networking security business, called the virtualisation layer the “connective tissue of the data centre” and “a natural place to insert some interesting security controls” in his address to the company’s Evolve conference in Melbourne this month.
“All too often security has been a bit of an afterthought,” he said. “You build your thing and then build in the security afterwards. But that has to change: the way we build data centres is different than before. Interconnectedness is breeding more opportunity and more surface area for these types of attacks – and as applications become services and are disaggregated, all of those communication points are potential vulnerabilities.”
VMware has been steadily filling out its virtual machine (VM) management story in recent years, with its $US1.5b acquisition of AirWatch providing a platform for unifying its cloud and mobile-based environments – and tools like VMware Identity Manager providing authentication across both platforms.
Supporting these tools is an architecture based on microsegmentation and ‘least privilege’ design, in which virtual resources are tightly cordoned off and given access to nothing more than the few resources they need to do their job.
Integration of security policies at the VM level had allowed companies to build default microsegmentation controls and security protections into every VM – and preserve those controls even as the VMs are moved throughout the data-centre infrastructure.
Broader use of microsegmentation had paved the way for endpoint protection – due in the third quarter as VMware App Defence – that integrates ongoing monitoring capabilities at the VM level, providing visibility into the activities of each machine and giving administrators the ability to query and isolate any unusual activity.
This approach allows administrators to create a “virtuous cycle” that enables transformation of the security posture, Jennings said. “This gives you a chance to update your security controls, have them enforced across the entire environment, and close down the network very specifically if there is suspicious behaviour such as a new process, or an old process that communicates in a way that we don’t expect it to.”
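As an added illustration (not VMware's code, and not how App Defence is implemented), the following Python sketches the per-VM, deny-by-default policy and the two deviations Jennings describes: a new process appearing, or a known process communicating outside its baseline. The VM names, process names, hosts and events are constructed for the example.

```python
# Added example (not VMware code): a least-privilege, per-VM allowlist in the
# spirit of the microsegmentation and behaviour-monitoring approach described
# above. Policy is keyed by VM identity, so it travels with the VM when it is
# migrated to another host; anything not explicitly allowed is denied.
from dataclasses import dataclass, field

@dataclass
class VmPolicy:
    """Expected behaviour for one VM: which process may talk to which peer:port."""
    vm: str
    allowed: set = field(default_factory=set)   # {(process, peer_vm, port)}

@dataclass
class Event:
    vm: str
    host: str          # physical host the VM currently runs on; irrelevant to policy
    process: str
    peer_vm: str
    port: int

POLICY = {   # constructed three-tier baseline
    "web-01": VmPolicy("web-01", {("nginx", "app-01", 8080)}),
    "app-01": VmPolicy("app-01", {("java", "db-01", 5432)}),
    "db-01":  VmPolicy("db-01", set()),  # the database initiates nothing
}

def evaluate(event, policy=POLICY):
    """Return (verdict, reason). Deny by default; isolate on a new process or on a
    known process that communicates outside its baseline."""
    p = policy.get(event.vm)
    if p is None:
        return "isolate", "unknown VM"
    if (event.process, event.peer_vm, event.port) in p.allowed:
        return "allow", "matches baseline"
    known_procs = {proc for proc, _, _ in p.allowed}
    if event.process not in known_procs:
        return "isolate", f"new process {event.process!r} on {event.vm}"
    return "isolate", f"{event.process!r} on {event.vm} reached {event.peer_vm}:{event.port} outside baseline"

# Constructed sample events
EVENTS = [
    Event("web-01", "esx-a", "nginx", "app-01", 8080),  # normal
    Event("web-01", "esx-b", "nginx", "app-01", 8080),  # same VM after migration: still allowed
    Event("web-01", "esx-b", "nc", "db-01", 5432),      # new process on the web tier
    Event("app-01", "esx-a", "java", "web-02", 22),     # old process, unexpected destination
]

def triage(events=EVENTS, policy=POLICY):
    """Evaluate every event against the policy, preserving order."""
    return [evaluate(e, policy) for e in events]
```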
Better security controls may seem esoteric but they set the stage for fulfilment of broader corporate objectives that are crucial for business survival, Jennings said. These include modernising the corporate data centre, empowering digital workspaces, and embedding security throughout the corporate infrastructure.
Ultimately, these objectives feed the even broader requirement for brand protection – which is in itself driven by the company’s ability to assure customers that their data is protected during dealings with the company. This is particularly important given the seamless crossover between mobile and fixed worlds, which presents complexities for data management that customers don’t want to have to deal with.
It also supports governance, regulatory and compliance (GRC) objectives that are becoming even more important as looming Notifiable Data Breach (NDB) and EU GDPR requirements hold Australian companies of all sizes to new levels of accountability in 2018 and beyond.
Data breach legislation is “the big unknown” with uncertain results this early in the game, said Nigel Phair, managing director of the Centre for Internet Safety during his Evolve presentation. And this, he said, directly affects companies’ ability to position their brands as trustworthy – providing further motivations to build security into every part of the computing infrastructure.
“When you’re starting to sell yourselves within your organisational community, you want to bake security into everything you do,” he said. “The value proposition of your organisation – and, indeed, getting staff to work for you – is a good, safe, online environment. Being a resilient organisation is really going to be your internal value proposition on how you react and respond.”
That response reflects the three main business outcomes that Jennings identified as critical for every organisation: business agility and innovation, providing an “exceptional” mobile experience, and protection of brand and customer trust.
“You can do a great job on the first two but if you do poorly on the last one, your business is not going to thrive,” he said. “Having that virtualisation layer can really lift all of your security boats at once.”
“Because it’s consistent and managed from a central place, it’s very easy to apply centralised security across your environment. And if you think about security from the beginning, you don’t have to go back and think about it after everything is in place.”