VMware Cloud Foundation Hyperconverged Infrastructure VMware Validated Designs (VVD)

Data Center Security Architecture and Workload Protection with VMware Cloud Foundation

In our previous blog post in this series – The Current State of Private Cloud Security – we discussed the relevance of a stronger, more proactive stance when it comes to security architecture. We covered how current threats are becoming more targeted and better at overcoming classic security methods, and how VMware Cloud Foundation is the differentiated solution that deploys a software-defined datacenter with security at the heart of it.

In this second iteration of our blog series we will go deeper into the practicalities of workload security and how customers can achieve intrinsic security by leveraging Cloud Foundation’s native security environment.

From Perimeter Security to Micro-segmentation

Micro-segmentation is an evolution of networking security that allows security architects to design and divide the data center based on specific security segments rather than default network segment. 

The fundamental constraints of traditional, perimeter-centric security architecture impact both security posture and application scalability in modern data centers. For example, hair-pinning of traffic through physical firewalls at the perimeter of the network creates an extra latency for certain applications. 

With perimeter firewalling, however, it quickly becomes cumbersome to prevent access within the same network segment. This makes it possible for cyber attackers to take advantage of a potentially breached machine in order to spread the damage further (illustrated below), meaning that one entry point is sufficient to create havoc in the infrastructure.

Preventing Lateral Spread and Implementing Zero-Trust With Micro-Segmentation

What micro-segmentation changes is that security architects can now divide the datacenter into distinct security segments down to the individual workload level. This allows for the creation of security controls that deliver specific services for each segment. Instead of relying on multiple physical firewalls, or even their virtualized counter-parts, micro-segmentation can be used to protect every virtual machine (VM) and container in the enterprise network. 

As we witnessed previously, in the absence of micro-segmentation, threats can easily spread within network segments. The example below leverages a perimeter security architecture, meaning that traffic has to travel from the machines back to the perimeter firewall to be allowed in and outside of their segments but are free to interact with other machines in the same segment. Once the monitoring VM (which is traditionally connected to numerous workloads in any enterprise datacenter) has been infected, it can easily spread to many other workloads in the datacenter. 

When deploying micro-segmentation, the architecture demands a group-based policy, zero-trust security architecture where rules are applied granularly based on access requirements. In the event of a breach of a specific machine, the breach remains contained, and the machine quarantined as a result of existing security policies. Additionally,  security is now applied locally, on a per-machine basis. Because security policies are applied to separate workloads, micro-segmentation can significantly bolster a company’s resistance to attack.

Ransomware and lateral movement of threats make east-west the new battleground just like in the illustrations above. Micro-segmentation allows for a smooth migration to zero-trust security that is easy to deploy and most importantly introduces automation as part of the security architecture. VMware Cloud Foundation leverages the NSX Distributed Firewall to offer a software-delivered, distributed security architecture that centers on workload protection and zero-trust while reducing overall costs.

Takeaways and Taking Security Further

Micro-segmentation redefines data center security by creating “demilitarized zones” for security within the private data center and across multiple data centers. By tying fine-grained security policies to individual workloads, micro-segmentation software limits an attacker’s ability to move laterally through a data center, even after infiltrating the perimeter defenses.

In the next blog in the series, we will focus on the tenets of a successful implementation with VMware Cloud Foundation. Implementing micro-segmentation comes in four key steps:

  1. Application discovery – The importance of visibility and observability
  2. Dynamic security group creation – Who and how should be segmented based on the information from the application discovery step
  3. Security policy creation – How to create a scalable security policy and how to leverage automation and orchestration for maximum efficiency
  4. Security policy enforcement – How to ensure that the newly minted security rules are enforced and executed


Leave a Reply

Your email address will not be published. Required fields are marked *