Tag Archives: nsx

5 Steps to Build a Security Strategy for the Digital Enterprise

From team bonding to micro-segmentation: a 5-step journey to develop a proactive security mindset in your cloud organization.

By Pierre Moncassin

Only a few years ago, security was at best an afterthought for some cloud teams. Everyone in the team thought that security was someone else’s problem. For some less-fortunate organizations, this mindset did not change until a major security breach occurred, with resulting financial losses and reputational damage, not to mention job cuts. By that point security did become everyone’s problem, but that realization happened far too late.

To avoid this sort of less-than-optimal scenario, let me share here what I see as some key steps to develop a security mindset right at the core of your cloud organization.

First, why is security in the cloud specifically challenging?

IT security risks have of course existed well before the cloud era. However, cloud technologies have brought a new dimension to the risk. Reasons include:

  • Due to the unprecedented ease and speed of provisioning infrastructure, a new population of business users has become able to provision its own cloud infrastructure. They may not all be fully aware of the corporate IT security guidelines (or may not feel bound to follow them strictly).
  • Fast provisioning in the cloud has often led to a proliferation of “temporary” workloads, many of which are not rigorously controlled.
  • Data in the cloud can be stored anywhere. Users are usually not aware of where their data is located physically, or have no control over that location. Therefore protecting confidential data becomes an additional challenge. Some countries’ legislation, for example, mandates that confidential data about their nationals must remain within designated geographies.

Step 1: Build a broad awareness and knowledge base.

All cloud team members need to understand the basics of security for their cloud platform. That includes not only the enterprise security policy, but also a broad awareness of relevant laws (e.g. data protection) and compliance requirements (e.g. PCI, Sarbanes-Oxley). It also helps to build some basic awareness of common security breaches. In order to incentivise this learning, consider including security training in personal objectives (also known as ‘MBO’), and include security awareness in new-hire onboarding and individual training plans.

Step 2: Break down technical silos

As I explained in my recent blogs, technical silos occur quite naturally as specialists organize themselves along groups of expertise (networks and servers, operating systems and hardware). However, entrenched silos can easily cause gaps in security coverage. This is because hackers are experts at finding the fault lines between silos, those tiny gaps from which they can launch an intrusion. They will look for the ‘weakest link’ wherever it might be found (e.g. an access password that is too simple, an unpatched operating system, lax email security, a defective firewall; the list of risks is long).

Instead of relying on a silo mentality, the team needs to consider security end-to-end, and assume that breaches can occur in any layer of the infrastructure. In the same way as cloud services need to be designed end-to-end across silos, teams need to work together to manage security risks.

Step 3: Involve the business stakeholders

Part of setting up a cloud organization with VMware’s model involves building close working relationships with business stakeholders. Specific roles within VMware’s cloud organization model will be in place to liaise with the business (e.g. Service Owner, Customer Relationship Manager). Security is a key part of this cooperation. Some key aspects are:

  • Clearly establish responsibilities (e.g. who patches the workloads? who checks compliance?);
  • Document the responsibilities and expectations, e.g. within the service level agreements;
  • Ensure regular communication about security between business users and the cloud team (e.g. are there security-critical applications? Confidential data? What level of confidentiality?).

Step 4: Automate day-to-day security & compliance checks.

As part of operating a VMware cloud, the team will most likely be using tools such as VMware’s vRealize Automation and vRealize Operations Manager. These tools can be configured and leveraged to enhance some of your security and compliance procedures, adding much-needed automation to routine, day-to-day activities that otherwise consume effort and attention. Here are some examples of steps your teams can take to leverage these tools for security and compliance.

  • Ensure that provisioning blueprints are up to date with the latest security policy (e.g. patch levels).
  • Configure vRealize Operations Manager’s dashboards to display an aggregate view of compliance risk across your virtual infrastructure. For example, vRealize Operations Manager can be configured with extensions and third-party integrations that extend its analytical capabilities across a broad variety of sources, including VMware Cloud Air, VMware NSX, Amazon AWS and NetApp Storage (for further details, see: http://www.vmware.com/files/pdf/vrealize/vmware-vrealize-operations-management-packs-wp-en.pdf).
  • Leverage vRealize Operations Manager’s ability to automate and report on compliance checks (the technical capabilities are described in more detail in this VMware blog: https://blogs.vmware.com/management/2015/03/compliance-in-vrealize-operations-6.html).
  • Leverage the potential of automated integration with your support desk. Once detected, compliance or risk issues must be acted upon. These events can automatically trigger the creation of an incident ticket. I have outlined the potential of such integrations in an earlier blog: https://blogs.vmware.com/cloudops/2015/09/cloud-itsm-integration.html
  • From an organizational point of view, what we want is to automate as far as possible the bulk of routine compliance checks and security monitoring, so that the teams can focus on the ‘big picture’ work of proactively identifying emerging security threats.

Step 5: Shift paradigm on network security with micro segmentation.

Whilst the expression “paradigm shift” has been much over-used, it still fits perfectly to describe the evolution from traditional network security to micro-segmentation.

The traditional approach to securing a private cloud’s network is to set up strong security (firewalls) at the perimeter. This is the fortress model of security: highly protected boundaries (the perimeter) and a gate to control traffic at the entrance.

The downside is that all “fortresses” share a weakness by construction. To understand why, let’s consider the typical stages of a data breach:

  • Intrusion: the attacker finds a breach in the perimeter.
  • Lateral Movement: the intrusion is expanded, for example by compromising neighboring workloads or applications.
  • Extraction (exfiltration): potentially sensitive data is copied out of the compromised systems.
  • Cleanup/deletion: the intruder attempts to remove traces of the intrusion (deleting log files etc.).

In the event where an intruder manages to pass through the security gate, moving from room to room within the fortress becomes relatively easy. In IT terms, once a network’s perimeter is breached and a first workload is compromised, the intruder can often move “laterally” to compromise other workloads with little or no challenge, then locate potentially sensitive data to retrieve (‘exfiltrate’). There may be other lines of defense within the fortress (traditional network), but these tend to be static, and once broken the same problem of “lateral mobility” occurs again.

Micro-segmentation allows fine-grained network security that can not only prevent the initial intrusion, but also challenge attempts at the other stages, i.e. lateral movement, exfiltration and cleanup. The reason is that each ‘room’ (or workload) can be isolated from the others. We could compare this new model to the layout of a submarine, where each section of the ship is partitioned by watertight doors. Each compartment (micro-segment) can contain an intrusion. The would-be intruder is just as challenged to move from one compartment to the next as to get past the entrance door in the first place.

However, micro-segmentation means more than fine-grained network isolation. It offers the possibility to tailor security policies down to the workload level, raising control over cloud security to a new level.

For example, network security rules can be associated with logical objects such as a workload. When the workload is moved from one network location to another, the security rules are maintained: they ‘follow’ the workload rather than being attached to a fixed network address.
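To make the contrast concrete, here is a small Python model of the three approaches described above: a flat interior behind a perimeter, segmentation rules bound to addresses, and rules bound to the workload’s logical tier that keep applying after the workload moves. It is an added illustration, not code from the original post and not an NSX API; the tiers, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Workload:
    name: str
    tier: str  # logical identity (tag), e.g. "web", "app", "db"
    ip: str    # current network address; changes when the workload moves

@dataclass
class AddressRule:
    """Traditional rule: bound to source/destination address ranges."""
    src_cidr: str
    dst_cidr: str
    port: Optional[int]  # None means any port

    def matches(self, src: Workload, dst: Workload, port: int) -> bool:
        return (ip_address(src.ip) in ip_network(self.src_cidr)
                and ip_address(dst.ip) in ip_network(self.dst_cidr)
                and self.port in (None, port))

@dataclass
class TagRule:
    """Micro-segmentation style rule: bound to logical tiers, not addresses."""
    src_tier: str
    dst_tier: str
    port: int

    def matches(self, src: Workload, dst: Workload, port: int) -> bool:
        return (src.tier == self.src_tier and dst.tier == self.dst_tier
                and port == self.port)

def allowed(rules, src: Workload, dst: Workload, port: int) -> bool:
    """Default deny: a flow passes only if some rule explicitly matches it."""
    return any(r.matches(src, dst, port) for r in rules)

def reachable(rules, workloads: List[Workload], start: Workload, port: int) -> List[str]:
    """Names of the workloads a compromised `start` could reach on `port`
    (one lateral-movement hop)."""
    return sorted(w.name for w in workloads
                  if w is not start and allowed(rules, start, w, port))

def move_workload(w: Workload, new_ip: str) -> Workload:
    """Relocate a workload to a new subnet (e.g. after a migration)."""
    return Workload(w.name, w.tier, new_ip)

# Constructed three-tier application, one workload per tier.
WEB = Workload("web01", "web", "10.1.0.10")
APP = Workload("app01", "app", "10.2.0.10")
DB = Workload("db01", "db", "10.3.0.10")
WORKLOADS = [WEB, APP, DB]

# Fortress model: hardened perimeter, any-to-any traffic inside 10.0.0.0/8.
FLAT = [AddressRule("10.0.0.0/8", "10.0.0.0/8", None)]
# Address-bound segmentation: only the intended tier-to-tier flows.
ADDR_SEG = [AddressRule("10.1.0.0/24", "10.2.0.0/24", 8080),
            AddressRule("10.2.0.0/24", "10.3.0.0/24", 5432)]
# Tag-bound segmentation: the same intent, expressed on the logical objects.
TAG_SEG = [TagRule("web", "app", 8080), TagRule("app", "db", 5432)]
```

With a compromised web01, `reachable(FLAT, WORKLOADS, WEB, 5432)` returns both other tiers while both segmented rule sets return nothing; after `move_workload(DB, "10.9.0.5")`, only the tag-bound rules still allow the legitimate app-to-database flow.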

[Figure: Security Rules]

Leveraging that potential requires a new mindset, shifting from a static security model to dynamic, fine-grained security. It also requires the cloud team to develop new skills. For example, as automation replaces routine configuration work, traditional network skills need to be complemented with design and programming skills.

Key takeaways:

  • Think of security as, by its nature, teamwork. Encourage your team to coordinate security across silos: users, cloud engineers, security teams.
  • Leverage your automation tools such as VMware vRealize Automation and vRealize Operations Manager; they will help automate some of your security and compliance procedures.
  • Transform your team’s perspective on network security by leveraging micro-segmentation, moving from the traditional ‘fortress’ security model to a dynamic, fine-grained approach.

Pierre Moncassin is an operations architect with the VMware Operations Transformation global practice and is based in the UK.

VMworld US – Day 2

Monday, August 31

From an Operations Transformation Services perspective, the first full day of VMworld was a cracker! (I’m British – that means very good!)

By Andy Troup

Our presenters had a number of insights to share (remember, with your VMworld conference pass you have access to recordings of any sessions you might have missed within 24 hours, found either on the VMworld mobile app or on vmworld.com). Dave Crane, one of our Operations Transformation Services solution architects, offered this advice in the Advanced Automation Use session this morning:

“If you only take away one key point from this session, it should be about the importance of a reference framework.”

The reference framework is oriented around a specific capability (in the example presented in this session, the automated provisioning process). The reference framework document describes all of the steps in the capability, ensures business and IT alignment, and provides the baseline for your governance activities (leave a comment on this post if you have a specific question for Dave regarding this topic).

One of our customer presenters took us through their multi-year transformation journey story (people and process alignment featuring prominently, again!), and the critical role that the vRealize Operations tool plays in terms of visibility and management along that journey.

Tomorrow will be another really interesting day, with a variety of transformation topics. Of particular note, I’d like to call attention to the Organizational Change Group Discussion at 12:30 PM (OPT 4743) where a number of our solution architects with extensive on-site customer experience will share real-world organizational change insights, best practices and pitfalls in an interactive format.

Here’s the schedule for Tuesday, September 1:

  • 11:30 AM – OPT 4953:
    Operationalizing VMware NSX: Practical Strategies and Lessons from Real-World Implementations
  • 12:30 PM – OPT 4743:
    Organizational Change Group Discussion
  • 1:00 PM – OPT 4868:
    DevOps Transformation: Culture, Technology or Both?
  • 2:30 PM – OPT 4992:
    vRealize CodeStream: Is DevOps about Tools or Transformation?
  • 4:00 PM – OPT 5222:
    Keys to Successfully Marketing and Managing your vRealize Automation Service Catalog
  • 5:30 PM – OPT 5075:
    Six Steps to Establish Your IT Business Management Office (ITBMO) with vRealize Business

Visit the VMworld mobile app to locate these sessions, and be sure to follow us on Twitter to find more information and resources: @VMwareCloudOps.

See you at Moscone.

Andy Troup is a Cloud Operations Architect with over 25 years of IT experience. He specializes in Cloud Operations and Technology Consulting Service Development. Andy is also a VCAP-DCA and VCP. Andy possesses a proven background in the design, deployment and management of enterprise IT projects. Previously, Andy co-delivered the world’s first and subsequent vCloud Operational Assessments (Colt Telecomm & Norwegian Government Agency) to enable the early adoption of VMware’s vCloud implementation.


Build Your Operations Transformation Agenda for VMworld 2015

By: Andy Troup

VMworld 2015

VMworld 2015 is nearly upon us and I’d like to give you an overview of the Operations Transformation (OPT) Track that will be running again this year to help you get the most out of what’s on offer.

As a reminder, the track is focused on helping you understand how the VMware Software-Defined Data Center is redefining IT infrastructure, and how it enables IT organizations to combine technology and a new way of operating to become more service-oriented and focused on business value. This track offers unique opportunities to learn the latest best practices and key considerations from experienced VMware experts, practitioners, and the real-world experiences of customers transforming their IT infrastructures and operational processes.

This year in San Francisco, the OPT track is offering 3 different types of sessions. There are 23 breakout sessions and one Group Discussion session all of which last for an hour. In addition to these, and new for this year, there are also 4 Quick Talk sessions which last for 30 minutes and are available on Sunday 30th August.

The focus for this year’s OPT track is on a number of different areas, which I’ll give you a quick insight into.

Operations Transformation

The track as a whole is all about how to transform the way that you operate so that you can really start to get the benefits of your technology investment and become a service provider to your customers. There are a number of sessions that cover how transformation is achieved. There will be customers who will give you a view of the transformation they have undertaken and how they approached it, including a session covering VMware’s own transformation and the “OneCloud” implementation. Some of VMware’s transformation specialists who have helped many customers undertake a transformation will also be providing you with details of best practices and pitfalls to watch out for. Check out the following sessions:

  • OPT4682-QT – A Roadmap for Transformation – Planning Your Future State and Ensuring Governance
  • OPT4684 – Engineers in The Cloud – The New Model of Datacenter Operation
  • OPT5010-QT – The Lifecycle of Cloud Services
  • OPT5069 – Enterprise Hybrid Cloud—Federal Case Study
  • OPT5238 – VMware IT DevOps Transformation: A VMware on VMware Showcase
  • OPT5361 – Best Practice Approaches to Transformation with the Software-Defined Data Center
  • OPT5509 – Building an Enterprise Hybrid Cloud Strategy and Operating Mode
  • OPT5709 – Customer Experience—Building a Software Defined Data Center with CIT
  • OPT5814-QT – AGILE for Infrastructure: Utilizing Agile Methods to Drive Iterative Infrastructure Development and IT Service Delivery
  • OPT5972 – 80,000 VM’s and Growing! VMware’s Internal Cloud Journey Told by the People on the Frontline


DevOps is a big theme this year, and the OPT track will cover how the technology is enabling operational change to make DevOps become a reality. If you’re new to DevOps, then one of our specialists has a session covering the DevOps concept. There are some customers as well as VMware IT talking about how they were able to embrace DevOps. Also, how VMware’s technology is helping DevOps transformations will be covered in a number of sessions by some of our specialists. Check out the following sessions:

  • OPT4868 – Your DevOps Transformation:  Culture, Technology or Both?
  • OPT4992 – VMware vRealize Code Stream:  Is DevOps about Tools or Transformation?
  • OPT5235 – Cloud-Native Apps, Microservices and Twelve-Factor Apps: What Do They Mean for Your SDDC/Cloud Operations?
  • OPT5238 – VMware IT DevOps Transformation: A VMware on VMware Showcase
  • OPT5960 – VMware NSX with a DevOps Mentality:  Streamline Your Operations for Zero Downtime Networking
  • OPT6227 – Developing a new IT:  How the Boeing Company IT Department is empowering its Customers through internal cloud and services

vRealize Suite

The vRealize suite of products features in the OPT track this year, covering vRealize Automation, vRealize Business, vRealize Operations and vRealize CodeStream and how they have been instrumental in enabling operational transformation. How vRealize Business can be used to help you become service focused and really manage IT as a business will be covered, as well as how to build effective cost models.

Other sessions will show how the implementation of vRealize Operations has enabled customers to undertake their transformation and manage the services that they are offering. How close integration between vRealize Operations and vRealize Automation has meant a clearer understanding of the service provision process and the operational benefits will be covered in another session.

Continuing the automation theme, there is a panel session with a number of customers from healthcare who will discuss automation in what is a very regulated environment. Check out the following sessions:

  • OPT4680 – Advanced  Automated  Approvals Use Case—Using vRealize Operations and vRealize Automation to Seize Back the Approval Charter
  • OPT4707 – Integrating vRealize Automation with Service Catalogs:  Does Your Implementation Strategy Align with Your Integration Needs?
  • OPT4992 – VMware vRealize Code Stream:  Is DevOps about Tools or Transformation?
  • OPT5029 – How to Use Service Definitions in VMware vRealize Business to Build Highly Effective, Service-Based Cost Models
  • OPT5075 – 6 Steps to Establish Your IT Business Management Office (ITBMO) with VMware vRealize Business
  • OPT5222 – Keys to Successfully Marketing and Managing Your vRealize Automation Service Catalog
  • OPT5369 – Pro-Active Monitoring of a Service: People, Process and Technology
  • OPT5279 – Chargeback in the Department of Defense
  • OPT5387-QT – Talking Security’s Language Using NSX, LogInsight and vRealize Tools
  • OPT5519 – Nimble Automation in a Regulated Environment:  Good, Fast and Cheap.  Pick Any Two.
  • OPT6226 – Kaiser:  Metrics-driven Transformation: Using vROps as the Foundation for Operations Transformation


NSX has become front of mind for many people, and there is a realization that this technology product is having a big impact on the way that IT groups operate. The OPT track is offering some sessions that will provide real-world experiences of how this takes shape.

  • OPT4953 – Operationalizing VMware NSX:  Practical Strategies and Lessons from Real-World Implementations
  • OPT5387-QT – Talking Security’s Language Using NSX, LogInsight and vRealize Tools
  • OPT5960 – VMware NSX with a DevOps Mentality:  Streamline Your Operations for Zero Downtime Networking


The impact that the implementation of the Software Defined Datacenter has on organizational structure is a common discussion point, and this year the OPT track offers both a session covering organizational change management and a group discussion with leading organizational change specialists who have a vast amount of experience with many customers.

  • OPT4743-GD – Organizational Change Group Discussion
  • OPT5793 – Organizational Change Management and SDDC:  Why Getting Your Organization and People Aligned Are the Key Ingredient in Ensuring Maximum Value

As you can see, there’s a large selection of sessions covering a number of different topics. If you’re lucky enough to be attending in San Francisco and you’d like to build your event around the Operations Transformation track, download this handy PDF.


Andy Troup is a senior solution architect with the Operations Transformation Services practice based in the UK.