These days, it is common to hear about a new security breach or vulnerability in the news. In fact, recent reports [1] suggest that 2019 has seen more than 50% more breaches than the previous four years. Ironically, these breaches continue to rise even as companies invest record amounts of money and add more security tools to help prevent exactly that. An average large enterprise today runs over 100 security tools [2], while information security spending for 2019 is expected to exceed $125B [3].
Clearly, the issue is not with lack of intent but with execution. Traditionally, security teams took a Castle and Moat approach when it came to protecting enterprise resources, one in which everything inside the Castle (network perimeter) was considered trustworthy and Moats (Firewalls, network access controls etc.) were put in place to restrict the less trustworthy resources that tried to access enterprise data from outside the perimeter. In today’s complex IT world in which users access all types of apps (SaaS, on-prem, native, virtual) from all types of devices (mobile, desktop, IoT) from many locations (within and outside the corporate network), organizations need a security model that is dynamic, flexible and simple.
While traditional and outdated approaches to security focus on bolting on new security tools to secure the perimeter while trusting every resource inside it, a newer security model called Zero Trust does away with the concept of implicit trust. With Zero Trust, every resource is treated as if it were external: the network a request arrives from confers no trust by itself. The Zero Trust model relies on continuous verification of trust across devices, users and apps before (and while) granting access to enterprise resources.
Staying true to the principles of Zero Trust, VMware published a Zero Trust Security Architecture at VMworld 2019 Europe that outlines how organizations can enable end-to-end Zero Trust access based on 5 tenets: device management and compliance, conditional access, app tunnel and proxy, risk analytics, and automated remediation & orchestration.
Path to Zero Trust
The Path to Zero Trust starts from the basic need to secure devices, identity, and the connection between them and the application. It then builds on that foundation with risk analytics and automated remediation, which make the security model dynamic: access decisions adapt to risk scores, and policy violations are answered with automated remediation rather than manual follow-up. The Path to Zero Trust covers all use cases (cloud, on-premises and hybrid applications), but every organization will define its own journey and apply these tenets in the ways that suit it best. Whether you are a modern company accessing all applications from the cloud or a large enterprise with a hybrid environment, VMware's Workspace ONE is the only digital workspace platform that can bring all these critical technologies together to enable Zero Trust security:
• Device Management and Compliance: Workspace ONE Unified Endpoint Management (UEM) enables customers to manage all devices – mobile, desktop, rugged and IoT – across all platforms from a single console. Workspace ONE UEM checks for device compliance (OS updates, security patches etc.) before granting access.
• Conditional Access: Workspace ONE Access is the conditional access engine, supporting customers’ existing identity infrastructure, and leverages continuous verification of compliance provided by Workspace ONE UEM and Workspace ONE Intelligence analytics. Workspace ONE Access also can invoke step up multi-factor authentication as dictated by policy.
• App Tunnel and Proxy: Least privilege access to on-premises applications is enabled via the cross-platform Workspace ONE Tunnel and Unified Access Gateway (UAG), and/or by delivering applications virtually with VMware Horizon. Virtualization keeps the application infrastructure off the endpoint, and the virtualized applications are reached through UAG edge services rather than by direct network access.
• Intelligence Risk Analytics: Launched at VMworld 2019 U.S., Workspace ONE Intelligence now offers user and device risk scores – quantifiable scores based on multiple risk attributes that can be used within conditional access policies and to initiate automated remediations.
• Automated Remediation & Orchestration: Workspace ONE Intelligence enables automated remediations and orchestrates workflows across critical ITSM investments for ticketing, notifications, and other actions.
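The five tenets above describe one decision flow: check device compliance first, then weigh a risk score against the sensitivity of the application, and either allow, demand a step-up factor, or deny and kick off remediation. The following is an added illustration of that flow in Python; it is not Workspace ONE code and does not use any VMware API. The posture fields, risk thresholds, sensitivity tiers and remediation action names are all assumptions chosen for the example.

```python
"""Illustrative Zero Trust conditional-access evaluator.

Added example only: the field names, thresholds and remediation identifiers
below are hypothetical and do not correspond to any product's API.
"""
from __future__ import annotations

import time
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_MFA = "step_up_mfa"
    DENY = "deny"


@dataclass
class DevicePosture:
    """Compliance signals a UEM-style agent would report (hypothetical fields)."""
    managed: bool
    os_patched: bool
    disk_encrypted: bool
    reported_at: float  # epoch seconds of the latest compliance report


@dataclass
class AccessRequest:
    user: str
    app: str
    app_sensitivity: int      # 1 = low, 2 = medium, 3 = high (assumed tiers)
    device: DevicePosture
    user_risk: float          # 0.0 (clean) to 1.0 (worst), from analytics
    device_risk: float
    mfa_satisfied: bool       # a strong factor was already completed this session
    now: float


# A compliance report older than this is treated as unknown: "continuous"
# verification means a clean report from this morning does not authorize now.
MAX_POSTURE_AGE_S = 15 * 60

# Risk at or above which access is refused outright, even with MFA done.
DENY_RISK = 0.85

# Per-sensitivity risk at or above which a step-up factor is required.
STEP_UP_RISK = {1: 0.70, 2: 0.50, 3: 0.30}


def compliance_failures(device: DevicePosture, now: float) -> list[str]:
    """Return the list of compliance checks the device currently fails."""
    failures = []
    if not device.managed:
        failures.append("unmanaged")
    if not device.os_patched:
        failures.append("os_unpatched")
    if not device.disk_encrypted:
        failures.append("disk_unencrypted")
    if now - device.reported_at > MAX_POSTURE_AGE_S:
        failures.append("posture_stale")
    return failures


def evaluate(req: AccessRequest) -> tuple[Decision, list[str], list[str]]:
    """Return (decision, reasons, remediation actions) for one access attempt.

    Order matters: device compliance gates everything, then the combined risk
    score chooses between deny, step-up MFA and allow. The action strings are
    hypothetical workflow identifiers (ticketing, quarantine, session revocation).
    """
    failures = compliance_failures(req.device, req.now)
    if failures:
        actions = ["notify_user", "open_ticket"] + [f"enforce:{f}" for f in failures]
        return Decision.DENY, failures, actions

    # Take the worse of the user and device scores so that a clean user on a
    # suspicious device (or vice versa) does not average down to "fine".
    risk = max(req.user_risk, req.device_risk)
    if risk >= DENY_RISK:
        # Block and contain rather than prompt: a compromised session may well
        # be able to satisfy an MFA prompt, so step-up is the wrong response here.
        return Decision.DENY, [f"risk={risk:.2f}"], [
            "revoke_sessions", "quarantine_device", "open_ticket"]

    # Unknown sensitivity falls back to the strictest tier (fail closed).
    threshold = STEP_UP_RISK.get(req.app_sensitivity, STEP_UP_RISK[3])
    if risk >= threshold and not req.mfa_satisfied:
        return Decision.STEP_UP_MFA, [f"risk={risk:.2f}>={threshold}"], []

    return Decision.ALLOW, [f"risk={risk:.2f}"], []


if __name__ == "__main__":
    # Constructed sample: a compliant, recently checked-in laptop opening a
    # high-sensitivity app with a moderate risk score and no MFA yet.
    now = time.time()
    posture = DevicePosture(managed=True, os_patched=True, disk_encrypted=True,
                            reported_at=now - 120)
    req = AccessRequest("alice", "payroll", 3, posture, 0.4, 0.1, False, now)
    print(evaluate(req))  # step-up MFA is expected for this request
```

The point of the ordering is that a stale or failed compliance report is never "fixed" by a good risk score or a completed MFA challenge, and that a very high risk score is answered with containment rather than an authentication prompt.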
VMware Workspace Security: Carbon Black and Workspace ONE
The Zero Trust story doesn't end there. Now that Carbon Black is officially part of the VMware family, it can be extended further by combining real-time endpoint threat detection with the broad compliance view from Workspace ONE Intelligence. An out-of-the-box Workspace ONE Trust Network integration between Carbon Black and Workspace ONE Intelligence means customers can take advantage of this combination from day one. We also announced a new security offering for the Digital Workspace called VMware Workspace Security. Workspace Security brings together Carbon Black's Next-Gen Antivirus (NGAV), Behavioral Endpoint Detection and Response (EDR), and Audit and Remote Response with VMware Workspace ONE Intelligence.
The Path to Zero Trust is neither arduous nor impossible, but it is one that IT and Infosec teams must deliberately architect and build towards in order to address all the different attack vectors in a digital workspace. Adding yet another security tool to solve a single specific problem adds complexity that leaves organizations more vulnerable in the long run. With Workspace ONE, organizations get one platform with end-to-end security built right in. With advanced capabilities such as risk analytics and automated remediation, as well as the ability to integrate partner solutions, Workspace ONE offers a solution that evolves with IT and security strategies, giving organizations peace of mind today and in the future. Find out more about VMware's security capabilities on our website. If you are attending VMworld 2019 Europe, don't miss the following sessions to learn all about Zero Trust and the other security capabilities that are intrinsic to Workspace ONE.