Last week, we spoke at the RSA Conference about a new concept in security – the Goldilocks zone. With the help of Art Coviello, Executive Chairman of RSA, Chris Young, senior vice president and GM of Cisco's Security business unit, and Lee Klarich, senior vice president of product management at Palo Alto Networks, we departed from the typical discussions about new controls or the latest threats. We took the opportunity to lay out what we believe is a fundamental architectural issue holding back substantial progress in cyber security, and how virtualization may provide the answer. The growing use of virtualization and the move towards software-defined data centers deliver huge benefits in speed, scalability and agility; those benefits are undeniable. It may turn out, however, that one of virtualization's biggest benefits is security.

The term "Goldilocks zone" was coined by NASA researchers in the 1970s to describe the conditions that must be simultaneously present for a planet to support life. We co-opted the term to describe the properties that security controls must simultaneously possess to support a secure information infrastructure – properties that, to date, have seemed mutually exclusive.

To our thinking, the Goldilocks zone must simultaneously provide context and isolation for security controls. We can place controls in the endpoint or in the network and trade one property off against the other, but without both at once we simply do not have the right conditions to build a fundamentally secure data center infrastructure. Furthermore, we lack any consistent approach across – and even within – the different infrastructure silos. We lack ubiquity of control.

We assert that virtualization provides these conditions and is therefore a Goldilocks zone for security.

  1. By placing security controls in the hypervisor, we get tremendous context (about applications, identity and data) together with adequate isolation, enabling controls to be far more relevant and effective. That isolation holds only as long as the hypervisor itself stays outside the attacker's reach, so the hypervisor's own attack surface and patch level become the foundation the whole model rests on.
  2. This same layer also enables ubiquity. Virtualization is the fundamental building block of the software-defined data center (SDDC). It sits at the nexus of compute, storage and the network.
  3. VMware aims to play a pivotal role in the transformation of security – not by becoming a security vendor, but by enabling security vendors to build on the virtualization layer and exploit its properties of ubiquity, isolation and context to fundamentally transform their solutions. To demonstrate this point, we discussed examples of new solutions from Palo Alto Networks, McAfee, Rapid7, Symantec and Trend Micro.

Context vs. Isolation

There is a classic debate in security – host-based vs. network-based. Host-based proponents argue that integration into the OS and application enables a higher degree of context – which is true. It also puts security controls smack-dab in the attack zone. One of the first things a great deal of malware does when it lands is disable or blind the anti-virus agent, because the agent runs with the same privileges on the same host and is therefore reachable. Network-based controls avoid this problem by sitting outside the attack zone, but for the most part they have no idea what is happening with the application, process, file or user. So you have to make a choice: do you want meaningful controls (context) or effective controls (isolation)? Clearly we need both, and the virtualization layer – i.e., the hypervisor – is in a unique position to provide visibility into the guest from a trusted position isolated from the guest's domain. In other words, it provides both context and isolation.

The Horizontal Security Layer

The search for a ubiquitous horizontal security layer has been fruitless until now. In a software-defined data center, virtualization sits at the nexus of compute, storage and the network. It is not only a matter of vantage point, but also of manageability: if a control is not manageable, it will be ripped out. An SDDC provides a single source of state across the data center and enables highly automated management and provisioning. Effectively, security takes on many of the attributes of the SDDC – scalability, agility and manageability.

Inserting Services into the Software-Defined Data Center

With the virtualization layer within the SDDC, organizations can insert security services that inherit the attributes of the Goldilocks zone. We discussed a number of examples of what partners can achieve when they have access to host-based context, are isolated from the attack domain, and can be delivered as a distributed service, with the ability to provision, insert and manage security services quickly and easily.

Collectively, we have a remarkable opportunity to reinvent how security controls are architected and implemented, but we must act.

  • For our part, we plan on investing heavily in this horizontal security layer.
  • The vendor community must take advantage of the virtualization layer to innovate. Ask the question: How can we fundamentally improve our offerings, customer experiences or effectiveness of our solutions by having full context, safe isolation and ubiquitous presence in the data center?
  • Practitioners must get involved early in the discussions around the software-defined data center in their respective organizations. The opportunity here is to add tremendous business value. Rather than simply focusing on securing this layer or that layer, start the dialogue by asking, “How can we leverage the virtualization layer to secure our most critical assets?”

Art Coviello put it best when he said, "We finally have the opportunity to make security part of the very fabric of our infrastructure – built-in rather than bolted out. We cannot miss this opportunity."

We could not agree more. This is the beginning of an exciting transformation. Thanks to all who attended, and thanks to our special guests. We look forward to continuing this discussion, and to an exciting year ahead.

Martin Casado, CTO of Networking, VMware
Tom Corn, VP of Security Strategy, VMware

Read what VMware Partners Are Saying:

Real-time Protection from Nexpose & VMware NSX – Rapid7