Last week at VMworld, Pat Gelsinger made a statement that got folks buzzing. During his
keynote, he said that integrating security into the virtualization layer would result in organizations being twice as secure at half the cost. As a long-time security guy, statements like that can seem a little bold, but VMware has data, and some proven capability here in customer environments.

We contend that the virtualization layer is increasingly ubiquitous. It touches compute, network, and storage – connects apps to infrastructure – and spans data center to device. More importantly, virtualization enables alignment between the things we care about (people, apps, data) and the controls that can protect them (not just the underlying infrastructure).

Let me speak to the statement from the data center network side with some real data. VMware has a number of VMware NSX customers in production that have deployed micro-segmentation in their data centers.  Here’s what we found:

  1. 75% of data center network traffic is East-West, moving VM to VM regardless of how convoluted the path may be.
  2. Nearly all security controls look exclusively at North-South traffic, which is the traffic moving into and out of the data center; 90% of East-West traffic never sees a security control.
  3. Micro-segmentation with NSX enables full inspection of East-West traffic by logical network isolation, stateful firewalling, and with partners, even more sophisticated security controls can be implemented (next-generation firewalls, intrusion prevention systems, etc).

By my math using the above data, we’ve enabled organizations to move from security controls that only cover one third of their data center traffic to a much higher percentage – in some customer environments, they’ve deployed security controls to 100% of the traffic (full micro-segmentation, 100% of East-West traffic).  That’s actually better than twice as secure.

Now, the “half the cost” aspect of the statement we’ve proven many times over. We’ve seen enough customer business cases that demonstrate doing micro-segmentation with hardware firewalls is three times the cost of doing it with VMware NSX. Never mind the fact that it is operationally infeasible to do this. You can read about that here in our whitepaper.

So, in a sense, Pat was being conservative in my view. It’s actually more like three times as secure at one-third the cost.  Either way, it’s a huge improvement.

Here are just a few stories of real world customers that are starting to reap the benefits of using virtualization and micro-segmentation to improve the effectiveness and economics of security.

Chris King