A zero trust or least-privileged, security model has long been held as the best way to secure applications and data. At its core, a zero trust security model is based on having a allowlist of known good behaviors for an environment and enforcing this allowlist. This model is preferable to one that depends on identifying attacks in progress because attack methods are always changing, giving attackers the upper hand and leaving defenders a step behind.

The problem for IT and InfoSec teams has always been effectively operationalizing a zero trust model. As applications become increasingly distributed across hybrid environments and new application frameworks allow for constant change, a lack of comprehensive application visibility and consistent security control points is exacerbated for IT and InfoSec, making achieving a zero trust model even harder.

A modern application is not a piece of software running on a single machine — it’s a distributed system. Different pieces of software running on different workloads, networked together. And we have thousands of them, all commingled on a common infrastructure or, more lately, spanning multiple data centers and clouds. Our internal networks have evolved to be relatively flat — a decision designed to facilitate organic growth. But this architecture has also unintentionally led to enormous security challenges. In a flat network, if one workload is compromised there are virtually no controls in place to prevent an attacker from moving laterally through the network to compromise every other workload.

Five years ago, we introduced the idea of micro-segmentation. By enabling organizations to define security policies for the individual workload-level, we could now compartmentalize sensitive workloads and services. In a micro-segmented environment, an attacker couldn’t simply move east west and take over the critical application or sensitive data. Micro-segmentation fundamentally changed the industry and has become a fairly standard practice across organizations today, with VMware as the unquestionable leader in the market. But being the leader isn’t simply about being first. It’s also about innovation, and we have not been standing still.

Introducing Adaptive Micro-segmentation. The next evolution of micro-segmentation brings the following with it:

  • Much more application intelligence – By better understanding application composition and the intended state and behavior of the workloads that make up the application, we are turning visibility into security policy definition, thereby taking the guesswork out of policy creation.
  • Workload control (in addition to network control) — By directly locking down the workloads that comprise applications, Adaptive Micro-segmentation now protects against direct attacks on the application, itself. Additionally, it protects the services that traverse traditional segment boundaries (i.e. domain controllers, agents, jump servers, etc.) so that attackers cannot use legitimate communication paths to compromise applications.
  • Adaptation to change – One of the core problems with operationalizing a zero trust model is building controls that are flexible enough to accommodate the rapid rate of change of modern applications. As the name suggests, Adaptive Micro-segmentation allows for the automated redrawing of workload and network security policy when any component of the application is changed.

Adaptive Micro-segmentation brings together our innovations around network, with VMware NSX and vRealize Network Insight, and compute, with VMware AppDefense, to deliver a solution that can…

  • Learn the purpose, composition and intended behavior of all components that make up an application or regulatory scope — both at a network and compute level.
  • Lock down both the workload and network elements of the application.
  • And adapt to application changes.

VMware is uniquely positioned to deliver Adaptive Micro-segmentation due to our ability to leverage the existing infrastructure, itself, which offers the following benefits:

  • Built-in versus bolted-on (intrinsic security) — The network and workload controls that Adaptive Micro-segmentation relies on are built directly into the infrastructure. This means no more bolted-on boxes or agents.
  • Unique application context – The visibility and contextual understanding of applications that Adaptive Micro-segmentation uses is also directly derived from its position within the infrastructure that applications and data live on top of.

Want to see Adaptive Micro-segmentation in action? We will be showing off how Adaptive Micro-segmentation stops a live attack at VMworld 2018 in Las Vegas. Make sure you check out our Security Showcase session, Transforming Security in a Cloud and Mobile World (Tuesday, Aug 28, 1:00 PM – 2:00 PM, SEC3730KU). Also, check out Introduction to VMware AppDefense (Monday, Aug 27, 5:30 PM – 6:30 PM, SAI3217BU) and Introduction to NSX Data Center for Security (Tuesday, Aug 28, 2:30 PM – 3:30 PM, SAI2026BU) for a crash course in the technology behind Adaptive Micro-segmentation.

To read about how customers are doing Adaptive Micro-segmentation today, check out this case study, and for more general information on the topic, head to www.vmware.com/nsx.