Uncategorized

Developing Defense in Depth for a Software-Defined Data Center

By Jared SkinnerCloud Management Sales Director – West

The software-defined data center (SDDC) is on the tip of a lot of tongues these days, but the fact is, it’s not yet an end-point solution but rather a constantly evolving strategy. For that reason, I meet many customers who are excited about its potential but still wary of the unknowns—in particular around security.

As we abstract different layers of the technological stack, namely storage and network, we must continue to manage security across the stack through industry best practices and/or regulatory standards. Securing the SDDC begins by reinventing Defense in Depth.

What Is “Defense in Depth”?

I think of Defense in Depth like an onion, where the sweetest part is the center, protected under many layers of security.

  1. First there are firewalls, both physical and virtual.
  2. Under that are advanced intrusion detection systems.
  3. Then anti-virus and possibly white-listing.
  4. And finally the server itself, whether virtual or physical.

Defense in depth is the security of the inner sanctum that is the most critical and vulnerable component of the environment.

Software vendors have and will continue to publish detailed recommendations for securing their operating systems and applications. Regulatory entities, such as PCI, Sarbanes-Oxley, HIPPA, GLBA, and Nerc-Ferc, as well as industry experts continuously evaluate and publish new standards. These standards govern aspects of technology like patching, configuration settings, system logging, network controls, change detection, network ports, and routing. Some even reach into areas of physical security of the premises.

New Challenges with the SDDC

The software-defined data center is exactly that: software running on top of a Hypervisor providing abstracted access to resources. With this paradigm shift, new capabilities (CPU, network, storage) now have their own individual universe, each with it’s own highly complicated and unique security posture that needs to be addressed.

More than 90 percent of all security breaches stem from misconfiguration. Every layer of your environment must be secured—hence Defense in Depth. This becomes even more critical within the SDDC because possible security vectors are increased. Imagine side stepping the firewall, tripping past an IDS, blowing through antivirus to seize a lightly configured, barely patched operating system. The news would be all over the headlines!

There’s no applying this logic to the SDDC. All layers of abstraction do or will run on top of either a Hypervisor or Operating System, and the IT community will have to take extra care to make sure both are secure as possible.

No Such Thing as 100% Secure

Software bugs and security vulnerabilities are inevitable because we are imperfect humans writing software. Your objective should be to find the best way to stay ahead of the curve within the context of a software-defined data center. The only way to do that is to have detailed visibility into the configuration of each of the layers of abstraction.

Define your security standards and start leveraging a solution like vCenter Configuration Manager, which is able to collect configurations, detect configurations changes, and define new compliance standards across your operating system instances (both physical and virtual). As my colleague Richard Rees explained recently, trust in a system is not just about control, it also relies on visibility. With Configuration Manager, you’re aware of security issues as they arise, so you can quickly remediate or patch at the appropriate level.

Ahead of the Pack

The truth is, a lot of these issues still need to be worked out across the industry, but I know that VMware is the best equipped to develop new security standards for the software-defined data center. Since VMware defined the practice of abstracting physical resources into the virtual realm starting with compute, it has a jump start on doing the same for the rest of the data center.

For starters, VMware recently launched NSX, a networking stack, as well as a vSAN for storage, working toward the capability to join them together for a plug-and-play SDDC experience. And because VMware is purpose-building software-defined networking and storage, as these components mature, we will continue to address security, configuration management, visibility, and compliance for the new SDDC frontier.


Jared Skinner is a seasoned Cloud Management professional who joined VMware 4 years ago. He has an extensive background in IT management software, security and compliance. Jared has spoke on many compliance panels including PCI, SOX, and Nerc-Ferc. Jared was also one of the contributors to the first revisions of the Center for Internet Security standards for Virtualization.