Guest post by Zeus Kerravala, Founder and Principal Analyst, ZK Research
Today’s enterprises are becoming increasingly dynamic and distributed, putting an emphasis on cloud. The changing nature of business is having a transformative effect on the definition of cloud. What was once a centralized cloud model is giving way to a much more diverse, multi-cloud environment that continues to grow in complexity. Applications are no longer hosted exclusively in the data center, so data and users could be anywhere in the world. Since most enterprise traffic now goes to the internet instead of the data center, IT teams struggle with managing and securing distributed environments.
This was the key takeaway from a session titled Threat Protection, Control, Data Loss Prevention: VMware Cloud Web Security, hosted by VMware at its recent Explore 2022 conference. During the session, VMware demoed VMware Cloud Web Security™, a cloud-hosted secure access service edge (SASE) solution that uses a layered approach to safeguard enterprise users and infrastructure from known and unknown (zero-day) malware.
VMware Cloud Web Security protects users against internet-based threats by bringing them closer to web apps. The management for VMware SASE™ and Cloud Web Security happens in a single interface. The two components share context with each other, making security easier to consume and deploy, according to Aamer Akhter, director of SASE product management at VMware.
SASE encompasses all the security services and network capabilities that direct traffic from users to apps. A key component of Cloud Web Security is the set of SASE points of presence (PoPs). That is how the SASE “edge” is typically delivered: through PoPs or data centers close to the endpoints (data, users, devices). VMware SD-WAN™ customers currently send traffic to Cloud Web Security through a SASE PoP.
VMware has gateways, which act as on-ramps to the cloud. Any traffic a software-defined wide area network (SD-WAN) receives is secured and inspected when going out to the internet. Using multi-protocol label switching (MPLS) or a virtual private network (VPN) doesn’t provide high-speed optimized connections, since network traffic performs better over the internet. An SD-WAN, on the other hand, allows the network to recover from packet loss by switching over to another link in hostile conditions.
“It’s about taking the best parts of SD-WAN, including network optimization, packet duplication, and low loss capabilities,” said Akhter. “We’re not always sending traffic to the enterprise data center. We’re finding the closest SASE PoP and the traffic gets processed there.”
Regardless of how users are connecting, the traffic automatically goes into the closest SASE PoP. Then from Cloud Web Security, the traffic is directed to software as a service (SaaS) apps like Office 365 or the internet. Cloud Web Security boosts enterprise security by flagging internet sites that organizations don’t want their employees to visit. It gives organizations control over websites that are known for distributing malware, and it protects content that gets moved from the internet, such as Word documents, PDF files, and zip files.
With VMware Cloud Web Security, organizations exert granular control over what can be done in specific apps, for example allowing files to be shared but not downloaded in Dropbox. This capability within Cloud Web Security is called a cloud access security broker (CASB), which delivers control, visibility, and data loss prevention (DLP). VMware maintains a catalog of more than 1,000 CASB apps that is updated every two weeks.
CASB creates an audit trail for documents and files that are shared in the enterprise environment, whether users are working in the office, from home, or from remote locations. It also provides DLP for data in motion—data moving from within the enterprise to outside the enterprise. In addition to CASB and DLP, the other capabilities in Cloud Web Security include content filtering, URL filtering, SSL decryption, anti-malware, and sandboxing.
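As an added illustration of the three controls described above (URL filtering, per-app CASB action control, and DLP on data in motion with an audit trail), here is a small Python policy evaluator. It is example code written for this post, not VMware's code, and it does not describe how Cloud Web Security is implemented internally. The app names, URL categories, DLP patterns and sample requests are constructed for the example; a real deployment would consume a vendor-maintained app catalog and category feed and use far richer content classifiers.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed per-app action policy (hypothetical), mirroring "share but not download in Dropbox".
APP_POLICY: Dict[str, Dict[str, str]] = {
    "dropbox": {"share": "allow", "download": "deny", "upload": "allow"},
    "office365": {"share": "allow", "download": "allow", "upload": "allow"},
}

# Constructed URL category feed; a real deployment consumes a vendor-maintained list.
URL_CATEGORIES: Dict[str, str] = {
    "malware-host.example": "malware",
    "dropbox.com": "file-sharing",
    "office.com": "collaboration",
}
BLOCKED_CATEGORIES = {"malware"}

# Constructed DLP patterns for data in motion; production DLP uses far richer classifiers.
DLP_PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

AUDIT_LOG: List[dict] = []


@dataclass
class Request:
    user: str
    host: str               # destination host from the proxied request
    app: Optional[str]      # CASB app identified for this host, if any
    action: Optional[str]   # share / download / upload / browse
    body: str = ""          # outbound payload (only scanned when data leaves the enterprise)


@dataclass
class Decision:
    verdict: str            # "allow" or "deny"
    reason: str


def classify_url(host: str) -> str:
    """Return the category of host, matching the host itself or any parent domain."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in URL_CATEGORIES:
            return URL_CATEGORIES[candidate]
    return "uncategorized"


def dlp_scan(body: str) -> List[str]:
    """Return the names of DLP patterns found in an outbound payload."""
    return [name for name, pat in DLP_PATTERNS.items() if pat.search(body)]


def evaluate(req: Request) -> Decision:
    """Apply URL filtering, then per-app CASB control, then DLP; record every decision."""
    category = classify_url(req.host)
    if category in BLOCKED_CATEGORIES:
        decision = Decision("deny", f"URL category '{category}' is blocked")
    elif req.app in APP_POLICY and req.action:
        if APP_POLICY[req.app].get(req.action, "deny") == "deny":
            decision = Decision("deny", f"'{req.action}' not permitted in {req.app}")
        else:
            # Data in motion: only outbound actions are scanned for sensitive content.
            hits = dlp_scan(req.body) if req.action in ("upload", "share") else []
            if hits:
                decision = Decision("deny", "DLP match: " + ", ".join(hits))
            else:
                decision = Decision("allow", f"'{req.action}' permitted in {req.app}")
    else:
        decision = Decision("allow", "no app policy; default allow")

    # Audit trail: every decision is recorded regardless of where the user connects from.
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": req.user, "host": req.host, "app": req.app, "action": req.action,
        "verdict": decision.verdict, "reason": decision.reason,
    })
    return decision


if __name__ == "__main__":
    # Constructed sample traffic run through the evaluator.
    samples = [
        Request("alice", "www.dropbox.com", "dropbox", "share"),
        Request("alice", "www.dropbox.com", "dropbox", "download"),
        Request("bob", "www.dropbox.com", "dropbox", "upload", body="ssn 123-45-6789"),
        Request("carol", "cdn.malware-host.example", None, "browse"),
    ]
    for s in samples:
        d = evaluate(s)
        print(f"{s.user:6} {s.app or '-':9} {s.action:9} -> {d.verdict:5} ({d.reason})")
```

The ordering matters: URL reputation is checked before app policy so that a blocked category wins even for a permitted action, and DLP only runs on outbound actions because that is the "data in motion" case the post describes. Unknown hosts fall through to a default allow here; a production policy would more likely default to deny or to a separate "uncategorized" rule.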
“When we start to allow certain file types, we want to make sure any virus or malware that may be embedded in a file can be inspected and blocked. This is where anti-malware and sandboxing come into play,” said Derek Tay, technical product manager at VMware.
VMware is introducing a new way of onboarding into the environment using web proxy-based connectivity to VMware Cloud Web Security. VMware will soon be adding an internet protocol security (IPsec)-based capability, where organizations with third-party branches, routers, and SD-WAN environments can build an IPsec tunnel and bring their traffic into a SASE PoP with Cloud Web Security.
While there are many vendors today that can offer SD-WAN or cloud security, VMware is one of only a handful that can bring them together in a complete SASE solution. As complexity grows, this will be a competitive differentiator for VMware as SASE simplifies the process of customers having to tie network and security together.
About the author
Zeus Kerravala is the founder and principal analyst with ZK Research, providing a mix of tactical advice to help his clients in the current business climate and long-term strategic advice. Kerravala provides research and advice to end-user IT and network managers, vendors of IT hardware, software and services, and the financial community looking to invest in the companies that he covers.