Ana Seijas here — one of the newest members of the VMware Security & Compliance team. So I've been doing security for a long time…started as an external systems auditor and then moved on to internal audit, consulting, training, CISO, but the one thing I've enjoyed the most was being a Systems Engineer. So I've been an SE, as they are most commonly known, for a number of years and for several very large companies. As SEs we play consultant, salesperson, techie or plain listener for our customers…and with all of these hats the one thing in common is that we do a lot of presenting! As soon as there's even just one person in the room, we're ready to present…be it a PowerPoint, whiteboard, or napkin! So over the years I've taken many presentation classes…and although I've learned many cool techniques, the one thing that stands out and I try to do most of all is create analogies of technical stuff to real-world stuff. It's how I can make people remember what this stuff really does!
So when I joined VMware a few months ago and was introduced to our vShield products, I knew that I would be presenting them soon enough. So as I learned the features, functions, and use cases…I started to think of the analogies…so here goes…
Customers secure their data and assets from all those bad guys out on the internet with firewalls, IPS, switches, routers, load balancers and whatever new technology they can find. For the most part they've learned to build a very "hard shell" around the outside of their company. In most cases it's very hard to get inside a customer's network from the internet (although these days it seems like everybody is being hacked!)…for the most part that "hard shell" exists…but once I'm on the inside as an employee with access, it's a "soft and chewy inside" and that's where the problems exist. It's way too expensive ($$$, people, process and complexity) for a customer to completely isolate every application, group, line of business, or piece of data they have, and so for the most part…access on the internal network allows me to probably see or poke around more than I need to. Curiosity kills the cat, or more likely leads to data leakage or stolen information.
VMware's vShield products can help customers maintain that "hard shell" around their virtual datacenters, but also provide "crunch for the soft and chewy inside"…it's like sticking a pretzel in it!
Let me explain further! vShield Edge is a stateful inspection firewall that can provide perimeter security for the virtual datacenter. It follows the same guiding principles as traditional firewalls but also includes site-to-site VPN and load balancing capabilities for securing the different tenants, companies, countries, lines of business, stores, offices, etc. that exist in your virtual infrastructure. Adding vShield App allows the customer to define security groups inside of the virtual datacenter for different trust zones (e.g. PCI, DMZ, HIPAA), applications (web servers, SAP, Oracle, etc.) or groups (finance, HR, development, etc.), and to define security rules based on their actual business needs as opposed to how the infrastructure or network was created, thus providing that crunch on the inside.
With vShield App, organizations can become more secure by limiting the ability of the curious employee with "the roaming eyes" to access or see information that they don't need. It's the ability to apply the principle of least privilege in a logical manner at the network layer.
So what is the principle of least privilege? As per PCMag's Encyclopedia: "A basic principle in information security that holds that entities (people, processes, devices) should be assigned the fewest privileges consistent with their assigned duties and functions. For example, the restrictive 'need-to-know' approach defines zero access by default and then opens security as required. All data in a corporate network would be off-limits except to specific people or groups based on role-based access controls."
Now the principle of least privilege implies getting down to as granular access as possible, so the vShield products only provide another layer of granular access control at the network layer, on inter-VM traffic. You still need to provide granularity using role-based access controls in vCenter, your network devices, the guest OS and the applications, to name a few.
So if your security team is coming down on you to protect more and more of your data for PCI, HIPAA, or whatever the reason, show them how smart you are on security and tell them you're going to virtualize more so you can provide more access controls and enhance the principle of least privilege by using vShield!
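To make the "need-to-know by default" idea from the two paragraphs above concrete, here is an added toy model of group-based inter-VM rules. It is constructed for this post and is not the vShield App rule format or API: the group names, VM names, ports and rule order are all assumptions, but the evaluation logic (rules matched against the security groups of source and destination VM, first match wins, no match means deny) is the pattern the text describes.

```python
# Added example: group-based inter-VM policy with default deny.
# Constructed for illustration; NOT the vShield App rule format or API.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src_group: str        # security group of the sending VM ("*" = any)
    dst_group: str        # security group of the receiving VM ("*" = any)
    port: Optional[int]   # destination port, or None for any port
    action: str           # "allow" or "deny"

# Each VM belongs to a trust zone and an application/business group.
# These assignments are constructed sample data, not a real inventory.
VM_GROUPS = {
    "web01":  {"DMZ", "web"},
    "sap01":  {"PCI", "sap"},
    "db01":   {"PCI", "oracle"},
    "fin-ws1": {"finance"},
    "hr-ws1":  {"HR"},
}

# Rules follow the business need (who must talk to whom), not the
# VLAN or subnet the VMs happen to sit on. Evaluated top to bottom;
# the first matching rule decides; nothing matches -> "deny".
RULES = [
    Rule("web",     "sap",    8000, "allow"),  # web tier -> SAP app tier
    Rule("sap",     "oracle", 1521, "allow"),  # app tier -> database
    Rule("finance", "sap",    443,  "allow"),  # finance users -> SAP UI
    Rule("*",       "DMZ",    443,  "allow"),  # anyone -> public web tier
]

def _matches(rule: Rule, src: set, dst: set, port: int) -> bool:
    """True if the rule applies to this source group set, dest group set and port."""
    return ((rule.src_group == "*" or rule.src_group in src)
            and (rule.dst_group == "*" or rule.dst_group in dst)
            and (rule.port is None or rule.port == port))

def decide(src_vm: str, dst_vm: str, port: int) -> str:
    """Return 'allow' or 'deny' for traffic from src_vm to dst_vm on port."""
    src, dst = VM_GROUPS.get(src_vm, set()), VM_GROUPS.get(dst_vm, set())
    for rule in RULES:
        if _matches(rule, src, dst, port):
            return rule.action
    return "deny"   # least privilege: anything not explicitly needed is closed

def reachable_from(src_vm: str, ports=(443, 1521, 8000)) -> set:
    """What a VM can reach at all, i.e. the size of its 'roaming eyes'."""
    return {(dst, p) for dst in VM_GROUPS for p in ports
            if dst != src_vm and decide(src_vm, dst, p) == "allow"}
```

`reachable_from("hr-ws1")` shows the HR workstation can only hit the public web tier, while the database is reachable solely from the SAP tier on its one port.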