Let’s say you’re shopping for a hazmat suit. Would you buy the patchwork model—the one whose various parts are made by multiple manufacturers, then sewn by hand with several different kinds of thread? Yeah, I wouldn’t either. Yet the security posture of many organizations is the equivalent of a patchwork hazmat suit. Perhaps you have done your best to establish and enforce a single platform and a seamless, unified approach. But your business keeps leapfrogging past its own perimeters as you extend operations into mobile, cloud, etc. So you end up bolting on new solutions, like patches on a hazmat suit. The problem is, bad actors are like super-viruses, constantly evolving ways to slip through the tiniest gaps.
What if, instead, you could secure your enterprise with a solution that worked more like a vaccine—one that builds resistance into the very fabric of your IT operations? Vaccines harness your own immune system to keep you safe from threats. The defenses they activate are actually intrinsic to you. And that means they accompany you wherever life may take you—no matter what. To apply that concept to the digital enterprise, the solution would have to extend security to:
- Any user
- Any endpoint
- Any network
- Any application
- Any data center
- Any cloud service
- Any data storage
Don’t Trust/Always Validate/Enforce Least Privilege
Last time, we examined how security should be scalable, modernized and automated given today’s sprawling and complex operations. A security platform must: 1) scale across all kinds of components, from network connections to hand-held devices; 2) have a modern design in which security is inherent and built into the fabric of the IT architecture itself; and 3) automate security across thousands, even millions, of components.
Now let’s look at how you can enforce security everywhere your digital operations extend. Essentially it comes down to three principles:
- Don’t trust users, devices and endpoints
- Always validate network communication
- Enforce least privilege to apps, data centers and cloud services
The proliferation of mobile users, apps and devices is leading to complexity — and inconsistencies — in enforcing security. At the same time, those inconsistencies hand bad actors lots of potential opportunities to go around traditional security policies.
This new reality demands a “don’t trust” approach to users and endpoints. Essentially, this means never providing access to a device without securely validating identity first — and, of course, a unified platform approach that can scale at the rate the digital economy demands.
In the age of mega-breaches, the vulnerability of networks and the weakness of perimeter defenses are painfully clear. Bad actors ride on the backs of legitimate users to arrive inside the perimeter — and thus gain access to every part of the data center’s infrastructure. To combat these threats and secure networks, you need an “always validate” approach that embeds security within every individual workload.
Enforce Least Privilege
For any user or device that has (or illicitly gains) access to your data center and cloud infrastructure, you need to minimize your potential cyber attack footprint. In other words, you need to enforce least privilege. The concept is simple: you restrict access rights — whether for users, accounts or compute processes — to those data center and cloud resources required for permissible activities.
However, “least privilege” can be extremely difficult to put into practice across today’s (and tomorrow’s) complex and heterogeneous app, data center and cloud operations.
So why might VMware be your most important cybersecurity company?
VMware is in a unique position to meet all three of these principles, because our virtualization footprint extends through every IT layer.
- Don’t trust: With VMware Workspace ONE, you can set and enforce access and data policies across all apps, devices, and locations in one place. The solution combines identity and device management to enforce access decisions based on a range of conditions, including strength of authentication, network, location, and device compliance. VMware NSX, vSphere and vSAN offer various levels of encryption over the network, in the hypervisor, down to your virtualized storage repository. In conjunction with Workspace ONE, which includes AirWatch technology and Horizon, you’re getting encryption from the endpoint to the VDI, over the network and into the data center.
- Always validate: Rather than a traditional perimeter approach, VMware NSX changes the equation by making security intrinsic to your network operations, thanks to VMware’s unique ability to embed security functions right into the hypervisor. Security policies are not a gate that workloads have to pass through. The policies actually travel with workloads, regardless of where they are in the larger network topology, and vRealize Network Insight (vRNI) can verify that traffic is compliant.
- Enforce least privilege: Again thanks to its privileged position in the hypervisor, VMware is able to dramatically simplify enforcement of least privilege. VMware AppDefense and the VMware vSphere hypervisor can capture both the intended state and the run-time state of any deployed application. By collecting all this information in the manifest file and storing it in a protected space in the vSphere hypervisor, it simplifies monitoring for rogue activity, preventing tampering, and automating alerts for unexpected or unintended changes. And all this works on-premises or in the VMware Cloud.
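The “don’t trust” and “enforce least privilege” principles above come down to one decision procedure: every request is denied unless an explicit rule grants that action on that resource, and even a matching rule only applies when the conditions the post lists (strength of authentication, network, device compliance) all hold. The following is an added illustration written for this post, not Workspace ONE or AppDefense code; the policy rules, role names, resource names and sample requests are all constructed, and the first-match evaluation order is an assumption of this example.

```python
"""Conditional access with default deny and least privilege (added example).

Everything here is constructed for illustration: the roles, resources,
rules and sample contexts are hypothetical, not a real product's policy.
"""
from dataclasses import dataclass
from enum import IntEnum


class AuthStrength(IntEnum):
    """Ordered so that a stronger factor satisfies any weaker requirement."""
    NONE = 0
    PASSWORD = 1
    MFA = 2
    HARDWARE_KEY = 3


@dataclass(frozen=True)
class Context:
    """What we know about the requester at decision time."""
    user: str
    roles: frozenset
    auth: AuthStrength
    device_compliant: bool
    network: str  # constructed values: "corp", "vpn" or "public"


@dataclass(frozen=True)
class Rule:
    """One explicit grant; anything not covered by a rule is denied."""
    resource: str
    action: str
    roles: frozenset                 # any one of these roles qualifies
    min_auth: AuthStrength
    require_compliant: bool = True
    networks: frozenset = frozenset({"corp", "vpn", "public"})


# Constructed policy: the only (resource, action) pairs anyone can reach.
POLICY = [
    Rule("hr-db", "read", frozenset({"hr", "hr-admin"}), AuthStrength.MFA),
    Rule("hr-db", "write", frozenset({"hr-admin"}), AuthStrength.HARDWARE_KEY,
         networks=frozenset({"corp"})),
    Rule("wiki", "read", frozenset({"employee", "hr", "hr-admin"}),
         AuthStrength.PASSWORD, require_compliant=False),
    Rule("vcenter", "admin", frozenset({"infra-admin"}), AuthStrength.HARDWARE_KEY,
         networks=frozenset({"corp", "vpn"})),
]


def evaluate(ctx, resource, action):
    """Return (allowed, reason). First rule matching resource, action and a
    held role decides; if none matches, the answer is deny (default deny)."""
    for rule in POLICY:
        if rule.resource != resource or rule.action != action:
            continue
        if not (rule.roles & ctx.roles):
            continue
        # The rule applies; every condition must hold or the request fails.
        if ctx.auth < rule.min_auth:
            return False, f"auth {ctx.auth.name} below required {rule.min_auth.name}"
        if rule.require_compliant and not ctx.device_compliant:
            return False, "device not compliant"
        if ctx.network not in rule.networks:
            return False, f"network {ctx.network!r} not permitted for this action"
        return True, "allowed by rule"
    return False, "no rule grants this action (default deny)"


def allowed_actions(ctx):
    """The least-privilege set: every (resource, action) this context can do."""
    return sorted((r.resource, r.action) for r in POLICY
                  if evaluate(ctx, r.resource, r.action)[0])


# Constructed sample requesters.
HR_ANALYST = Context("alice", frozenset({"hr"}), AuthStrength.MFA, True, "vpn")
HR_ADMIN_OFFSITE = Context("bob", frozenset({"hr-admin"}), AuthStrength.HARDWARE_KEY,
                           True, "public")
CONTRACTOR = Context("carol", frozenset({"employee"}), AuthStrength.PASSWORD,
                     False, "public")
# Same identity as alice, but only a password was presented (e.g. a phished
# credential replayed from a compliant-looking device on the corporate network).
PASSWORD_ONLY = Context("alice", frozenset({"hr"}), AuthStrength.PASSWORD, True, "corp")


if __name__ == "__main__":
    for ctx in (HR_ANALYST, HR_ADMIN_OFFSITE, CONTRACTOR, PASSWORD_ONLY):
        print(ctx.user, ctx.auth.name, ctx.network, "->", allowed_actions(ctx))
    print(evaluate(PASSWORD_ONLY, "hr-db", "read"))
```

The point the `PASSWORD_ONLY` context makes is the one behind “don’t trust”: the same user, on a compliant device inside the corporate network, still cannot read the HR database with a password alone, because the rule requires MFA and the engine never falls back to a weaker grant. `allowed_actions` is the audit view: for any account it lists exactly what is reachable, which is the set least privilege asks you to keep as small as the job allows.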
Learn more about how VMware transforms security by making it intrinsic, from the endpoint, IoT and any application, over the network, and into the data center and cloud.
Follow us on Twitter at @VMwareSecurity
Christopher Campbell – Director, Solutions Product Marketing
Networking & Security