You may have noticed that VMware has been releasing cloud security solutions at a faster and faster pace in recent years. We have also been developing a new IT security ecosystem at the same time, and security vendors are reacting positively by migrating and integrating their solutions to our cloud platform. This trend has become a market necessity, as the nature of cyber security changes in the cloud era. These days, no one can fix all issues customers are facing. Every player in cyber security must stake out a new position, and this must include cooperating with other security providers.
There are many players in the cyber security space. That gives customers plenty of choices, but it also creates confusion when they are deciding which solutions to implement. At the same time, many cyber security solutions have never been integrated well enough to work together seamlessly—a problem exacerbated when layering in the complexities of cloud computing.
There are essentially four key domains in the IT security industry: security consulting services, defense technology, platform security architecture, and security management. Security vendors deal with the first two domains. Traditionally, operating system and networking vendors have taken the lead in the last two. However, cloud computing is changing the entire landscape. In fact, the cloud has become the new platform in which to embed security solutions, displacing the OS and the network in that role.
Because cloud platforms are by their nature service-oriented, security becomes a key property of the cloud service in this approach. However, security must be integrated deeply within the cloud management platform. It is no longer sufficient to bolt on security or provide fixes at the time cloud services are delivered. Indeed, security must be built into the cloud platform’s design from the ground up. This requires a clear strategy for security across the whole life of the cloud platform’s architecture and operations. Imagine trying to answer these questions if this were not the case:
- Can you imagine trying to manage a security solution if it is not integrated with popular CMP solutions like vRealize Automation or OpenStack in a private cloud environment?
- Do you think the daily operational demands of security, like changing firewall rules, are the responsibility of security experts?
- Do you want to adjust the security policy manually every time an application is deployed or migrated?
There are two types of security functions in a cloud platform: basic services and add-on services. Basic services are essential services that are widely used in most scenarios, like the firewall services used to isolate workloads and block threats. At many cloud providers, legacy firewall solutions are network- or host-based, which means they are not ideal for granular control or manageability. By contrast, the hypervisor is an ideal place to monitor and filter I/O. You can:
- Define logical security boundaries by business needs.
- Deploy user-friendly ways to identify and define firewall rules.
- Enable access control policies to follow the workloads they protect automatically.
In other words, with such an approach, there is no added cost to enforce security protections.
Software-defined perimeters and micro-segmentation are key elements of cyber security, but you can only adopt these new technologies via a distributed firewall running on the hypervisor. If you want to consolidate the resources in different datacenters to implement a disaster recovery or active-active framework, such an approach makes managing multiple datacenters as easy as managing a single one. In addition, VMware embeds stateful firewall services into ESXi—a high-performance, stable, and easier-to-manage solution.
We can tell a similar story about application and data security. Imagine you depend on the SOC layer to detect and prevent security threats, and that the SOC depends in turn on many security solutions to monitor and control the IT systems. This approach is very complicated, requiring many restrictions and limitations to be applied to protect the business. However, if you adopt behavior analysis solutions at the cloud platform level, things become much easier. Suddenly, you can see all system and application process activities. You can easily manage both in-band and out-of-band changes. And you have incomparable visibility into good and bad behaviors (i.e., identifying the known-good behaviors and treating the rest as bad). With these basic services, you can dramatically reduce security risks in the cloud. Add-on services such as anti-virus, DPI, WAF, etc. are also very important, and VMware has created an ecosystem that extends to a wide range of security vendors.
This unified strategy can standardize service delivery and operations. Security solutions from third-party vendors can interact via a standard method, all managed in a single panel. You can protect any kind of workload in the cloud—applications running in VMs, virtual desktop infrastructures, and cloud-native apps in containers—with the same set of security services. You can delegate some daily security operations to cloud operations teams or even automate them with blueprints or policy definitions. As a result, compliance in the cloud becomes simple. Your cloud operations team can get a compliance report whenever they need one, and the cloud platform can always enforce the policy, monitor compliance continuously, and fix compliance issues immediately.
I worked at a security company before I joined VMware, where I learned that most customers thought that securing virtual workloads and data was complex to manage because these resources were spread all over the enterprise, and there was no way to ensure they were securely managed and well protected. Traditional solutions focused primarily on anti-virus, network access control, host firewalls, and data loss prevention, which inevitably increases complexity and raises the risk of losing control.
The challenges of securing virtualized workloads include compliance and management issues. BYOD strategies make that challenge exponentially larger. And if you want to introduce IoT technology, security protection becomes a nightmare if you rely on traditional security solutions.
What VMware has done in the enterprise mobility market is fantastic. We have taken a modern approach, leveraging enterprise mobility management to access virtual workloads and corporate data. Compliance becomes easier since all virtual workspaces are always running atop the hypervisor. This means you can change the policy whenever the business requires it, and the new policy is pushed to the related user environment immediately. Additionally, we protect the virtual workspace and the resources in it. Access policies are defined by identity and object, making them much more user-friendly and less intrusive. As a result, you can keep digital workspaces safe and make end users happy with easy access to their resources. Finally, you have an ultimate data security solution. All sensitive information—business plans, contracts, customer information, product designs, source code, etc.—can be kept in the datacenter. Authorized people can access it remotely, but they are prohibited from downloading this information to their devices. In other words, you have a transparent data fence around the datacenter, making it both easier to use and more secure than content-based data loss prevention solutions.
Because VMware mobility solutions cover all kinds of scenarios and devices, you gain unified security protection for both applications and data everywhere, from legacy computers to stylish mobile devices and the IoT gateway.
VMware is famous as a cloud computing solution leader. Now that security has become a vital part of cloud operations, VMware keeps on investing in the cyber security space. In the diagram of VMware’s security approach below, you will see three images of locks. They represent identity and data security, application security, and infrastructure security. With our state-of-the-art technologies, together with add-on solutions from our security partners, we can help you run any application on any cloud, and access resources with any device, from anywhere, at any time, SAFELY.
Learn more about the Virtual Cloud Network and VMware Security Solutions.
Follow us on Twitter at @VMwareSecurity