Author Archives: Edward (Allen) Shortnacy

Enterprise Application Migration Technologies – Finding the Right Fit


When looking at the adoption of public or hybrid cloud, one of the primary considerations must be how to migrate existing workloads to the target platform. Choosing the right migration tool(s) is critical when coaching customers, mainly their IT and application owners, through this challenge. Many VMware vCloud® Air™ Network architectures can provide workload mobility where capabilities such as hybrid cloud networking enabled by VMware NSX®, or other solutions such as VMware Site Recovery Manager™, are in place. Enterprise migration technologies, however, span a much broader scope than moving applications hosted on physical or virtual infrastructure to a cloud architecture. Specifically, these tools address the enterprise architecture features required to discover, plan, and execute a migration, while accounting for scheduling and system-level dependencies.

VMware offers tools that address many of these needs, and some have been described in the VMware vCloud Architecture Toolkit™ for Service Providers (vCAT-SP) blog and white paper. As stated in the vCAT-SP documentation for migration, VMware's own offerings will not meet every requirement for migrating workloads to the cloud, so the purpose of this series of blogs is to let VMware Technology Partners describe their solutions and make the case for why they might be the best choice in many situations. Many standard forms of analysis apply to the evaluation of enterprise migration technologies, including common items such as pricing, support, and strategic direction. This series will focus on the more technical aspects: ease of deployment and usage, versatility, reliability, scalability, and security. The entries will also cover the optimal use cases addressed by the partner solutions, often with customer references.

The first blog in this series is with VMware Technology Partner ATADATA, and in particular their enterprise migration solution built on the ATAvision and ATAmotion products. The combination of these two offerings fits the “Discover & Assess, Job Scheduling, Workload Migration, Application Verification” lifecycle described in the blog and vCAT-SP documentation referenced above. The first three letters of the ATADATA name stand for “any to any,” and their deployment model, shown in the following figure, reflects their abstraction from the underlying physical, virtual, or cloud infrastructures that take part in an enterprise migration. This abstraction lets the technology not only support many platforms (see ATADATA supported platforms), but also present a consistent view of the underlying details when migrating between sources and targets of any supported type.

Managed Security Services Maturity Model for vCloud Air Network Service Providers


We’ve all heard about the many successful cyber-attacks carried out across various industries. Rather than cite a few examples to establish background, I would encourage you to review the annual report from Verizon called the Data Breach Digest. This report gives critical insight into how the most pervasive attacks are executed and what to protect against to impede or prevent them. To provide a sound architecture and operational model for that protection, let’s look at two universal principles that have emerged from the forensics of these events: time and space. Space, in this case, is cyberspace, and involves the moving digital components of the target systems that must be compromised to execute a successful attack. Time involves events that may occur at network or CPU speed, but it is the ability to trap those events and put them into a human context, in terms of minutes, hours, or days, that lets security operations respond. The combination of unprotected attack vectors, already compromised components of the system, and the inability to spot them creates what are known as “blind spots” and “dwell time,” during which an attacker can harvest additional information and potentially expand to other attack vectors.

While all of that is hopefully easy to understand, we have to face the reality that many attacks still begin with credentials compromised through social engineering. These credentials provide enough privilege to establish a foothold for the command and control used in a cyber-attack. For this reason, we want to employ one of the core principles of the Managed Security Services Maturity Model, known as Zero Trust: the idea that every action must have specific authentication, authorization, and accounting (AAA) defined. By subscribing to this maturity model as a VMware vCloud® Air™ Network service provider, you will uncover ways to leverage features such as the VMware NSX® Distributed Firewall and micro-segmentation, putting you well on the road to offering services that help customers address potential blind spots and reduce dwell time, thereby taking control and ownership of their cyber risk posture. No matter how nefarious a rogue entry into target systems is, or what escalated privilege was acquired, the Managed Security Services Model limits the kind of lateral movement needed to conduct consistent, ongoing attacks, or what is known as an advanced persistent threat (APT). Although not all occurrences are APTs, by understanding the methods used in these most advanced attacks, we can isolate and protect the aspects of the system an attacker needs in order to execute a “kill chain,” the sequence of steps that lets them take ownership of a system in undetectable ways.

Managed Security Services Maturity Model

Cyber security, in its entirety, is a vast concept that cannot be given justice by a small set of blog articles and white papers. However, given the expansive nature of cyber-threats in this day and age, along with the ratio of successful attacks, information technology needs to continually seek out new approaches. One approach is to build as much of an IT environment as possible from known patterns and templates of installed technologies, deployed with high-fidelity audit information so that their collective effectiveness against cyber-threats can be measured. This turns on its head the idea of protecting environments against an exponentially growing number of threats with greater diversity in the areas frequently attacked, and instead refines deployed environments to accept only activities that are well defined, with results that are well understood. Simply put, measure what you can trust. If it can’t be measured, it can’t be trusted.

Once again, this approach touches on a large concept, but it is finite in nature in that its definition seeks to gain the control needed to deliver sustainable security operations for customers. To further illustrate this point, let’s think about what a control, and the maturity model itself, afford the operator in pursuit of their target vision. First is the idea of a “control,” which in cyber security terms simply means defining a behavior that can be measured. This could be an architecture pattern expected from the provider layer, such as data privacy or geo-location, or the automation and orchestration of security operations. Second is the maturity model itself, which has prerequisites for executing on specific rungs of the model, along with the operational and security benefits each rung provides. One output of each rung of the maturity model is the potential set of services to be offered to aid in the completion of the customer’s target cyber security vision.

Enter the Managed Security Services Maturity Model, which encodes the methodology for capturing each customer’s ideal approach and provides five different maturity “layers” that aid vCloud Air Network service providers in delivering highly secure hybrid cloud environments. Looking at Figure 1, we can see that the ideas of time and “geometry” (networks and boundaries we have defined), along with the provider (below the horizontal blue line) and consumer (operating system and application runtimes) layers, provide us the cyber dimensions we seek to define and measure.

Figure 1. Managed Security Services Maturity Model

Like most capability maturity models, when starting from the bottom we can often borrow attributes and patterns for service from the layers above. Generally, however, we need to accomplish the prerequisites for the upper layers (Orchestrated and above) to truly be considered operating at that layer. Often, there are issues of completeness where we must perform these prerequisite tasks some number of times in the design of our architecture and operations to have mobility to the upper levels. For instance, to complete the Automated level, you should plan to automate on the order of a dozen elements, although your mileage may vary.

You may find more work to be done moving up the levels as you determine the right composition and critical mass of controls appropriate to deliver for targeted customer profiles. In the case of our maturity model, we will bind several concepts at each level to ultimately achieve the Zen-like “Advanced” layer 5, where we truly realize the completeness of the vision to own cyber security for our customers. A big responsibility to be sure, but perhaps a bigger opportunity to change the game from the status quo. The offering of managed services composed of facets from all levels is not for everyone but there is plenty of room to add value from all layers.

We have defined the following layers for the Managed Security Services Maturity Model:

  1. Basic

At this level, we introduce VMware NSX, VXLAN, and the Distributed Firewall to the hybrid cloud environment. This allows us to create controlled boundaries and security policies that can be applied in an application-centric fashion, resulting in focused operating contexts for security operations.

  2. Automated

At this level, we want to automate the behavior of the system with regard to controls. This prompts security operations with events generated by discrete controls and their performance against established measurements or tolerances. The goal is to automate as many controls as possible in order to become Orchestrated.

  3. Orchestrated

After we have many controls automated, we want to make them recombinant in ways that allow for controlling the space, or the “geometry”, along with coordinating events, information, automated reactions, and so on, which will allow us to drive down response times. These combinations will result in “playbooks,” or collections of controls assembled in patterns that are used to combat cyber threats.

  4. Lifecycle

Taking on full lifecycle responsibility means just that. We might monitor in-guest security aspects like anti-virus/malware or vulnerability scanning in discrete, automated, and even orchestrated ways in the previous levels. This level, however, is about actually taking ownership of the operating systems, and perhaps even the application runtimes, within the customer virtual machines. By extending managed services to include what is inside the virtual machines themselves, it becomes possible to take ownership of all facets of cyber security for applications in the hybrid cloud.

  5. Advanced

At the Advanced level, we must be able to leverage all previous levels in such a way that managed services can be deployed to remediate a cyber-threat or execute on a risk management plan to help address security issues of all types. Additionally, we want our resulting cyber toolkit derived from the maturity model to become portable, in appliance form, where managed security services can be delivered anywhere in the hybrid cloud network.

In the upcoming series of blog postings that describe VMware vCloud Architecture Toolkit for Service Providers (vCAT-SP) reference architecture design blueprints and use cases for each maturity level, vCloud Air Network service providers will find what they need to help customers visualize what it takes to both architect and operate the managed security services used to augment the hybrid cloud delivery model.

Eliminating Blind Spots and Reducing Dwell Time

The cyber defense strategies devised to achieve levels of the maturity model focus on defining the individual elements within the system. Management user interfaces, ports, and session authentication, as well as virtual machine file systems, network communications, and so on, should be defined so that controls can be aligned to them. In addition, the provisioning of networks between the resources that consume services and those that provide them, such as management components like VMware vCloud Director® or VMware vCenter™, DNS, or Active Directory, along with the logging of network components (including those that serve end-user applications to their communities), should also occur in as highly automated a fashion as possible.

In this way, human-centric, error-prone activities can be eliminated from consideration as potential vulnerabilities, although automated detection of threats by discrete components across the cyber dimensions is still expected. A high-level example of how we expect these discrete, automated controls to behave is described by Gartner, who defines the concept of a “cloud security gateway” as “the ability to interject enterprise security policies as the cloud-based resources are accessed.” By defining controls for system elements and their groupings in this way, we can form a fully identified inventory of what is being managed, by whom, and where it resides. Likewise, by understanding and quantifying the controls applied collectively to these elements, we can begin to measure and score their effectiveness. This harmonization is critical to delivering consistent enforcement mechanisms we can rely on across both sides of the hybrid cloud, creating the foundation of trust.

Despite our efforts to inventory all elements within systems, attacks will still arrive from the outside world through the user-facing portions of the application stack, for example via SQL injection or cross-site scripting. The threat of compromised insider privileged users will still be present, as will “social engineering” methods of obtaining passwords. However, the “escape” of a rogue, privileged user into a realm from which they can continue their attack has been minimized. We have taken the elements of time and space and defined them to our advantage, creating a high-security prison effect that requires a new vulnerability exploit for each step in the kill chain.

Because attackers generally have a limited budget and time in which to execute a successful attack, oftentimes even our simplest security approaches are enough to make us the safest house on the block. Also, because all activities that occur within the environment are likely to be well known, the environment acts as a sensor that generates high-confidence indicators with very little noise, so anomalies are easy to spot. Given the presentation of those anomalies, and playbooks already available to address many adverse operating conditions, you are providing customers the ability to deliver a credible response to threats, something many lack today.


The goal of vCloud Air Network service providers and their partners should be to identify the cyber security challenges that customers face, as well as which meaningful, coarsely grained packages of managed services can be offered to help tackle those challenges. By aligning with the Managed Security Services Maturity Model, providers can leverage the VMware SDDC and the VMware NSX software-defined networking and security capabilities to deliver something truly unique in the enterprise IT industry: a secure hybrid cloud. By further aligning these capabilities and services with those of application migration and DevOps (stay tuned for blogs on those and other subjects), and taking ownership of the full lifecycle of security, effective remediation of existing threats becomes possible. Together, we can help customers evaluate their risk profile, and understand how these techniques minimize attack points and vectors and reduce response times, while increasing effectiveness in fighting cyber threats.

What you’ll see throughout the Managed Security Services Maturity Model is the creation of a “ubiquity” of security controls across each data center participating in the hybrid cloud. This ubiquity will allow for a consistent, trusted foundation from which the performance of the architecture and operations can be measured. Individual policies can then be constructed across this trusted foundation relative to specific security contexts consisting of applications and their users as well as administrators and their actions, leaving very little room for threats to go unnoticed. As these policies are enforced by the controls of the trusted foundation, cyber security response becomes more agile because all components are performing in a well understood fashion. Think of military special forces training on a “built for purpose” replica of an area they plan to assault to minimize unexpected results. Security operators can now be indoctrinated and immersed, knowing what scenes are expected to play out instead of constantly looking for the needle in the haystack. This will also ultimately create the ideal conditions for helping to rationalize unfettered consumption of elastic resources while also fulfilling the vision and realizing the potential of the hybrid cloud.

Migration Strategies for vCloud Air Network Service Providers

As a vCloud Air Network service provider, building and offering hybrid cloud services to customers based on the SDDC is only half of the battle. Making sure that they are able to consume that service with fluidity becomes a critical area of focus. The less friction this Cloud Migration process has, the faster the customer time to value and service provider time to revenue become.

To address this rather broad subject, VMware is publishing a new document, “Migration Strategies for Hybrid Cloud,” in the VMware vCloud Architecture Toolkit™ for Service Providers (vCAT-SP). This blog introduces high-level concepts from that document. These concepts are meant to help both service providers and customers alike understand the opportunities and challenges when undergoing migration to a hybrid cloud scenario. Because this topic covers a vast area of information, the document only covers a few of the use cases available. Many of the more advanced use cases are accomplished through VMware Technology Partners, so stay tuned to the vCAT blog for additional information on how these solutions can be leveraged for migration to the hybrid cloud.


Figure 1. High Level Tool Categories for Migration

Looking at the figure above, we can see there are four main categories of tools available to accomplish the different phases of the migration workflow. While each category could be provided by a discrete tool, it is often the case that a single tool functions in more than one category. It is also quite likely, for most migration use cases, that operators must coordinate activities between the tools in a workflow. Some, or in the best case all, of these capabilities are integrated to help the parties carry out the significant number of steps required by the variables of each migration instance. Leveraging the SDDC and its APIs provides the opportunity to automate as many of these steps as possible, and many of the available tools facilitate some level of this type of automation.

More often than not, however, the governance of migration projects, or perhaps even programs, should be addressed with a Migration Center of Excellence (COE). The Migration COE, typically hosted by the service provider, will contain one or more instances of this tool chain, constructed to allow customers and potentially other partners to come together and understand all of the variations that may drive migrations. Too often there is a rush to the workload migration tools themselves to relocate applications to the cloud without having considered the pitfalls, risks, and even upside potential offered by looking at the problem holistically. Specifically, we want customers to leverage the SDDC along with other VMware and Technology Partner solutions to introspect current application architectures, as well as plan, and perhaps automate, the target tenant consumption of the service provider. The Migration COE allows us to visualize the “best fit” combination of tools and processes to plan the customer migration experience. The more information that can be applied to the process, the better.

By gleaning all of the potential information about source infrastructure and applications, we can create a repository of knowledge to plan migrations. The more virtualization and cloud-oriented solutions that are installed on the customer premises, such as VMware NSX® or VMware vRealize®, the more “migration ready” applications under the management of that infrastructure become. This is due to the ubiquity of the target hybrid cloud architectures, both built on the VMware SDDC. The primary function of the discovery and assessment tools is to ascertain the dependencies of the applications at a functional technology level. Examples of this might be DNS, PKI, or other authentication/authorization services, such as LDAP, that need to be made available to the application in its new post-migration home. Determining these dependencies will go far in planning for the serialization and parallelization of follow-on tasks related to migration and help to feed the three downstream task types—job scheduling, workload migration, and application verification. A great example of this customer-centric approach to discovery and assessment leverages VMware NSX and VMware vRealize Log Insight™. Once configured, the solution provides visualization of network activities through the Log Insight NSX for vSphere Content Pack v3, including application component interaction through networks and ports as described in this video.
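The dependency discovery described above, carried one step further into migration planning, as an added example in Python (not ATADATA's, VMware's, or the Log Insight content pack's code). The flow records are a constructed sample in a simplified (source VM, destination VM, protocol, destination port) shape rather than the content pack's schema, and the VM names, ports, and the set of shared services (DNS, LDAP) that are re-provided at the target rather than migrated are assumptions. It builds the dependency graph, lists the shared services each VM needs at its new home, and groups VMs into migration waves so that everything a VM depends on has already moved, with mutually dependent VMs placed in the same wave (the serialization and parallelization of follow-on tasks the paragraph refers to).

```python
"""Dependency discovery from observed flows, feeding migration wave planning.

Added example, not ATADATA's, VMware's or Log Insight's code. FLOWS is a
constructed sample in a simplified (src_vm, dst_vm, proto, dst_port) shape,
not the Log Insight NSX content pack's schema; VM names, ports and the set of
shared services are assumptions.
"""
from collections import defaultdict

# Constructed sample of observed flows: (source VM, destination VM, protocol, destination port).
FLOWS = [
    ("web-01", "app-01", "tcp", 8443),
    ("web-02", "app-01", "tcp", 8443),
    ("app-01", "db-01", "tcp", 3306),
    ("app-01", "ldap-01", "tcp", 636),
    ("web-01", "dns-01", "udp", 53),
    ("app-01", "dns-01", "udp", 53),
    ("db-01", "dns-01", "udp", 53),
    ("batch-01", "app-01", "tcp", 8443),
    ("app-01", "batch-01", "tcp", 9000),   # app-01 and batch-01 depend on each other
]

# Assumption: infrastructure services that are re-provided at the target (DNS, LDAP)
# rather than migrated with the application.
SHARED_SERVICES = frozenset({"dns-01", "ldap-01"})


def dependency_graph(flows):
    """Map every VM to the set of (dependency VM, proto, port) it initiates traffic to."""
    deps = defaultdict(set)
    for src, dst, proto, port in flows:
        deps[src].add((dst, proto, port))
        deps[dst]  # make sure VMs that only receive traffic appear as nodes too
    return dict(deps)


def external_dependencies(deps, shared=SHARED_SERVICES):
    """Shared services each migrating VM relies on; these must exist at the target before cutover."""
    out = {}
    for vm, targets in deps.items():
        if vm in shared:
            continue
        needed = {t for t in targets if t[0] in shared}
        if needed:
            out[vm] = needed
    return out


def _reachable(graph, start):
    """All nodes reachable from start along dependency edges (start itself only via a cycle)."""
    seen, stack = set(), [start]
    while stack:
        for nxt in graph[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def migration_waves(deps, shared=SHARED_SERVICES):
    """Group migrating VMs into waves so that everything a VM depends on has already moved.

    VMs that depend on each other (a cycle in the graph) cannot be serialized and are
    placed in the same wave; VMs within one wave are independent and can move in parallel.
    """
    graph = {vm: {d for d, _, _ in targets if d not in shared}
             for vm, targets in deps.items() if vm not in shared}
    reach = {vm: _reachable(graph, vm) for vm in graph}
    # strongly connected component of each VM: the VMs it is mutually reachable with
    component = {vm: frozenset(u for u in graph
                               if u == vm or (u in reach[vm] and vm in reach[u]))
                 for vm in graph}
    waves, done = [], set()
    while len(done) < len(graph):
        ready = [c for c in set(component.values()) if not c <= done
                 and all(d in done or d in c for vm in c for d in graph[vm])]
        if not ready:  # cannot happen: the component graph is acyclic
            raise RuntimeError("unresolvable dependency cycle")
        wave = sorted(vm for c in ready for vm in c)
        waves.append(wave)
        done.update(wave)
    return waves


if __name__ == "__main__":
    deps = dependency_graph(FLOWS)
    for vm, needed in sorted(external_dependencies(deps).items()):
        print(f"{vm} needs at target: {sorted(needed)}")
    for n, wave in enumerate(migration_waves(deps), 1):
        print(f"wave {n}: {', '.join(wave)}")
```

On the sample, the database moves first, app-01 and batch-01 move together because each calls the other, and the web tier moves last; app-01 also shows up as needing LDAP (636/tcp) and DNS (53/udp) at the target, which is exactly the kind of dependency that must be provisioned before cutover.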

Another important topic discussed in the migration document is workload mobility. There are a number of ways to provide hybrid cloud network connectivity (some are described in the blog Streamlining VMware vCloud Air Network Customer Onboarding with VMware NSX Edge Services), and many ways in which customers understand the concept of workload mobility. Because of the SDDC abstraction, many concepts discussed in the vCAT-SP use the terms “underlay” and “overlay”. While there is an obvious requirement for Layer 3 network connectivity to each site, the architecture will depend on the VMware software capabilities available at each site. Customers may choose VMware vSphere® metro clusters, a disaster avoidance scenario using VMware vSphere Replication™, or disaster recovery with VMware Site Recovery Manager™.

The Migration COE may include recommended methods based on any or all of these capabilities to help understand which may be appropriate in which situations. The hybrid network types in the previous paragraph provide workload mobility in the SDDC portion of the underlay and require VMkernel ports and operations. The migration solutions discussed in the vCAT-SP migration document, however, focus on the overlay consumption of hybrid cloud networks provided by VMware NSX, creating target environment capabilities that give the application acceptable characteristics in its new hybrid cloud location. One example is the creation of VMware NSX Distributed Firewall policies for application-centric micro-segmentation, as described in the vCAT-SP blog, Micro-Segmentation with NSX for vCloud Air Network Service Providers. Because labor can exceed 50% of the overall cost of a migration, as described by the pro forma cost model in this Forrester brief and detailed in this blog, migration becomes the linchpin of the entire process of acquiring new customers and recognizing the revenue from the services they consume. Choosing the right combination of tools and labor is therefore on the critical path to making sure migrations function optimally.

Another critical facet that might be outside of the Migration COE is capacity planning. The different methods used in workload mobility require specific underlay network capabilities to achieve their goals, mainly bandwidth/throughput and latency. More information on underlay networking for hybrid cloud can be found in the vCAT-SP document, Architecting a Hybrid Mobility Strategy with VMware Cloud Air Network. It is important to understand that the entire phenomenon of workload mobility, including migration, is a numbers game, and not just one of network performance. Customers will demand an understanding of how the application will be managed for performance and maintenance in the new environment, perhaps through SLAs, which will be used to forecast the service provider’s TCO for the hosting environment. Provider compute, storage, and network infrastructure must be provisioned in time to accommodate new tenant migration activities, including potential shared transfer storage, along with ongoing performance requirements. Some of the main drivers for the application cutover itself can be related to recovery point objectives and recovery time objectives (RPO/RTO), perhaps requiring the introduction of a hardware storage replication scheme into the mix. Consider also the operational lead times for deploying and making these items ready for consumption, and the potential ROI from automating as many tasks as possible.

Finally, one of the key reasons a service provider would drive their customers to collect the fullest amount of data possible is to leverage it to predict which customer workloads come with a “stickiness” to new services offered by the service provider and their partners. The ability to digest and manage all of this data in an effective, holistic way provides agility, creating a migration “funnel” of activities, fully leveraging but not exceeding capacities. This is achieved while also sustaining transparency to stakeholders, which is very powerful when a new journey is undertaken. Because vCloud Air Network offerings are built on the VMware SDDC you can be confident that it will offer the greatest compatibility and ease of both migration and mapping new operational procedures based on best practices in the vCAT-SP.

Micro-Segmentation with NSX for vCloud Air Network Service Providers

As a VMware vCloud® Air™ Network service provider running your cloud with VMware software, you’re probably familiar with technologies such as VMware NSX® and how they can be used to accomplish huge paradigm shifts within the enterprise data center. Micro-segmentation is one of the phenomena brought about by VMware NSX that facilitates one of these shifts—software-defined networking and security. Owning and operating a VMware powered data center means you are also likely seeking to leverage differentiators in the VMware platform to offer new, value-add services to your customers. What might not be clear, however, is how to take a killer feature like micro-segmentation and build differentiating use cases into the platform that can help customers and other partners in solving many challenges.

This is the first in a series of blog posts designed to help vCloud Air Network partners to do just that—offer new, differentiated services that leverage software-defined networking and security. These blog posts serve as a vehicle to introduce several forms of information. First will be the published reference architectures that match the subjects of these blogs, in this case, micro-segmentation. Second, use cases based on the reference architectures will be provided. Last, the Managed Security Services Maturity Model will offer the opportunity to provide increasingly enhanced security-related services to our customers by positioning those use cases within the maturity model that are the best fit. A separate blog on the maturity model is forthcoming.

Understanding Industry Challenges

Micro-segmentation is the ability to provide segmentation at a micro, or per-VM, level. It may employ different mechanisms for different components of the virtual machine; in this blog we are discussing the virtual network component. In days past, segmentation was achieved by physically separating the servers (and their network interfaces) in order to filter between the tiers of an application. This is inefficient at best in a cloud computing environment, although many customers and service providers are left to do just that in the name of security, compliance, and so on. In the purest sense, then, micro-segmentation is about bringing functionally equivalent segmentation to the virtualization layer, effectively allowing virtual machines to exist in an isolated security context while consuming shared resources.

One of the fundamental challenges solved by micro-segmentation is East/West traffic in the data center. Simply put, micro-segmentation provides the ability to apply network-centric controls to virtual machines without “hairpinning” traffic, or taking all packets between every virtual machine and passing them through centralized firewall technologies to be filtered. This legacy approach creates immense operational challenges for managing physical network components, including VLANs, cabling, and overall throughput of the security devices. From a security perspective, any traffic that cannot use the hairpinning method of transport falls outside of policies, and renders “blind spots” for cyber threats to communicate. While many vendors make virtual versions of their firewall and other security appliances, performance suffers due to serialization of network traffic across many contexts in the virtualization stack.

To address many of these challenges, VMware NSX introduced VXLAN and Distributed Firewall to the mix. VXLAN extends virtual Layer 2 subnets, known as “overlay” networks, over any physical Layer 3 routed network, also known as the “underlay” networks. In addition, VMware NSX now provides a stateful, virtual firewall running in the VMware ESXi™ hypervisor memory space, right next to where the network traffic is serialized from the physical network interface. This provides not only tremendous performance benefits, but also the ability to deal with firewall tuples that are no longer bound only to the “old school” mechanisms of TCP ports, IP addresses, and so on. VMware NSX Distributed Firewall now includes next-generation features like Active Directory security identifiers, and dynamic groups of VMware vSphere® objects, where policies can be enforced independent of, or in addition to, network configurations of protected virtual machines. What is perhaps most important, no matter where those protected vSphere objects might reside in terms of ESXi hosts across a hybrid cloud, they will be protected by those policies enforced within the hypervisor space prior to being serialized for network I/O. To level set readers in understanding these concepts, see this short video:

VMware NSX Hybrid Cloud Networks and Micro-Segmentation

While this awesome new capability opens many opportunities for VMware and vCloud Air Network partners to offer something truly unique in the industry, the ways to deploy the micro-segmentation pattern must be addressed. To evaluate the critical path items, first consider the potential deployment models and types of managed services that can be offered to aid in adoption of this new method of deploying firewall security into the hybrid cloud. Prerequisite to understanding the ideal deployment model for micro-segmentation will be the planning of how to deliver the “underlay network” or the Layer 3 path from the vCloud Air Network service provider data center to the customer premises. Once this is understood, the types of VXLAN networks, along with potential Layer 3 routes, will need to be prescribed for both underlay and overlay. This approach will be decided by each service provider but does have implications as to how the NSX Distributed Firewall and micro-segmentation will be implemented.

For more background, remember that in vSphere 6 and VMware NSX 6.2, as detailed in the blog “Live Workload Mobility to a vCloud Air Network IaaS Provider”, VMware introduced features critical to the delivery of a hybrid cloud network. First was the ability for a VMware vSphere Distributed Switch™ to exist within a VXLAN network across VMware vCenter™ instances (VMware NSX Manager™ now supports up to eight vCenter instances). Second was cross-vCenter VMware vSphere vMotion®, which also synchronizes vSphere Distributed Switch definitions across participating vCenter instances. However, this doesn’t come without its drawbacks. In this scenario, the VMware NSX Distributed Firewall is restricted to the aforementioned legacy, or “old school”, network security tuples known as Universal Security Groups. These Universal Security Groups provide the potential for shared management of policies, and assurance that migrated workloads come with a collection of rules that is transportable across these domain boundaries (from private to public cloud). Note: Universal Services/Service Groups replicate Universal object states.

Deployment Models and Managed Services

Given the new paradigms introduced by VMware NSX Distributed Firewall, along with the myriad ways in which hybrid cloud networks can be architected and deployed, it becomes increasingly necessary to generate “line of sight” through not only the on-boarding process but also the process of taking ownership of workloads with regard to firewall policies. A critical exercise is to decide questions such as whether or not you will support long-distance vSphere vMotion, and whether that is a one-time activity or can occur only during particular time windows. To further illustrate this point, see Figure 1 below. In this case, up to eight vCenter instances are enlisted in a replication scheme to synchronize universal object types between them. This allows the inventory to stay updated relative to virtual machine location, network connectivity, and the distributed firewall rules that will be applied.

Figure 1. Multi vCenter Synchronized VMware NSX Universal Objects

While this provides the most freedom relative to workload mobility, and perhaps even elastic consumption in some cases, it does so at the loss of some of the more advanced security groupings used to dynamically enforce policies, which will be discussed in future blogs. All is not lost, however, because advanced groupings and policy application are not excluded from participation. They are simply bound to a single vCenter in scope, and therefore to a single NSX Manager on whichever side of the hybrid cloud they may lie. Because the Security Group option is available as a Universal object type, you can still group virtual machines for the application of policies. However, those rules become static, as opposed to the dynamic ones that are used to orchestrate many NSX security related operations.
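The practical consequence of the last two paragraphs (Universal groups replicate but are static; dynamic groups are bound to one NSX Manager) is easiest to see by tracing a single rule table across a long-distance vMotion. The following is an added example, not VMware code and not the NSX API: it is a constructed model with hypothetical group, rule and VM names in which a Universal group is an explicit, replicated member list and a local dynamic group is tag-based but evaluated only by its home NSX Manager.

```python
"""Constructed model of NSX Distributed Firewall policy across two
vCenter/NSX Manager domains (not VMware code). It mimics only the
membership semantics the post describes: Universal groups carry a static
member list replicated to every NSX Manager; local dynamic groups are
computed from vSphere attributes (tags here) by a single NSX Manager."""

from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    site: str                       # vCenter/NSX Manager domain the VM lives in now
    tags: frozenset = frozenset()   # vSphere attributes used by dynamic membership


@dataclass
class SecurityGroup:
    name: str
    universal: bool                            # replicated to every NSX Manager?
    home_site: Optional[str] = None            # local groups exist in one domain only
    static_members: Set[str] = field(default_factory=set)   # Universal-style members
    tag_criteria: Set[str] = field(default_factory=set)     # dynamic, tag-based members

    def contains(self, vm: VM) -> bool:
        if self.universal:
            # Universal object: the same explicit member list on both sides
            return vm.name in self.static_members
        if vm.site != self.home_site:
            # A local dynamic group is unknown to the other NSX Manager
            return False
        return bool(self.tag_criteria & vm.tags)


@dataclass
class Rule:
    name: str
    src: str                   # security group name, or "any"
    dst: str
    dst_port: Optional[int]    # None = any port
    action: str                # "allow" | "deny"


def evaluate(rules: List[Rule], groups: Dict[str, SecurityGroup],
             src: VM, dst: VM, port: int) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule, evaluated top-down."""
    for r in rules:
        if r.src != "any" and not groups[r.src].contains(src):
            continue
        if r.dst != "any" and not groups[r.dst].contains(dst):
            continue
        if r.dst_port is not None and r.dst_port != port:
            continue
        return r.name, r.action
    return "default", "deny"   # implicit default-deny at the bottom of the table


def vmotion(vm: VM, target_site: str) -> VM:
    """Long-distance vMotion: the VM keeps its name and tags, only its domain changes."""
    return replace(vm, site=target_site)


# Constructed inventory (hypothetical names)
GROUPS = {
    "usg-web": SecurityGroup("usg-web", universal=True, static_members={"web-01"}),
    "sg-pci": SecurityGroup("sg-pci", universal=False, home_site="private",
                            tag_criteria={"pci"}),
}
RULES = [
    Rule("block-pci-egress", src="sg-pci", dst="any", dst_port=None, action="deny"),
    Rule("allow-web-https", src="any", dst="usg-web", dst_port=443, action="allow"),
]
WEB = VM("web-01", site="private")
DB = VM("db-01", site="private", tags=frozenset({"pci"}))


def policy_before_and_after() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Same flow (db-01 -> web-01:443) before and after both VMs move to the public side."""
    before = evaluate(RULES, GROUPS, DB, WEB, 443)
    after = evaluate(RULES, GROUPS, vmotion(DB, "public"), vmotion(WEB, "public"), 443)
    return before, after


if __name__ == "__main__":
    b, a = policy_before_and_after()
    print("before vMotion:", b)   # ('block-pci-egress', 'deny')
    print("after vMotion: ", a)   # ('allow-web-https', 'allow')
```

The Universal group still matches web-01 on the public side because its membership is an explicit list that replicated with the object; the tag-driven deny rule silently stops matching because the public NSX Manager never computed that membership. When planning a migration, any rule whose source or destination is a local dynamic group is a rule that must be re-expressed, or its workload re-tagged under the target NSX Manager, before the move.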

As you will see in the upcoming blogs, this full VMware NSX security context is critical for delivering increasingly greater value in terms of the security functions that you are able to offload for your customers as a managed service. While eliminating the network boundary between data centers and moving the firewall and its pertinent rule set to be enforced in each ESXi host, there remains a boundary between the private and public sides of the cloud. This boundary is no longer necessarily only a network boundary; it is also a management boundary, consisting of objects with a universal context. The freedom given by operations like long-distance vSphere vMotion migration of virtual machines across these boundaries requires an understanding of how to take ownership of more facets of the customer workload that can benefit from security controls implemented by the provider: filesystem encryption, vulnerability scanning, or operating system patching, just to name a few. This philosophy becomes critical in the delivery of a managed service where disruptive networking and security technology is employed.

This situation opens up opportunities to take ownership of security services management, such as firewall, along with the greatly simplified positioning of micro-segmentation, through a managed service. This will require careful coordination of items such as workload migration and application of security policy via Universal or standard NSX security groups. By defining optimal policies for each of the VMware NSX security realms and providing administrator sessions for customers to manage Universal objects (as Advanced Networking Services will do for VMware vCloud Director®), VMware wants vCloud Air Network partners to become Centers of Excellence for customers, conveying the delivery of advanced security capabilities.

Given the shared responsibility that is required, many of the challenges in delivering micro-segmentation to the hybrid cloud are not unique. However, the opportunities relative to operationalizing security in a hybrid cloud model with your customers are numerous. Managing the relationship with your customers becomes an integral part of how future security-based services will be offered. This relationship management, now demanding even more diligence regarding what the expectations should be on all sides, includes strictly defined, measurable parameters for all security services to be delivered. With VMware NSX, its Distributed Firewall, and micro-segmentation, VMware is well on the way to delivering network security and operations in a way that changes the very nature of these concerns for hybrid cloud from impediment to asset. All that is left is understanding and mapping the value in ways that can be effectively executed upon to reduce risk and to realize the hybrid cloud vision. Stay tuned for future blog posts here on the vCAT blog that will show you how to do just that.