by Brad Doctor, Senior Director, Information Security, VMware
Security expert Bruce Schneier once said, “complexity is the enemy of security,” and this is definitely true today. The proliferation of cloud computing, anywhere/anytime mobile devices, and other emerging solutions within the modern enterprise infrastructure has created technology monsters that often outstrip their security capabilities. In fact, the typical large enterprise has an information security portfolio that includes more than 100 vendors and/or technology solutions.
At VMware, our IT teams realized that our infrastructure, too, was threatened by unnecessary complexity. Not only did our portfolio include 100+ technology solutions, but the majority were not well understood, not mission-critical, and in urgent need of simplification. We knew we needed to change our technology mindset in order to make VMware an agile (and secure) enterprise, today and tomorrow.
The guiding philosophy was to be secure, resilient, and compliant from the inside out, meaning architect security and compliance at the start, when it is by far the easiest and most effective to implement. Using these guidelines, we reduced our information security portfolio from 100+ disparate solutions to around 10 critically important capabilities. These are ones that our teams are expert at supporting, whether it’s security engineering, VMware Security Operations Center (SOC) or IT operations. This laser focus has enabled a level of agility previously unthinkable, let alone within reach.
This agility has a foundation in numerous VMware offerings, including:
Bi-directional Micro-segmentation via VMware NSX
Micro-segmentation enables us to achieve superior security and drive a higher level of IT operational excellence. For example, we gain a comprehensive understanding of application needs, and then in turn codify that in a secure, default-deny ruleset. Our teams started small with NSX in order to gain the operational competence and confidence required for future challenges. The system creates an automated zero-trust network with flexible policies aligned to each enterprise’s individual virtual network, virtual machines (VMs), OS types, dynamic security tags, and associated components. Policies can be defined according to logical groups—such as enterprise applications, training or business intelligence—down to the VM level. Security is so granular that it extends to the virtual NIC. (To read more about our deployment of NSX micro-segmentation, click here.)
In 2016, we deployed our first highly visible and highly critical application—SAP HANA. Each component of SAP had its own micro-segmentation rules tested by IT operations and signed off on by Information Security. Not only was this one of the first implementations of SAP HANA on VMware vSphere, it was also the most secure. All new IT projects now require micro-segmentation, without exception. In fact, to date VMware has successfully implemented more than 47 micro-segmented applications. (To read more about our SAP HANA deployment, click here.)
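As an added, constructed example (not VMware's or NSX's own code or data model), the following Python models the policy style described above: logical groups resolved from dynamic security tags, one allow rule per application hop, and default-deny for everything else. The `VM`, `Rule`, `Policy` and `audit` names, the `app:`/`tier:` tags, and the three-tier "erp" application are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Constructed illustration, not NSX code: tag-driven, default-deny micro-segmentation.
# Tags, group names, ports and VM names are hypothetical.

@dataclass(frozen=True)
class VM:
    name: str
    tags: frozenset          # dynamic security tags, e.g. {"app:erp", "tier:web"}

@dataclass(frozen=True)
class Rule:
    src_group: str           # logical group, resolved against VM tags at evaluation time
    dst_group: str
    port: int
    action: str = "allow"

class Policy:
    """Groups are tag predicates; a flow with no matching allow rule is denied."""
    def __init__(self, groups, rules):
        self.groups = groups     # {group_name: set of tags a VM must carry to be a member}
        self.rules = rules       # ordered; first match wins

    def in_group(self, group, vm):
        return self.groups[group] <= vm.tags

    def evaluate(self, src, dst, port):
        for r in self.rules:
            if self.in_group(r.src_group, src) and self.in_group(r.dst_group, dst) and r.port == port:
                return r.action
        return "deny"            # default-deny: any unmatched east-west flow is dropped

def audit(policy, observed_flows):
    """Return observed (src, dst, port) flows the ruleset would drop: the 'understand the app first, then codify' step."""
    return [f for f in observed_flows if policy.evaluate(*f) == "deny"]

# Constructed three-tier application: one allow rule per hop, each in one direction only.
GROUPS = {
    "erp-web": {"app:erp", "tier:web"},
    "erp-app": {"app:erp", "tier:app"},
    "erp-db":  {"app:erp", "tier:db"},
}
RULES = [Rule("erp-web", "erp-app", 8443), Rule("erp-app", "erp-db", 5432)]
POLICY = Policy(GROUPS, RULES)

WEB1 = VM("web1", frozenset({"app:erp", "tier:web"}))
APP1 = VM("app1", frozenset({"app:erp", "tier:app"}))
DB1 = VM("db1", frozenset({"app:erp", "tier:db"}))
BI_WEB = VM("bi-web1", frozenset({"app:bi", "tier:web"}))   # same tier tag, different application
```

Running `audit` over flows captured during the discovery phase shows exactly which application needs the draft ruleset has not yet codified, before the policy is enforced.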
We call this our ‘better sleeping’ solution. It represents a new era of partnership and shared accountability between information security and IT operations. Here, too, we started small in the form of a key management system (KMS), a mission-critical component. Having our KMS in an enforced state gives us the confidence—based on a known state—that the infrastructure is operating as we intend.
An added benefit of this early-on security and compliance approach has been the user response. Thanks to the incredible uptime IT operations is now able to deliver, overall satisfaction is significantly higher than with the traditional systems. That is what we call a definite win-win scenario.
To learn more, attend VMworld session LDT1719, Taming Security with Tools: Making Compliance a Reality.
VMware on VMware blogs are written by IT subject matter experts sharing stories about IT’s transformation journey using VMware products and services in a global production environment. Visit our portal to learn more or follow us on Twitter: @VMWonVMW.