by: VMware Head of Security Engineering and Architecture Brad Doctor and VMware Senior Security Architect Craig Savage
In part one of our blog series, we shared the first two steps to implementing Zero Trust while building a better colleague experience. We’ll discuss the remaining five steps in this blog.
- Managing Office Networks: Wi-Fi by Default, Ethernet by Exception
The current model of connecting a portable computer to an Ethernet port creates a number of user experience and security challenges. Our Wi-Fi deployment supports most use cases with its high transfer speeds and reliability. The default for Ethernet ports will be Off, and their use will be allowed on an exceptional basis only. Taking this approach removes the administrative overhead of enforcing port access through Network Access Control (NAC) management. VMware IT will retain the ability to turn on an Ethernet port when necessary. This also helps VMware meet its environmental sustainability goals, as we no longer need to provide Ethernet dongles with new laptops.
- Shifting Colleagues to Internet-only Access
When VMware IT transitioned 97% of the VMware workforce to fully remote work during the pandemic, it physically moved colleague endpoints off the main network. This proved to us that direct corporate network access isn’t required. By removing Ethernet port access in our office environments, we plan to provide Wi-Fi with managed, direct internet access instead of corporate network connectivity. This will enable us to manage all user access in the same manner, rather than having one set of rules for office-based access and another set for remote. All access becomes remote, and no end-user devices are permitted on the core network. The next step details how we further improve intrinsic security by removing the always-on VPN.
- Establishing Role-based Network Access Control Lists (ACLs)
VMware IT is removing another “default trusted” path to the network. VPN access will default to Off and be accessible when necessary. Once a device is authenticated, identity-defined policies determine which secure resources a colleague has access to—based on their role. Everything except the most critical systems is now accessible without the need for a VPN tunnel, using the power of Workspace ONE.
- Creating Network Blast Chambers for R&D and Support Teams
R&D and Support teams have use cases that require an isolated environment to contain the impact of their work to prevent harm to the corporate network. Creating network blast chambers as a micro-segmented area of the network provides an environment where they can do almost anything in isolation.
- Enforcing API/VDI-only for Admin Level Activity
Another best practice is to separate administrators from anything else they are currently working on when performing specific tasks. VMware IT prefers that privileged tasks take place via authenticated API access. Otherwise, we require that any CLI/UI level administrative tasks be completed via a Virtual Desktop Infrastructure (VDI) jump box. This user-friendly approach of working on stateless desktops provided by VMware Horizon mitigates risk by separating these activities from their endpoint.
While these are all important steps, VMware IT took a phased and manageable approach to achieving a Zero Trust model and ensuring a positive experience for our colleagues. In a future blog we will share the five pillars we used as the foundation for our robust Zero Trust environment.
For more details, visit the VMworld 2020 site to watch an on-demand video recording of our presentation on this topic. The title is Trusting Zero Trust: How VMware IT Reimagined Security and Resiliency, ISNS1059.
VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. Contact your sales rep or email@example.com to schedule a briefing on this topic. Visit the VMware on VMware microsite and follow us on Twitter.