Security

Modern Art. VMware, Modern Security Architecture, and the Digital Future

By VMware VP of Security Engineering, Architecture and Vulnerability Management, Brad Doctor  

Modern security architecture (MSA) is becoming a necessity for enterprises to remain competitive in the digital age. Unfortunately, many companies still spend significant resources on securing outdated legacy systems instead of literally modernizing their operations with MSA.

But what is MSA exactly, and why is it is ideal for securing today’s enterprise infrastructure?

Here come the pod people

One of the foundations of MSA is segmenting data into pods, such that if one pod is compromised the entire ecosystem is not affected as with legacy solutions.

At VMware, we accomplish this pod architecture with micro-segmentation, as well as logical and physical segmentation. For example, starting with the VMware ESXi™ hosts, each distinct physical network interface card (NIC) is connected to its purposeful network. VMware vSphere® vMotion™, management, and virtual machine (VM) traffic all feature separate physical interfaces and networks. In addition, VMware NSX™ is employed to further isolate each pod and/or application environment. Within a given pod, secure intra-pod communication is enforced, including outbound traffic and administrative access.

Passwords are needed, why again?

Question mark tree on island

It’s a sad fact. Passwords are one of the most vulnerable ‘security’ controls, and that’s primarily due to human behavior. Good news is there are numerous secure alternatives that, as a bonus, also provide a seamless user experience. These include x.509 certificates for SAML authentication, FIDO Passkeys/tokens, Vault-backed SSH certificates at scale, and even traditional time-based, one-time passwords (TOTPs). Put simply, there is no good reason to use a password anywhere, ever.

On our part, VMware IT teams have gone to great lengths to eliminate passwords at every infrastructure level—from the core foundational gear all the way out to a user’s mobile device.

We gave up the domain

Goodbye sign

A domain is a fantastic way to distribute credential caches out to all your endpoints as well as increase your attack surface. It’s also a great way to start a threat actor feeding frenzy.

That’s why one of the key points of an MSA encompasses a domainless endpoint strategy. At VMware, we accomplish this with VMware Workspace ONE®, a domainless solution that enables virtually every policy one would normally expect—with no compromise. Teams leverage OS-native capabilities to patch endpoints, encrypt disks, and configure native host-based firewalls. This is all accomplished with a far smaller endpoint footprint, a fact that translates to superior user satisfaction and long-term performance/compatibility.

More importantly, each endpoint is unique and its own pod. Credentials used to login to the endpoint have absolutely nothing to do with anything else. Who you login as doesn’t matter—credentials employed are chosen by the ultimate user. This is a strategic decision designed to thwart threat actors—lack of uniformity means fewer vulnerabilities at scale.

Network . . . less?

road closed sign on winter road

How can something possibly be networkless? Easy.

Users only require internet access to consume applications required for their day-to-day activities. This is seamlessly accomplished with Workspace ONE and has the following benefits:

  • API-based application access
  • SAML authentication to enable strong passwordless authentication, as well as single sign-on (SSO)
  • End-to-end encryption of data in flight and at rest
  • Consistent positive experience across mobile and desktop platforms

How does being networkless help reduce risk? More than you think.

Think about a ransomware event. This normally requires authentication and network access. So, if there are domain-joined endpoints, authentication is easier for hackers to get. If network access is required for application consumption, then that potential breach condition is met, too. On the other hand, if there are no common credentials—and no implicit network access—then the bar for threat actors is set a lot higher.

Wrap up

In summary, MSA results in fundamentally reduced risk, with the added benefits of far higher end user productivity and satisfaction. Additionally, the resilience of the architecture enables a work-from-anywhere (WFA) model that is actually much simpler to manage than a legacy architecture, not to mention substantially more cost effective in the long run.

MSA is constantly evolving, so contact your account manager to book a briefing with one of our IT experts to learn the latest. For other questions, contact [email protected].

To learn more about how VMware addresses security, check out our blogs on the topic.

We look forward to hearing from you.

VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. To learn more about how VMware IT uses VMware products and technology to solve critical challenges, visit our microsite, read our blogs and IT Performance Annual Report and follow us on Twitter and YouTube. All VMware trademarks and registered marks (including logos and icons) referenced in the document remain the property of VMware.