
There’s a growing idea in the greater VMware community that the role of the Virtualization Infrastructure Administrator (VI Admin) is changing. If you’ve been to a VMware User Group conference recently you will have seen & heard talks on this, how VI Admins are being asked to do new things and being offered opportunities outside of their traditional comfort zone. Frankly, this is good. It’s a sign that siloes in IT are starting to erode, not just in our minds, but also in practice.

Nowhere is this more important than with information security. While many organizations have dedicated Infosec and Risk Management staff reporting to the CISO, it’s often the case that those groups are focused on creating policy and auditing for compliance, as well as incident handling and security threat modeling.

This means that the actual front line of security in an organization is the IT operations staff, the folks that traditionally consider themselves VI admins, sysadmins, network administrators, and such. Daily decisions made by operations teams have serious implications for security, whether it’s system designs, user account maintenance, capacity management, or patching cycles.

You can see why a VMware SVP like Tom Corn keeps talking about security being a team sport, then. In a recent article for SDxCentral he talked about how this is having a direct effect on VI Admins:

“Because of this, vAdmin job descriptions are starting to include security-specific roles, he added. ‘Things like taking an active part in security initiatives, setting up virtual infrastructure securely, tightening virtual infrastructure, dealing with vulnerabilities in VMs.’”

“And it also means that everyone is on the same page when it comes to protecting workloads and data, Corn said… ‘They are now all working together on the same problem as opposed to being completely siloed — siloed views are where you have misalignment and misconfiguration, and that ultimately leads to data breaches. The beauty of having the infrastructure team involved is starting to have a single version of truth.’”

Right on. Tools like VMware AppDefense, part of vSphere Platinum, help create a single source of truth by providing infrastructure-level views into workload integrity and connectivity, for both infosec and the operations teams. It flips the legacy antivirus model – looking for an always-outdated list of bad things – on its side in search of a much more efficient and secure way of securing endpoints.

VMware NSX makes it easy for network security policies to be applied around a single VM, which in turn makes it much simpler to troubleshoot and to audit. vRealize Operations Manager, vRealize Log Insight, and vRealize Network Insight offer deep visibility into the environment, from the infrastructure to the workloads.

VMware Cloud on AWS offers all the capacity & flexibility of the public cloud with the interfaces & products that organizations already know. It has become a valued abstraction layer across clouds that helps organizations of all sizes and types consume the public cloud at their own pace while solving real, time-sensitive business problems.

Not only do you have single sources of the truth, but you can also start having single processes and methods for securing workloads. Take VM Encryption for example. It’s a core feature of vSphere present since 6.5 and it enables VI Admins to implement data-at-rest encryption using whatever storage they have already, regardless of guest OS or applications. Because the encryption is done inside the infrastructure itself it’s completely transparent to the workloads. Want to encrypt that old Windows Server 2003 VM you can’t quite get rid of yet? No problem.

Better yet, it’s one process for humans to follow. You don’t have to manage documentation for BitLocker on different versions of Windows, or dm-crypt on different versions of Linux. One source of truth, too – when an auditor would like to check the encryption state of VMs it can be done with one line of scripted code in vSphere, compared to the complexity of auditing individual workloads. The robust access control model in vCenter Server also means you can give that auditor the ability to check on their own, reducing friction and speeding results.

vSphere Features & the Infosec CIA Triad

There are lots of examples of how VMware makes things easy to be secure. Just look in the configuration settings for a VM itself! Want to enable Secure Boot, to make it difficult for malware to infect a guest OS? It’s a checkbox. There’s also Virtualization-Based Security (VBS), or what Microsoft uses for the Windows security features Device Guard & Credential Guard. VBS is an important tool for organizations to stop credential attacks on Windows, and is now mandatory in the recent DISA STIG for Windows Server 2019. Like Secure Boot, VBS is simply a checkbox in the VM configuration, and then you enable the feature inside Windows just as you would on desktops and physical systems. There’s incredible complexity under the hood to make that happen, but that’s VMware’s challenge to deal with.
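The audit described above (VM Encryption state) and the two checkbox settings in this paragraph (Secure Boot, VBS) can be read from the same VM configuration object. The following is an added example, not code from the original post or from VMware: the function name `Get-VMSecurityPosture`, the `Compliant` rule and the sample VMs are assumptions made for illustration, and the sample objects are constructed so the script runs without a vCenter connection.

```powershell
# Added example. Against a live vCenter (VMware PowerCLI, after Connect-VIServer):
#   Get-VM | Get-VMSecurityPosture | Where-Object { -not $_.Compliant }

function Get-VMSecurityPosture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$VM
    )
    process {
        $cfg = $VM.ExtensionData.Config
        # Config.KeyId is set when the VM's configuration (VM home) is encrypted.
        $encrypted  = $null -ne $cfg.KeyId
        $secureBoot = [bool]$cfg.BootOptions.EfiSecureBootEnabled
        $vbs        = [bool]$cfg.Flags.VbsEnabled
        [pscustomobject]@{
            Name       = $VM.Name
            Firmware   = $cfg.Firmware
            Encrypted  = $encrypted
            SecureBoot = $secureBoot
            VBS        = $vbs
            # Hypothetical policy for this example: all three must be enabled.
            Compliant  = $encrypted -and $secureBoot -and $vbs
        }
    }
}

# Constructed stand-ins that mimic the shape of PowerCLI VM objects.
function New-SampleVM($Name, $Firmware, $KeyId, $SecureBoot, $Vbs) {
    [pscustomobject]@{
        Name          = $Name
        ExtensionData = [pscustomobject]@{
            Config = [pscustomobject]@{
                Firmware    = $Firmware
                KeyId       = $KeyId
                BootOptions = [pscustomobject]@{ EfiSecureBootEnabled = $SecureBoot }
                Flags       = [pscustomobject]@{ VbsEnabled = $Vbs }
            }
        }
    }
}

$sample = @(
    New-SampleVM 'win2019-app01'  'efi'  'constructed-key-id' $true  $true
    New-SampleVM 'win2003-legacy' 'bios' 'constructed-key-id' $false $false
    New-SampleVM 'linux-web01'    'efi'  $null                $true  $false
)
$sample | Get-VMSecurityPosture | Format-Table -AutoSize
```

Individual virtual disks carry their own encryption key reference, so a complete audit would also inspect each disk's backing; this example reports the VM-level state only.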

Making it easy to be secure means we increase the odds that it’ll happen, without major staff time expenditures or retraining. This is true for secure defaults, too, which is another goal of ours. Shipping products that are secure shortens implementation times and lightens the load on both infosec and IT operations. It also means that compliance activities are easier to accomplish, because good security means good compliance.

It’s safe to say that everyone from the C-suite on down just simply wants things to be straightforward, secure, and compliant, so they can get back to doing more interesting things and moving their organizations forward. Teams working together collaboratively through VMware products like vSphere Platinum and VMware Cloud on AWS help erase the hard lines between VI Admin, infosec, network admin, and storage admin in a way that improves overall security, is safe and respectful of careers and skill sets, and allows VI Admins and their peers to grow as new challenges and technologies appear.

 

About the Author

Bob Plankers

Bob Plankers works in the Cloud Platforms group at VMware, focusing on all forms of vSphere security. Prior to joining VMware he spent more than two decades leading cross-organizational teams that designed, built, and operated reliable, secure, and compliance-oriented IT infrastructures. He can be found at blogs.vmware.com, bob.plankers.com, lonesysadmin.net, and @plankers on Twitter.