VMware vShield Zones, a new security service for vSphere, ensures strict compliance with security policies and industry regulations for user data as customers adopt cloud computing with virtual environments for increased efficiency and flexibility. Previously, compliance required diverting network traffic to external physical appliances resulting in disconnected ‘islands’ of infrastructure. With VMware vShield Zones, customers can now create logical zones in the virtual datacenter that span all of the shared physical resources, and each zone represents a distinct level of trust and confidentiality. This allows businesses to comply with corporate security policies and regulations on data privacy while still running applications efficiently on shared computing resource pools.
Traditional security products, such as firewall appliances, require that all network activity pass through a handful of fixed physical locations in order to be monitored. Virtualized applications, in contrast can be migrated between physical hosts for higher resource efficiency and improved uptime. Therefore, companies virtualizing security sensitive applications faced the choice of either leveraging virtualization capabilities such as live migration for optimal load balancing and availability, or enforcing strict security compliance. To solve that dilemma, most customers ended up dividing their virtual environments into smaller, less efficient clusters for areas such as their Internet-facing demilitarized zones (DMZ’s) or consumer credit data processing systems subject to Payment Card Industry regulations. VMware vShield Zones enables customers to create security zones within enterprises or in multi-tenant cloud infrastructures, where security policies are enforced even as virtual machines dynamically migrate between hardware devices. Deployed as a virtual appliance and integrated into vCenter Server, vShield Zones makes it easy to centrally manage and enforce compliance with security policies across large pools of servers and virtual machines. Built-in auditing capabilities make compliance straightforward and verifiable.
As an example, today you send network traffic to an external Network IDS/IPS box which becomes a chokepoint. With this feature all that traffic can be handled internal to the virtual infrastructure. Similarly, there is also the capability for packet/protocol monitoring to be on the alert for SQL insertion or other data oriented attacks. By combining multiple layers of the security “onion” within the virtual infrastructure you can more easily pass security and compliance audits will eliminating much of the costs associated with these activities.
