This year’s VMworld showed new directions for VMware, which previously seemed a bit disoriented in the cloud computing revolution.
Following up on their prior goal of being the Switzerland of software, VMware is aiming to become the universal middleware for physical and software-defined data centers, leveraging Dell’s deep partner ecosystem. And this is also evidenced in their efforts to partner with AWS as the first partner in a strategy of “any cloud and any workload” which will soon include Azure and Google Cloud.
Besides helping their customers to build fully-digital data centers in the cloud, VMware is also working on securing both the virtual plumbing and the virtual endpoints. This could be a new paradigm for digital security, according to CEO Pat Gelsinger at the opening keynote.
There were two key announcements made at VMworld that support this. First, the result of their often mentioned Project Goldilocks, an endpoint security app called AppDefense that leverages existing VMware infrastructure to monitor and alert when virtual endpoints change to unexpected states.
In part, AppDefense is about applying least privilege and white-listing security paradigms ubiquitously to virtual infrastructure.
“AppDefense delivers an intent-based security model that focuses on what the applications should do — the known good — rather than what the attackers do — the known bad. We believe it will do for compute what VMware NSX and micro-segmentation did for the network — enable least privilege environments for critical applications,” said Tom Corn, senior vice president of security products, VMware.
When a threat is detected, AppDefense leverages vSphere and VMware NSX to automate the correct response to the threat. For example, AppDefense can automatically:
Block process communication
Snapshot an endpoint for forensic analysis
Suspend the endpoint
Shut down the endpoint
Another major security tool for virtual infrastructure is NSX Cloud, a version built to provide network security for the hybrid cloud.
“We find it to be a positive development that VMware is delivering enhanced security capabilities to complement multi-cloud architectures. The opportunity to enforce consistent policies at the network layer through micro-segmentation is an attractive feature/benefit combination of NSX network virtualization. Although we have more to learn about AppDefense, the concept holds similar potential within virtual machine operating systems and applications. These technologies enable greater control ... by taking advantage of both public and private clouds and express the desire for workload mobility for reasons of rapid capacity expansion, data sovereignty isolation, disaster recovery, and more,” said Jon Rosenson, senior vice president at Expedient.
In his August 28 blog entry on the VMware web site, Alex Berger, product marketing manager, Networking & Security, wrote, “AppDefense is the other half of the puzzle. Whereas NSX prevents threats from moving freely throughout the network, AppDefense detects anything that does make it to an endpoint and can automatically trigger responses using through integration with NSX and vSphere.”
UNIVERSAL CLOUD PLUMBING
NSX, VMware’s network security offering for micro-segmentation, is becoming the glue that can build and integrate hybrid clouds. There are now two flavors: the on-prem version that runs with vSphere, and the new Cloud-Based as-a-Service NSX Cloud.
VMware Cloud on AWS uses multiple VMware products, including NSX for networking and security. NSX Cloud, on the other hand, focuses on workloads running natively in different public clouds, such as an Amazon EC2 for instance in the AWS cloud.
Since NSX Cloud is a service, it does not require NSX, or any VMware software, on-premises. VMware Cloud can replace tools that are specific to each public cloud like AWS CloudWatch and Azure Monitor.
In his VMware blog on August 28, “Introducing NSX Cloud,” Mark Schweighardt, director, product marketing, Networking & Security, wrote, “NSX Cloud provides an abstraction layer that is independent of the underlying cloud networking constructs. You can think of NSX Cloud as a way to bring your own enterprise networking management and controls to the public cloud. This gives IT more precise control over the networking topologies, traffic flows, IP addressing, and protocols used within and across public clouds. For example, IT can easily stretch NSX Cloud subnets to applications running across multiple regions or clouds.”
Taken together, these new offerings place VMware solidly in the cloud security arena.
According to Chris Williams, an Enterprise IT consultant at GreenPages in Kittery, Maine, VMware missed customers’ real needs in trying to launch their own cloud service. Instead, he said, nearly every customer wants to take their on-prem workload and move these up to any cloud without refactoring to AWS, or Azure, or Google, or any cloud. Williams likes the cloud partnership with AWS. “Marrying them together is like a dream come true.”
“VMware is uniquely positioned in data centers,” Williams said. “App Defense is a first shot at filling some of the blind spots other security companies miss. It looks like it will be very cool,” Williams added. “I still have more questions, but I like fact that you can use it to see anomalous behavior. For years I have been working with customers who needed info on their steady state. I think that VMware will figure out how to use this steady state info with other security partners.”
Evidence of initial integration partnerships came from Carbon Black and IBM, which announced links to AppDefense at VMworld. These partnerships incorporate VM-level detection data from AppDefense into security analytics.
Williams was also part of the dedicated vBrownBag group that held focused tech talks at VMworld. They have streamed these tech sessions live from VMworld for several years, but this year the sessions were listed in the conference schedule builder and attendance exploded at the vBrown Bag Tech Talks.
Many of this year’s VMworld tech talks will be posted on their YouTube channel. Visit vBrownBag.org for details.
“VMware is applying security in two areas, its own infrastructure and cloud infrastructure,” Jon Oltsik, senior principal analyst at ESG, told Mission Critical. “In this way, AppDefense complements traditional static security controls.”
“[NSX Cloud is] a good move for VMware controlling cloud and ESx policy and network segmentation centrally. The challenge is for organizations who are more aggressive with cloud and not as active with ESx,” Oltsik said.
“We do intrinsic digital security for the new digital enterprise. IT infrastructure is no longer held in the four walls of the data center. The infrastructure is everywhere. That is what our customers are facing now and we have a footprint in this entire infrastructure. We can help simplify and consolidate the way customers approach security,” said Chris Campbell, director, security solutions, VMware, summing up the company’s approach to the cloud.
Videos of the top sessions of VMworld are now posted at http://bit.ly/2wQaWbe.