Security Innovations: Architecture Is Key to Protecting Apps and Data

Tom Corn sees virtualization as fundamental to security innovations.

Virtualization can close “the architectural gap” that currently makes it so difficult for companies to stay a step ahead of the bad guys. According to Corn, VMware Senior Vice President of Security Products, the most interesting question about virtualization “is not simply ‘How do we secure virtualization? How do we secure this new layer?’ but rather ‘How do we leverage virtualization to secure things?’ That’s where I think the most interesting promise of the virtual layer lies.”

VMware invests heavily in new ways of improving management, operations, and security with virtualization technology. “That’s where a lot of the unique value is that we can provide, and we take this role very seriously,” said Corn during his session.

As security pros, we’re often the last people to the table after the infrastructure’s been built out, and then we’re told to secure it. That’s an incredibly difficult thing to do.

Tom Corn, SVP of Security Products

Virtualization as the Organizing Framework for Security Innovations

Virtualization is a layer in between physical infrastructure and applications. As such, it provides a map—an application-oriented lens into the infrastructure—which enables IT to align security controls with protecting what matters most: the application and its data. Virtualization is also the most ubiquitous infrastructure layer ever. It covers compute, network, and storage, and even spans clouds. Implementing security innovations in the virtualization layer provides controls that can move with the application—no matter where it goes.

VMware NSX, which provides the ability to do micro-segmentation, is a perfect example of how virtualization transforms network security. Corn showed that distributed network encryption technology extends the impact of virtualization to transforming data security.

“Encryption is not a bad solution, but operationally it’s such a pain to use,” says Corn. IT must ensure encryption does not interfere with things like deep packet inspection of data flowing through the network.

Distributed network encryption addresses the complexity of applying encryption broadly, making it available where it is needed without disrupting operations. It will protect east/west (VM-to-VM) traffic from sniffing and spoofing attacks. It uses NSX network virtualization to apply encryption, integrity, and authenticity checks, with drag-and-drop management of rules, keys, and remediation workflows. This matters because an attacker typically starts by gaining entry to non-critical parts of the infrastructure. Once inside the network, he or she can go looking for other, more lucrative areas to exploit, often going undetected where the internal security of the network is weak—a scenario Corn said is not that unusual.

He notes that networks today are so much more complex, with thousands of disparate apps running on web, app, and database servers that make it difficult to align security controls. As a result, once the network is compromised, it is relatively easy to move around.

Corn said distributed network encryption will let security admins easily apply—via point, click, and drag—default policies for protecting data in flight or at rest. “Any traffic that goes through these controls gets encrypted, authenticated, and decrypted on the other end,” explained Corn. “We’re protecting the whole thing in transit, but the whole ecosystem doesn’t have to worry about not seeing encrypted traffic,” so you can still do, for example, comprehensive deep packet inspection.

The Changing Nature of Apps

“How we create apps has changed; the application is the network and that creates challenges,” says Guido Appenzeller, VMware Cloud and Networking CTO.

When you manually provision and set up multiple servers, and configure routers and firewall rules by hand, there is always a chance for errors. “It takes a long time, and the process is error prone, which means there is the potential for introducing security vulnerabilities,” says Appenzeller.

NSX lets you automate configuration of networks, and once that’s done you have a template with which to work. Appenzeller said one customer used NSX to help with the migration of the data center of a company it recently acquired. “With 12 templates they covered 80 percent of the hundreds of applications they were migrating over,” he said. “It was a much easier process.”
