VMware at RSA: Architecture Is the Key to Protecting Apps and Data

The exhibit floor of this year’s RSA Conference in San Francisco last week was full of vendors pitching the latest security products. Tom Corn, VMware’s senior vice president of security products, was there to explain why VMware could become “one of the most important companies when it comes to security,” in a presentation titled “The Future State of Security Starts with Virtualization.”

Corn sees virtualization as fundamental to better security because it can close “the architectural gap” that currently makes it so difficult for companies to stay a step ahead of the bad guys. According to Corn, the most interesting question about virtualization “is not simply ‘How do we secure virtualization? How do we secure this new layer?’ but rather ‘How do we leverage virtualization to secure things?’ That’s where I think the most interesting promise of the virtual layer lies.”

VMware is investing heavily in new ways virtualization technology can be leveraged to improve management, operations, and security. “That’s where a lot of the unique value is that we can provide, and we take this role very seriously,” said Corn during his session.

As security pros, we’re often the last people to the table after the infrastructure’s been built out, and then we’re told to secure it. That’s an incredibly difficult thing to do.

Tom Corn, SVP of Security Products

Virtualization as the Organizing Framework for Security Innovations

Virtualization is a layer in between physical infrastructure and applications. As such it provides a map—an application-oriented lens into the infrastructure—which enables IT to align security controls to protecting what matters most: the application and data. Virtualization is also the most ubiquitous infrastructure layer ever. It covers compute, network and storage, and even spans across clouds. Implementing security in the virtualization layer provides controls that can move with the application—no matter where it goes.

VMware NSX, which provides micro-segmentation, is a prime example of how virtualization transforms network security. At RSA, Corn gave a technology-preview demonstration of distributed network encryption, which extends the impact of virtualization to data security. “Encryption is not a bad solution, but operationally it’s such a pain to use,” said Corn, because you have to make sure it doesn’t interfere with things like deep packet inspection of data flowing through the network.

Distributed network encryption will address the complexity of applying encryption broadly, making it available where it’s needed without disrupting operations. It will protect east/west (VM-to-VM) traffic from sniffing and spoofing attacks, using VMware NSX network virtualization to apply encryption, integrity, and authenticity checks, with drag-and-drop management of rules, keys, and remediation workflows. This is important because a hacker typically starts by gaining entry to a non-critical part of the infrastructure. Once inside the network, he or she can go looking for other, more lucrative areas to exploit, often undetected where the internal security of the network is weak—a scenario Corn said is not that unusual.

He noted that today’s networks are far more complex, with thousands of disparate applications running across web, app, and database servers, which makes it difficult to align security controls. As a result, once a network has been compromised, it is relatively easy to move around inside it.

Corn said distributed network encryption will let security admins easily apply—via point, click, and drag—default policies for protecting data in flight or at rest. “Any traffic that goes through these controls gets encrypted, authenticated, and decrypted on the other end,” explained Corn. “We’re protecting the whole thing in transit, but the whole ecosystem doesn’t have to worry about not seeing encrypted traffic,” so you can still do, for example, comprehensive deep packet inspection.
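The two paragraphs above describe the model at a high level: security groups rather than addresses select which east/west flows get protected, the sending side encrypts and authenticates, the receiving side verifies and decrypts, and inspection tools still see plaintext. The simulation below is an added example written for this post; it is not VMware or NSX code and does not reflect NSX’s data model, key management, or cipher choices. The VM inventory, group names, policy rules, and keys are constructed, the encrypt-then-MAC scheme built on HMAC-SHA256 is a toy construction chosen so the example runs with only the Python standard library, and the placement of decryption before inspection is an assumption about where such a control would sit.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed inventory: VM name -> security group. Group-based tagging is
# assumed here to illustrate policy that follows the workload.
VM_GROUPS = {
    "web-01": "web",
    "app-01": "app",
    "db-01": "db",
}

# Constructed policy: east/west flows (source group, destination group) that
# must be encrypted and authenticated. Unmatched flows pass in the clear.
ENCRYPT_RULES = {("web", "app"), ("app", "db")}

# Constructed per-rule keys. A real platform would distribute and rotate these.
SEGMENT_KEYS = {rule: os.urandom(32) for rule in ENCRYPT_RULES}

NONCE_LEN = 12
TAG_LEN = 32


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one segment key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy construction for the example)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(payload: bytes, key: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = nonce or os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    stream = _keystream(enc_key, nonce, len(payload))
    ciphertext = bytes(p ^ k for p, k in zip(payload, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect(packet: bytes, key: bytes) -> Optional[bytes]:
    """Verify integrity/authenticity, then decrypt. Returns None on any failure,
    which is what a tampered or spoofed packet looks like to the receiver."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def policy_for(src_vm: str, dst_vm: str) -> Optional[Tuple[str, str]]:
    """Resolve the encryption rule for a flow from its source and destination groups."""
    rule = (VM_GROUPS[src_vm], VM_GROUPS[dst_vm])
    return rule if rule in ENCRYPT_RULES else None


def deliver(src_vm: str, dst_vm: str, payload: bytes, inspect=None) -> Tuple[bytes, Optional[bytes]]:
    """Simulate sending hypervisor -> wire -> receiving hypervisor.
    Returns (bytes visible on the wire, plaintext handed to the destination VM or None)."""
    rule = policy_for(src_vm, dst_vm)
    on_wire = protect(payload, SEGMENT_KEYS[rule]) if rule else payload
    # Assumed placement: the receiving side verifies and decrypts before any
    # inspection hook runs, so deep packet inspection still sees plaintext.
    delivered = unprotect(on_wire, SEGMENT_KEYS[rule]) if rule else on_wire
    if delivered is not None and inspect is not None:
        inspect(src_vm, dst_vm, delivered)
    return on_wire, delivered


if __name__ == "__main__":
    seen = []
    wire, plain = deliver("web-01", "app-01", b"GET /api HTTP/1.1", inspect=lambda s, d, p: seen.append(p))
    print("on wire contains payload:", b"GET /api" in wire)   # False: sniffing sees ciphertext
    print("inspection saw plaintext:", seen == [plain])      # True
    forged = bytearray(wire)
    forged[20] ^= 0x01                                       # one flipped ciphertext byte
    print("tampered packet accepted:", unprotect(bytes(forged), SEGMENT_KEYS[("web", "app")]) is not None)
```

The inspect hook stands in for whatever sees the traffic after the receiving hypervisor has verified and decrypted it; moving that hook before the `unprotect` call is the operational problem Corn describes, where inspection tools would be blind to the encrypted flow.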

VMware NSX Tops the Charts

Also at RSA Conference, Guido Appenzeller, Chief Technology Strategy Officer, NSBU at VMware, discussed the benefits of VMware NSX. One is the ability to automate the configuration of networks.

“How we create apps has changed; the application is the network and that creates challenges,” said Appenzeller. When you manually provision, set up multiple servers, configure routers and firewall rules, there is always the chance for errors. “It takes a long time, and the process is error prone, which means there is the potential for introducing security vulnerabilities,” noted Appenzeller.

But VMware NSX lets you automate configuration of networks, and once that’s done you have a template with which to work. Appenzeller said one customer used NSX to help with the migration of the data center of a company it recently acquired. “With 12 templates they covered 80 percent of the hundreds of applications they were migrating over,” he said. “It was a much easier process.” This could be why, as Corn later announced, NSX may soon supplant the incredibly successful vSphere platform as VMware’s fastest growing product ever.

You can view Corn’s full session at RSA here, and Appenzeller’s full session here. You can also read a recap and view highlights of CEO Pat Gelsinger’s RSA keynote here.