The traditional enterprise security model is fundamentally broken. Much of this is due to a gap between:
- What we’re trying to protect: applications and data
- Where/how we place controls to protect it: security agents on machines and security controls on the wire
- And the complexity of our hyper-connected infrastructure
To understand why, consider the following example. Imagine securing a company whose employees are all housed in a single skyscraper and who are the only tenant in that building. The guards at the front door govern access into the building and keep an eye on what looks odd in the lobby—both of which are relatively straightforward tasks. Now imagine distributing those employees so they occupy parts of floors in different buildings all over the city. And imagine we fill the remainder of each building with employees of other companies. Now buildings have employees from all different kinds of organizations—a bank, a bar, a branch office, and a bowling alley. Access control and determining what looks weird in the lobby is suddenly exponentially more complicated.
According to Tom Corn, VMware’s senior vice president and GM of security products, this hypothetical is the perfect analogy for the challenges enterprises face when securing their applications and data.
Modern data centers co-mingle thousands of applications on a common shared infrastructure, Corn says. And very few of those applications exist as monolithic stacks (the “single skyscraper” model). Applications are now distributed systems. And as application architectures shifted from monolithic stacks to distributed systems, the ability to identify and secure an application via security controls that understand a single machine or a single network link began to unravel. The result? It’s impossible to align controls and policies to what you are actually trying to protect. It has become next to impossible to contain breaches to limited portions of our environments. And environments have become so complex that managing policy and investigating attacks becomes intractably complex.
The net result is a security model that is simply not working, and where the only thing that exceeds the growth in enterprise security spending is the growth in enterprise security losses.
But a solution is on the horizon, and much of it goes back to basics: focus on risk, focus on the applications and data, focus on cyber hygiene. These concepts are not new. What is new is the ability to make them operational. That is the security value of the software-defined data center.
Emphasizing his point, Corn says, “Reimagining the infrastructure without reimagining security would be the largest missed opportunity in the history of IT.”
A Revolution in Infrastructure
Virtualization gives organizations the ability to think differently about security. As a relatively ubiquitous abstraction layer that sits between physical infrastructure below it and the applications and data above it, it enables us to see, manage, and secure the infrastructure through the lens of the application. And it allows us to do so without having to rearchitect the applications or physical infrastructure.
For example, network virtualization enables micro-segmentation, where we can essentially compartmentalize the machines that compose an application or regulatory scope—giving it its own “virtual data center.” The result: control placement and policies are simpler, lateral movement is harder, and misconfigurations and misalignments are dramatically reduced.
Application control can also be reimagined via compute virtualization. The virtualization layer is in position to see both what’s running and what was provisioned (what was intended to run). It can see this not just on a per-machine basis, but on a distributed-system basis, factoring in how processes communicate across machines. Virtualization can be leveraged as a flexible enforcement point, so deviations from intended state can be responded to automatically. And it can do all of this from a far safer position than an agent in the guest.
Thinking Differently About Security
The notion of using the virtual fabric as a security layer is what we refer to as “secure infrastructure.” The general idea is to use it for three things:
- Provide visibility into, and context for, the applications and regulatory scopes running on the infrastructure
- Set up compartmentalized, least-privilege environments around those applications and scopes
- Improve security controls by providing them with application context, enabling them to insert into and align to those boundaries, and enabling them to leverage the infrastructure as an enforcement point
A truly Software-defined Data Center can implement this at every layer of the stack:
- Network: At the virtual network layer you can compartmentalize or segment access around applications and regulatory scopes. You can also provide insertion points for security controls to align them to those boundaries. The work we’ve done with VMware NSX and micro-segmentation is focused on these dimensions.
- Compute: At the virtual compute layer you can establish a least privilege compute stack and enforce strict application control. This can eliminate an enormous amount of the attack surface. The work we’ve done with AppDefense is focused on these dimensions.
- Data: You can also leverage this “application lens” to focus and align encryption to the applications and data. The work we’ve done embedding encryption into the virtual fabric is focused on these dimensions.
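The network-layer part of that list, as an added example that is not NSX code or VMware's: workloads carry application and tier tags, a small rule set allows only the flows an application needs, and anything unmatched is denied. A rule action of "inspect" stands for the insertion point the text mentions, steering a flow through a security service before it is permitted. A blast-radius helper then shows how far a compromised workload could reach under the policy, which is the "lateral movement is harder" claim made measurable. Application names, tiers, ports and the rule set are constructed sample values.

```python
"""Micro-segmentation policy evaluation with default deny.
Added example with constructed data; not NSX/VMware code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    app: str
    tier: str


@dataclass(frozen=True)
class Rule:
    src_app: str
    src_tier: str
    dst_app: str
    dst_tier: str
    port: int
    action: str  # "allow", or "inspect" (steer through an inserted security service)


def _match(pattern, value):
    return pattern == "*" or pattern == value


def evaluate(rules, workloads, src_name, dst_name, port):
    """Return the policy action for one flow; unmatched flows are denied."""
    src, dst = workloads[src_name], workloads[dst_name]
    for r in rules:
        if (_match(r.src_app, src.app) and _match(r.src_tier, src.tier)
                and _match(r.dst_app, dst.app) and _match(r.dst_tier, dst.tier)
                and r.port == port):
            return r.action
    return "deny"


def blast_radius(rules, workloads, compromised):
    """Workloads transitively reachable from `compromised` over permitted flows.

    A flow counts as permitted if any rule port yields allow or inspect.
    """
    reached = set()
    frontier = [compromised]
    while frontier:
        cur = frontier.pop()
        for name in workloads:
            if name in reached or name == compromised:
                continue
            if any(evaluate(rules, workloads, cur, name, r.port) != "deny"
                   for r in rules):
                reached.add(name)
                frontier.append(name)
    return reached


# Constructed inventory: two applications plus an edge load balancer.
WORKLOADS = {w.name: w for w in [
    Workload("edge-lb-1", "edge", "lb"),
    Workload("shop-web-1", "shop", "web"),
    Workload("shop-app-1", "shop", "app"),
    Workload("shop-db-1", "shop", "db"),
    Workload("hr-app-1", "hr", "app"),
    Workload("hr-db-1", "hr", "db"),
]}

# Constructed policy: only the flows each application needs, tier to tier.
RULES = [
    Rule("edge", "lb", "shop", "web", 443, "inspect"),
    Rule("shop", "web", "shop", "app", 8080, "allow"),
    Rule("shop", "app", "shop", "db", 5432, "allow"),
    Rule("hr", "app", "hr", "db", 5432, "allow"),
]


if __name__ == "__main__":
    for src, dst, port in [("shop-web-1", "shop-app-1", 8080),
                           ("shop-web-1", "shop-db-1", 5432),
                           ("hr-app-1", "shop-db-1", 5432),
                           ("edge-lb-1", "shop-web-1", 443)]:
        print(f"{src} -> {dst}:{port} = {evaluate(RULES, WORKLOADS, src, dst, port)}")
    for w in ("shop-web-1", "hr-app-1"):
        print(f"blast radius of {w}: {sorted(blast_radius(RULES, WORKLOADS, w))}")
```

With this policy the web tier cannot reach the database directly, the HR application cannot reach the shop database at all, and a compromised `hr-app-1` reaches only `hr-db-1`. The policy is written against application and tier tags rather than addresses, so it survives VMs being added, moved or re-addressed, which is the alignment to application boundaries the text is after.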
The result of all of this is a smaller attack surface, as environments move toward “least privilege” boundaries drawn around applications and data. The reduced complexity also means far better signal to noise, and far better context for every security control.
A New Security Paradigm
Virtualization is the key to enabling this new security model, as it allows one to overlay a security architecture and orchestrate controls and policy throughout the infrastructure.
“Security ceases to be something you bolt on,” Corn says. “But rather, something you architect-in. It creates a solid foundation—one that withstands the constant change that is inevitable in any infrastructure. Without this new foundation,” Corn continues, “organizations are building cities on quicksand.”
But by leveraging the virtualization layer to overlay a security architecture focused on applications and data, organizations can once again be on solid ground, and create a defensible position.
“It is time to change the way we defend our applications and data,” Corn concludes. “Security needs to be architected-in rather than bolted on. The ability to do just that may be one of the biggest value adds of the cloud yet. And these efforts may not make VMware a security company, but it just might make VMware the most important company for security.”