Cyber security is a constant battle, but VMware is delivering on promises it made during VMworld 2017 to simplify the security burdens on enterprise.
iTWire attended VMware chief executive Pat Gelsinger’s keynote at the company’s annual event last year, where Gelsinger stated the tech industry had failed business, with too many security products across too many segments, with too much complexity to bridge it all together. “We need to restructure security. It has to be built-in and those many components have to go away and be native components with the infrastructure itself. It has to be intrinsically built-in,” Gelsinger said.
Gelsinger committed that VMware would transform cyber security from “chasing bad” to “ensuring good”, and this philosophy is being realised in VMware NSX for vSphere 6.4, among other products.
Specifically, VMware NSX 6.4 builds on micro-segmentation to now deliver context-aware micro-segmentation.
VMware saw the virtualisation layer as the ideal place to implement this critical defence capability because NSX is close enough to the application to gain valuable context and enforce granular security, while at the same time being separate enough from the application that NSX itself stays out of the attack surface if the application is maliciously exploited.
Beyond the architectural advantages of NSX, the product has been using attributes in the context of the application — like VM name, OS version, regulatory scope and more — to create policy. This approach enhances security, is more manageable, and can be automated, rather than basing policy on constructs like IP addresses, which may change often. VMware NSX for vSphere 6.4 takes this to a higher level by adding context-aware micro-segmentation, better securing applications using the full context of the application.
- Network flow app detection and enforcement at layer 7 – while NSX tools like Endpoint Monitoring look within the application, NSX now performs deep packet inspection to identify the application within the network flow. This means micro-segmentation policies from the network view don’t have to infer the application. NSX will start with a core set of over fifty common application signatures such as HTTP, SSH and DNS, and that set will grow over time.
- Virtual desktop and remote session security per user – securing virtual desktops is a popular starting point for micro-segmentation where no traffic should flow between virtual desktops. However, in many environments, multiple users run desktop sessions on a single host. NSX for vSphere 6.4 can implement security in these environments based on the user and what they should be able to access. This increases security for those environments and also opens the use case to a wider variety of environments such as Citrix and Microsoft’s remote desktop.
- Application Rule Manager – VMware is seeking to model the people and processes involved in NSX deployments and micro-segmentation, in addition to making policies more intuitive and application-driven. NSX for vSphere 6.4 brings with it tools to help users be successful in their deployment. Previously Application Rule Manager pushed policies directly into distributed firewalls, and now it includes smarts to suggest rules and suggest application security groups to help build more cohesive and manageable micro-segmentation security across the data centre. VMware reports one customer found it took one third of the time to micro-segment their applications with this release of Application Rule Manager compared with the previous version.
In addition, VMware NSX for vSphere 6.4 delivers many ease-of-use enhancements, simplifying the GUI, bringing dashboard and logging enhancements, and making many other operational improvements.
Other functionality includes new routing features, JSON support for custom automation, multi-site enhancements, scale improvements, greater resiliency, health check monitors, and many other improvements.
Security threats continue to evolve, but increasing sophistication of security controls is only half the battle – the solutions must also be simple to deploy and manage in order to operate at scale. VMware says these two goals were major design factors in NSX for vSphere 6.4, and it is generally available now.