Security is not just about the perimeter any more. Not when you have applications virtualised in the cloud, each with their own policies.
Bruce Davie, vice president and chief technology officer of VMware Asia Pacific and Japan, talked to us about how organisations can secure themselves in a multi-cloud era, how they can adapt their existing strategies to serve security, and why they need to be more agile in their approach.
Davie comes from a networking background within the company, but since the 2012 acquisition of Nicira, VMware has been fusing security and networking together through software-defined networking, and the two are now tightly coupled.
For its NSX product, VMware uses its direct relationships with customers to build an understanding of the product first; once that understanding exists, NSX is sold through the channel.
Maintaining security across private, hybrid and public clouds as well as the data centre can be a challenge, because each provides different networking and security capabilities. VMware's approach is to provide a common layer across all of them that can be managed according to each organisation's own policies.
"What we've realised is that we have a bigger security opportunity than what we do with network virtualisation. We are in the middle of everything applications are doing," Davie says.
"If somebody provisioned the virtual machine (VM) to be a web server, you know the processes it should be running, you know what typical behaviour looks like, and you can monitor that from within the hypervisor. If it starts doing something that isn't a web server, you can actually raise an alert. We're moving beyond the network view of security to an IT-wide view of security where the virtualisation layer can be used to really change security."
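The role-based monitoring Davie describes above, as an added example (not VMware or NSX code): the VM was provisioned as a web server, so the processes it should run are known in advance, and a hypervisor-side view of the process tree can flag anything outside that baseline, or a web-server worker that spawns a shell. The process snapshot is constructed, and the role baseline and the `Proc` structure are assumptions for the illustration.

```python
"""Role-based process baselining: a VM provisioned as a web server has a known
set of processes, so anything outside that set, or a web-server process
spawning a shell, is worth an alert.

Added illustration, not VMware or NSX code. The process snapshot is
constructed, and the role baseline is an assumption for the example.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    exe: str   # resolved path of the executable
    user: str


# Assumed baseline for the "web" role: executables expected on the guest, plus
# the service binaries that must never have an interactive shell as a child.
ROLE_BASELINES = {
    "web": {
        "allowed": {
            "/usr/lib/systemd/systemd", "/usr/sbin/sshd", "/usr/sbin/nginx",
            "/usr/sbin/rsyslogd", "/usr/sbin/cron",
        },
        "no_shell_from": {"/usr/sbin/nginx"},
    },
}

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/python3", "/usr/bin/perl"}


def analyse(role: str, procs: list[Proc]) -> list[str]:
    """Return one alert per deviation from the role's baseline.

    Two checks: (1) an executable not in the allow-list for this role;
    (2) a shell whose parent is a service that should never spawn one,
    the classic footprint of a web shell or remote code execution.
    """
    baseline = ROLE_BASELINES[role]
    by_pid = {p.pid: p for p in procs}
    alerts: list[str] = []
    for p in procs:
        if p.exe not in baseline["allowed"]:
            alerts.append(f"unexpected process {p.exe} (pid {p.pid}, user {p.user}) on {role} VM")
        parent = by_pid.get(p.ppid)
        if parent is not None and parent.exe in baseline["no_shell_from"] and p.exe in SHELLS:
            alerts.append(f"{parent.exe} (pid {parent.pid}) spawned shell {p.exe} (pid {p.pid})")
    return alerts


# Constructed snapshot, as a hypervisor-side agent might report it: a healthy
# nginx tree, then an nginx worker that has spawned a shell which in turn
# launched an unknown binary from /tmp.
SNAPSHOT = [
    Proc(1, 0, "/usr/lib/systemd/systemd", "root"),
    Proc(410, 1, "/usr/sbin/sshd", "root"),
    Proc(415, 1, "/usr/sbin/rsyslogd", "syslog"),
    Proc(622, 1, "/usr/sbin/nginx", "root"),
    Proc(623, 622, "/usr/sbin/nginx", "www-data"),
    Proc(9012, 623, "/bin/sh", "www-data"),
    Proc(9013, 9012, "/tmp/.cache/agent", "www-data"),
]

HEALTHY = SNAPSHOT[:5]


if __name__ == "__main__":
    for line in analyse("web", SNAPSHOT):
        print("ALERT:", line)
```

The healthy part of the snapshot produces no alerts; the shell under the nginx worker trips both checks, and the binary it launched trips the allow-list check, so the compromise surfaces three times from one process listing.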
Traditional security relies on large, flat zones of trust in which everything can communicate with everything else. That design is what attackers have exploited to get malware into those zones and spread within them.
"The basic problem is that we've focused a lot of energy on securing the perimeter of the data centre to prevent anything bad getting in. But the attacker only has to be successful once and the perimeter has to be successful 100% of the time defending against those attacks. In any enterprise today, there's data that somebody will pay money for," he says.
Davie believes organisations have been securing the wrong thing. The perimeter is the thing you can see, but it is an illusion: in the modern world applications run in the cloud, on SaaS platforms and on AWS, well outside any single boundary.
Securing such a diffuse perimeter is not practical. Davie says the focus should instead be on protecting the data, the users and the applications.
"Virtualisation is not arbitrary communication between a set of things in a zone. It's a specific communication path between this VM and that VM. This is what we call micro-segmentation: The ability to precisely define exactly what can communicate with what."
Davie's argument is that applications should sit on top of a virtualisation layer, which in turn sits on top of the physical infrastructure. Businesses care about the applications, and it is the virtualisation layer that supports them, so that is where security can be applied.
"If there are three VMs that constitute an application and I want to put a wrapper around those and say 'if anything wants to come through here, it has to come through a very specific entry point'."
"Virtualisation gives you a set of tools for what access exists for a particular piece of data. That is much more sensitive than trying to control physical infrastructure."
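The micro-segmentation Davie describes in the quotes above, as an added example (not NSX code or its policy format): each permitted path is stated explicitly, the three-VM application gets a single entry point, and everything else is denied. For contrast, the same traffic is evaluated against a flat-zone model with a perimeter firewall. The VM inventory, the tag names and the sample flows are constructed assumptions for the illustration.

```python
"""Micro-segmentation versus a flat trust zone: rather than letting every VM in
a zone talk to every other, each permitted path is stated explicitly (this VM
to that VM, on this port) and everything else is denied.

Added example, not NSX code or its policy format. The VM inventory, tags and
flows below are constructed; tag names are assumptions for the illustration.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


@dataclass(frozen=True)
class Rule:
    """Allow traffic when every src tag is on the source and every dst tag is
    on the destination. Tags rather than IP addresses let the policy follow
    the workload when it moves."""
    src: frozenset[str]
    dst: frozenset[str]
    port: int


# Constructed inventory: a three-VM "shop" application and an unrelated HR
# front end that happens to live in the same network zone.
VM_TAGS = {
    "web-1": frozenset({"app:shop", "tier:web"}),
    "app-1": frozenset({"app:shop", "tier:app"}),
    "db-1":  frozenset({"app:shop", "tier:db"}),
    "hr-1":  frozenset({"app:hr", "tier:web"}),
}


def tags_of(vm: str) -> frozenset[str]:
    # Anything not in the inventory is outside the virtualised estate.
    return VM_TAGS.get(vm, frozenset({"external"}))


# The "wrapper" around the application: one entry point from outside, then
# only the expected hops between tiers of the same application.
MICROSEG_RULES = [
    Rule(frozenset({"external"}), frozenset({"app:shop", "tier:web"}), 443),
    Rule(frozenset({"app:shop", "tier:web"}), frozenset({"app:shop", "tier:app"}), 8080),
    Rule(frozenset({"app:shop", "tier:app"}), frozenset({"app:shop", "tier:db"}), 5432),
]


def microseg_allows(flow: Flow, rules: list[Rule] = MICROSEG_RULES) -> bool:
    """Default deny: permitted only if some rule matches source, destination and port."""
    s, d = tags_of(flow.src), tags_of(flow.dst)
    return any(r.src <= s and r.dst <= d and r.port == flow.port for r in rules)


# The traditional model for comparison: a perimeter firewall admitting 443 to
# the DMZ, and flat trust zones behind it.
ZONES = {"web-1": "dmz", "hr-1": "dmz", "app-1": "internal", "db-1": "internal"}


def flat_zone_allows(flow: Flow) -> bool:
    src_zone = ZONES.get(flow.src, "outside")
    dst_zone = ZONES.get(flow.dst, "outside")
    if src_zone == "outside":
        return dst_zone == "dmz" and flow.port == 443
    return dst_zone != "outside"   # anything inside may reach anything inside


def lateral_exposure(flows: list[Flow]) -> list[Flow]:
    """Flows the flat-zone model permits but micro-segmentation would block."""
    return [f for f in flows if flat_zone_allows(f) and not microseg_allows(f)]


# Constructed traffic: the legitimate request path, then three moves an
# attacker on a compromised web server would try.
FLOWS = [
    Flow("internet", "web-1", 443),
    Flow("web-1", "app-1", 8080),
    Flow("app-1", "db-1", 5432),
    Flow("web-1", "db-1", 5432),   # skip the app tier, go straight for the data
    Flow("web-1", "app-1", 22),    # SSH to a peer instead of the service port
    Flow("hr-1", "app-1", 8080),   # cross-application access from the same zone
]


if __name__ == "__main__":
    for f in FLOWS:
        print(f"{f.src:>8} -> {f.dst}:{f.port:<5} flat={flat_zone_allows(f)!s:5} microseg={microseg_allows(f)}")
```

The legitimate path is allowed by both models. The three lateral moves are all permitted by the flat zones, because the DMZ and internal zones trust each other wholesale, and all denied by the tag-scoped rules, because no rule names that source, destination and port together. The `app:shop` tag on both ends of each rule is what keeps the HR front end out even though it shares a tier tag and a zone with `web-1`.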
Taking that message to C-level executives requires a strategic approach. Davie says they are thinking about moving quickly to avoid competitive disruption; public cloud is alluring, but at the same time they are concerned about the effects of hacking.
"The C-level wants his business to move faster and still wants all the things from the IT team like managing costs and staying compliant. Historically there has been conflict between moving quickly and being secure. The IT teams then have to figure out how to balance the two."
From internal IT teams to the security landscape in general, Davie says there are thousands of security vendors, many of which are VMware partners. It's not about trying to displace them, he says, but about leveraging each partner's strengths.
Whether it's using the hypervisor to provide data to an otherwise blind firewall or something else, Davie says it's about using VMs in ways that complement partners so they can do a better job. "We can not only change the way we approach security but the way our partners change security."
Security needs to change as the threat landscape does, and Davie says cloud is not the major risk it has been made out to be.
"There's a tendency to view the cloud as a security risk, but we should view the cloud as a security opportunity. We're now bringing technologies to the table that let you do a better job of security through virtualisation," he concludes.