European firms see value in ‘known good’ approach to security

In a drive to capitalise on its market position in virtualisation software, VMware is seeking to make inroads into the security market by supporting a new approach to security that focuses on applications and enabling developers and employees to work unimpeded by security.

To support this approach, VMware recently launched the industry’s first service-defined firewall to protect apps and data on-premise and in the cloud by drawing on VMware NSX and VMware AppDefense to combine application visibility and understanding of known good application behaviour with intelligent, automated and adaptive firewalling capabilities.

According to the official announcement, VMware’s service-defined firewall is an internal firewall system that locks down “known good” behaviour at the network and host level to reduce the attack surface by disallowing anything that does not conform to that “known good” behaviour.  

Businesses should focus on what is good about their security strategy because battling the bad is a fight that organisations will never win, according to Tom Gillis, senior vice-president and general manager of VMware’s networking and security business unit.

“This approach represents a more practical and ultimately successful method for security moving forward because the best security is the simplest security, and a lot of the known good is common sense,” he told Computer Weekly.

“We all know that binary files on production servers should never be modified, but when an attacker is able to escalate their privileges to administrator, they have full control – and that simple fact has allowed attackers to penetrate a server and maintain a presence for months.

“They can break in and stay in because they can manipulate the infrastructure – and by focusing on the known good, we can make it much harder for them to maintain persistence in the network. They are always going to find a way to crack a particular server – we want make sure they can’t stay in.”  

Most modern organisations are seeking to tap into the cost and flexibility benefits of cloud computing, but typically have a mix of private, public and hybrid cloud environments, and enforcing security policies automatically and consistently across all of these has been a top area of focus for VMware.

“Many customers understand and accept the ‘security as software’ concept, but they need to apply it across a variety of cloud environments,” said Gillis. “So we have spent the last 18 months decoupling NSX from our ESX hypervisor and it now runs everywhere you would want, covering 90% of enterprise computing platforms to provide a consistent level of security.”

A single central control pane is aimed at enabling enterprise security and network teams to set security policies and deal with exception in one place and then push them to tens of thousands of computers wherever they are running.

This security-focused evolution of VMware’s technology incorporates and builds on the capability that VMware calls “adaptive micro segmentation”, which uses VMware’s knowledge of the application and its virtualisation capability to be able to generate firewall rules automatically.

Gillis said the service-defined firewall takes the streamlined process of creating those internal barriers to the next level to create an internal firewall that can understand and inspect not just the obviously bad traffic, but also allows organisations to inspect legitimate traffic coming through normal channels to determine whether it is real user behaviour or a bot trying to steal data.

“And so we are able to identify the known good patterns of behaviour in all aspects of the network traffic for internal communication,” he said.

“For an internal firewall, when you are dealing with server-to-server traffic – these are not unknown hosts – these are extremely well-known hosts. We know everything about this application, and so it allows us to be very prescriptive about what these hosts should be doing and therefore identify things that are outside of that envelope of ‘known good’ and it allows us to distribute this internal firewall everywhere the application resides.

“So we are not hair-pinning traffic over to some magic box that’s figuring out yes or no – we build this into the software, into the hypervisor and it runs everywhere the application runs.”

As a result, said Gillis, organisations are able to provide the same self-service experience for developers on private clouds and on-premise infrastructure that they get with public clouds, where things are highly automated.

“A developer can launch a full workload with a single click, without opening any tickets, without getting any help from IT, and by making security policies part of the software development pipeline,” said Gillis. “Any time a developer wants to launch a new workload, that policy is already part of the code base and it is automatically deployed.

“It allows businesses to move at the speed of their software developers and not be tied down to a ticketing system where it takes weeks to open a firewall instead of a fraction of a second.”

This is enabled by the fact that all stakeholders can agree on what the policy is ahead of time that is coded up in software through NSX and then, when a developer wants to launch a new workload, they just click a button because those policies are pre-defined and available in software.

“European customers in particular are saying that is awesome because they want that flexibility, agility and innovation, but need it to reside in their datacentre because of Europe’s privacy laws and security concerns and there is frequently an economic advantage to doing it yourself,” said Gillis.

“We enable organisations to have that level of automation in whatever form of cloud they choose, but with a consistent set of security controls that are all fully automated.”