In this interview, Chris King, Vice President of the Product Marketing, Networking, and Security Business Unit at VMware, discusses how a software-defined data center (SDDC) approach delivers breakthrough advances in data center agility, security, and speed.
SDxCentral: Is it possible to migrate your IT resources to virtualized environments while maintaining security and compliance control?
King: Absolutely – and even improve security while decreasing time and cost to compliance. Compute virtualization already has a large footprint in the industry, and customers have made the transition with great success, even for critical, regulated, and security-sensitive workloads. Network virtualization does for the network what server virtualization did for the compute infrastructure.
There is one interesting addition to the known benefits of virtualization, which include more efficient use of resources, provisioning speed and agility, and simplified and more efficient operations. Network virtualization delivers a data center networking environment that is fundamentally more secure. With network virtualization, security is built into the network itself!
Isolation and segmentation are accepted approaches to limiting scope. Hardware networks could be built with air gaps and heavy use of east-west firewalling, but this has been rejected by most organizations as too cumbersome, costly, and sluggish for modern data center environments. In contrast, virtualized networks are isolated from each other and from the physical network by default, and they enable software-based network micro-segmentation without significant operator overhead.
This enables organizations to segment data center networks based on logical instead of physical boundaries (applications and compliance scopes instead of physical network location) and to automate the alignment of controls and policies to those logical boundaries. All of this dramatically simplifies costs and complexity of compliance. Ultimately, software-defined data centers (SDDCs) and network virtualization enable us to create “least privilege” or zero-trust environments that are easier to secure and harder to breach.
SDxCentral: What are some considerations for how to best support security and networking teams when migrating to SDDC environments?
King: The vision of the SDDC (across compute, network, storage, security, and operations) encompasses a data center environment that enables organizations to spin up entire application environments that are connected, provisioned, secure, and operational – in minutes.
Obviously, NSX focuses on the networking and security aspect. NSX network virtualization overlays onto any existing networking infrastructure and works with any topology – from traditional three-tier to next-generation fabric architectures. Similarly, networking and security operators can continue to use familiar tools and workflows. In fact, separation of duties between the NSX operator and network operators and security operators is fully preserved, so SDDCs using NSX require minimal changes to the physical infrastructure or to administrative domains.
To enable companies to optimize the deployment of their SDDC environments, VMware has worked closely with its NSX customers to develop a multi-dimensional operational plan that spans people, processes, organizational structures, tooling, architecture, and infrastructure to define a set of best practices. These best practices are templates based on customer production experiences that you can adapt to your company’s specific characteristics, objectives, and success metrics. (Please find a summary here.)
SDxCentral: What’s the impact of micro-segmentation on the day-to-day operations of security operations teams when moving to an SDDC?
King: With the exception of the policy definition phase – when the security policy for an application is defined to specify application type, risk profile, compliance and regulatory requirements, etc. – the deployment and ongoing management of micro-segmentation has no impact on day-to-day operations of security operations teams.
Policy definition is an upfront activity performed by security architects with the benefit of the application owner’s guidance. Once completed, security operators can leverage NSX micro-segmentation for automating control and visibility of workloads in virtual environments. They can implement security controls for every workload as defined by policy; automatically assign security groups and policy-based context rather than just physical topology; and do policy updates based on context from advanced services such as malware or vulnerability assessment.
Another advantage of micro-segmentation is that security operators can automatically provision security services at the same time that virtual machines are provisioned – so for the first time there is no lag, and applications can be rapidly deployed.
NSX micro-segmentation makes it possible for security operations teams to scale, simplify, and de-risk their security operations without disruption to their existing tools or operations. The NSX distributed platform enables transparent insertion of partner services, and VMware has teamed with best-of-breed partners to ensure that the products and tools that security teams use are integrated into the NSX platform.
We have partnered with HyTrust to enable granular security operations and segmentation of operator rules to ensure that only authorized operators can perform specific functions and policy updates. Operators can implement role-based access control policies, ensure operational and monitoring duties are separate, and provide control and visibility into operations on logical switches, routers, and firewalls.
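The policy model King describes in his first and third answers (segmentation on logical rather than physical boundaries, security-group membership derived from workload context, policy that follows a newly provisioned VM with no rule change, and re-scoping when a vulnerability scanner changes that context) can be made concrete with a small simulation. The following is an added example written for this page, not VMware or NSX code; the tag names, group names, rule names and IP addresses are constructed assumptions for illustration, and the rule semantics (first match wins, default deny at the workload edge) are a simplified model of a distributed firewall rather than a description of any vendor's implementation.

```python
"""Added illustration of tag-based micro-segmentation; not VMware NSX code.

Workloads carry tags (app, tier, compliance scope); security groups are tag
predicates; firewall rules reference groups, never addresses. The default
is deny, so a workload is isolated until a rule explicitly admits a flow.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Workload:
    name: str
    ip: str
    tags: Dict[str, str]


@dataclass
class SecurityGroup:
    """Dynamic group: membership is recomputed from tags on every lookup."""
    name: str
    match: Callable[[Dict[str, str]], bool]

    def contains(self, w: Workload) -> bool:
        return self.match(w.tags)


@dataclass
class Rule:
    name: str
    src: str             # security group name, or "any"
    dst: str             # security group name, or "any"
    port: Optional[int]  # None matches any destination port
    action: str          # "allow" or "deny"


class DistributedFirewall:
    """First-match rule table evaluated per workload, default deny."""

    def __init__(self, groups: List[SecurityGroup], rules: List[Rule]):
        self.groups = {g.name: g for g in groups}
        self.rules = rules

    def _in(self, group: str, w: Workload) -> bool:
        return group == "any" or self.groups[group].contains(w)

    def evaluate(self, inventory: List[Workload], src_ip: str,
                 dst_ip: str, port: int) -> Tuple[str, str]:
        by_ip = {w.ip: w for w in inventory}
        src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
        if src is None or dst is None:   # unknown endpoint stays isolated
            return "deny", "default"
        for r in self.rules:
            if (self._in(r.src, src) and self._in(r.dst, dst)
                    and (r.port is None or r.port == port)):
                return r.action, r.name
        return "deny", "default"


def tier_of(app: str, tier: str) -> Callable[[Dict[str, str]], bool]:
    """Predicate for 'workload belongs to application <app>, tier <tier>'."""
    return lambda tags: tags.get("app") == app and tags.get("tier") == tier


def build_policy() -> DistributedFirewall:
    groups = [
        SecurityGroup("shop-web", tier_of("shop", "web")),
        SecurityGroup("shop-app", tier_of("shop", "app")),
        SecurityGroup("shop-db", tier_of("shop", "db")),
        # Scanner context: a "vuln=critical" tag moves a VM into quarantine.
        SecurityGroup("quarantine", lambda tags: tags.get("vuln") == "critical"),
    ]
    rules = [  # assumed rule set; quarantine rules are ordered first
        Rule("quarantine-in", "any", "quarantine", None, "deny"),
        Rule("quarantine-out", "quarantine", "any", None, "deny"),
        Rule("web-to-app", "shop-web", "shop-app", 8443, "allow"),
        Rule("app-to-db", "shop-app", "shop-db", 5432, "allow"),
    ]
    return DistributedFirewall(groups, rules)


def demo() -> Dict[str, Tuple[str, str]]:
    """Runs the interview's scenarios against constructed sample workloads."""
    inv = [
        Workload("web1", "10.0.1.10", {"app": "shop", "tier": "web"}),
        Workload("app1", "10.0.1.20", {"app": "shop", "tier": "app"}),
        Workload("db1", "10.0.1.30", {"app": "shop", "tier": "db", "compliance": "pci"}),
        # Another application on the same subnet: the boundary is logical, not physical.
        Workload("hr-web", "10.0.1.40", {"app": "hr", "tier": "web"}),
    ]
    fw = build_policy()
    out = {}
    out["web->app"] = fw.evaluate(inv, "10.0.1.10", "10.0.1.20", 8443)
    out["web->db (lateral)"] = fw.evaluate(inv, "10.0.1.10", "10.0.1.30", 5432)
    out["hr-web->shop-app"] = fw.evaluate(inv, "10.0.1.40", "10.0.1.20", 8443)
    # Provision a second DB node: its tags place it in shop-db, no rule edit needed.
    inv.append(Workload("db2", "10.0.1.31", {"app": "shop", "tier": "db", "compliance": "pci"}))
    out["app->db2 (new VM)"] = fw.evaluate(inv, "10.0.1.20", "10.0.1.31", 5432)
    # Vulnerability assessment flags app1; the tag change re-scopes policy at once.
    inv[1].tags["vuln"] = "critical"
    out["web->app (quarantined)"] = fw.evaluate(inv, "10.0.1.10", "10.0.1.20", 8443)
    return out


if __name__ == "__main__":
    for flow, (action, rule) in demo().items():
        print(f"{flow:26} {action:5} ({rule})")
```

The two properties worth noticing are that no rule names an address, so `db2` is protected the moment it is tagged, and that the web tier cannot reach the database tier even though all four VMs share a physical subnet; a real deployment would additionally log the `default` denies, since an unexpected default hit is usually either a missing rule or an attempted lateral move.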
SDxCentral: We have discussed the impact of micro-segmentation on security, but how about compliance?
King: Network segmentation is inherently compliant. Most regulations and auditors recognize network segmentation as a legitimate means of limiting scope. NSX makes fine-grained network segmentation operationally feasible, enabling organizations to easily limit scope and automate controls across regulated workloads. NSX provides a consistent framework for attaching controls based on defined scopes – enabling the appropriate alignment of controls across multiple compliance targets on the same converged infrastructure.