VMware boosted its cloud-native security capabilities at VMworld with a new API security product and posture management services across Kubernetes clusters.
VMware Tanzu Service Mesh Enterprise edition discovers and secures APIs across multi-cloud environments, and it’s based on technology that VMware acquired last year when it bought Mesh7.
Mesh7 built a platform that collects and correlates contextual data from APIs, host processes, user identities, public cloud data-event logs, and threat intelligence, and then it continually monitors applications for any API vulnerabilities and behavioral changes that could indicate a breach.
Also, it’s built on Envoy, the open source proxy that serves as the data plane for many service meshes. This is particularly important to VMware because Envoy is a foundational component of its Tanzu Service Mesh, which provides connectivity and security for microservices across Kubernetes clusters and clouds.
VMware API Security
The new API security capabilities help both developers and security teams to better understand when, where, and how APIs are communicating. In a press conference with reporters, VMware security chief Tom Gillis likened it to the east-west security controls that VMware already provides for data center network traffic via its NSX networking and security portfolio. This includes a distributed security architecture that puts capabilities such as internal and web application firewalls, microsegmentation, intrusion detection and prevention systems, and network traffic analysis into the virtualization layer.
Now, with Tanzu Service Mesh, “we have east-west controls for containers,” said Gillis, SVP and GM for network and security at VMware. This technology gives VMware “the ability to look at the inner workings of a cloud-native application,” he added. “We have the ability to understand the APIs that these hundreds or thousands of microservices are using, and we can protect those APIs in a really unique way.”
API calls represent 83% of all web traffic, and because of this, securing APIs becomes increasingly important, which is why VMware bought Mesh7, Gillis said in an earlier interview with SDxCentral.
Kubernetes Security Posture Management
But in addition to providing visibility across and securing APIs, there’s another piece to securing cloud-native applications, Gillis said during the VMworld press conference. “Once this application gets up and running, how do we ensure that it stays secure throughout its lifecycle?”
For this piece, VMware announced that CloudHealth Secure State now provides Kubernetes Security Posture Management (KSPM), which includes visibility into misconfigurations across both Kubernetes clusters and connected public cloud resources. The Secure State KSPM feature supports 176 rules, including CIS Benchmark checks for managed services such as Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE).
“We have a unique Kubernetes Security Posture Management that allows us to understand what’s happening in running, and then ensure that we don’t have configuration drift and misconfiguration,” Gillis said. “From cradle to grave, we can ensure the security of the cloud-native portfolio.”
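To make concrete what a KSPM rule set and a drift check actually do, here is a small added example (not CloudHealth Secure State code, and not VMware’s rules). It evaluates pod manifests against a handful of controls of the kind found in the CIS Kubernetes Benchmark pod-security section and then reports which findings are new relative to a baseline snapshot. The rule names, the finding text and the three manifests are constructed for illustration.

```python
"""Illustrative KSPM-style posture checks and drift detection for Kubernetes pods.

Added example, not CloudHealth Secure State code. Rule names and finding
text are made up; the controls (no privileged containers, no host
namespaces, run as non-root, no privilege escalation, no auto-mounted
service account token) mirror CIS Kubernetes Benchmark pod-security items.
"""
from typing import Any, Callable, Dict, List

Pod = Dict[str, Any]              # a Pod manifest as yaml.safe_load() would return it
Findings = Dict[str, List[str]]   # rule name -> human-readable failures


def _containers(pod: Pod) -> List[Dict[str, Any]]:
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def check_privileged(pod: Pod) -> List[str]:
    return [f"container '{c['name']}' runs privileged"
            for c in _containers(pod)
            if c.get("securityContext", {}).get("privileged") is True]


def check_host_namespaces(pod: Pod) -> List[str]:
    spec = pod.get("spec", {})
    return [f"pod sets {flag}: true"
            for flag in ("hostPID", "hostIPC", "hostNetwork")
            if spec.get(flag) is True]


def check_run_as_non_root(pod: Pod) -> List[str]:
    # A container-level setting overrides the pod-level one; with neither, root is allowed.
    pod_level = pod.get("spec", {}).get("securityContext", {}).get("runAsNonRoot")
    findings = []
    for c in _containers(pod):
        own = c.get("securityContext", {}).get("runAsNonRoot")
        effective = own if own is not None else pod_level
        if effective is not True:
            findings.append(f"container '{c['name']}' may run as root")
    return findings


def check_privilege_escalation(pod: Pod) -> List[str]:
    # Kubernetes defaults allowPrivilegeEscalation to true unless it is set to false explicitly.
    return [f"container '{c['name']}' allows privilege escalation"
            for c in _containers(pod)
            if c.get("securityContext", {}).get("allowPrivilegeEscalation") is not False]


def check_sa_token(pod: Pod) -> List[str]:
    if pod.get("spec", {}).get("automountServiceAccountToken") is not False:
        return ["service account token is auto-mounted into every container"]
    return []


RULES: Dict[str, Callable[[Pod], List[str]]] = {
    "privileged-container": check_privileged,
    "host-namespaces": check_host_namespaces,
    "run-as-non-root": check_run_as_non_root,
    "privilege-escalation": check_privilege_escalation,
    "service-account-token": check_sa_token,
}


def evaluate(pod: Pod) -> Findings:
    """Run every rule against one pod; return only the rules that failed."""
    return {name: msgs for name, msgs in ((n, f(pod)) for n, f in RULES.items()) if msgs}


def drift(baseline: Findings, current: Findings) -> Findings:
    """Findings present now that the baseline snapshot did not have (new misconfigurations)."""
    out: Findings = {}
    for name, msgs in current.items():
        new = [m for m in msgs if m not in baseline.get(name, [])]
        if new:
            out[name] = new
    return out


# Constructed manifests (not taken from any real cluster).
HARDENED_POD: Pod = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "app", "image": "example/app:1.0",
                        "securityContext": {"allowPrivilegeEscalation": False}}],
    },
}
# The same pod after a privileged debug sidecar and hostPID were added "to troubleshoot".
DRIFTED_POD: Pod = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True},
        "hostPID": True,
        "containers": [{"name": "app", "image": "example/app:1.0",
                        "securityContext": {"allowPrivilegeEscalation": False}},
                       {"name": "debug", "image": "example/debug:1.0",
                        "securityContext": {"privileged": True}}],
    },
}
# A manifest that sets nothing and therefore inherits every insecure default.
BARE_POD: Pod = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bare"},
    "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]},
}

if __name__ == "__main__":
    baseline = evaluate(HARDENED_POD)
    current = evaluate(DRIFTED_POD)
    print("hardened:", baseline)
    print("drifted:", current)
    print("new since baseline:", drift(baseline, current))
    print("bare:", evaluate(BARE_POD))
```

The point of the `drift` step is the one Gillis makes above: a pod that passed at deploy time can fail later because someone edited the live object, so a posture tool keeps a baseline and flags only what changed rather than re-reporting known findings. Note that `check_run_as_non_root` and `check_privilege_escalation` treat an absent setting as a failure, because the Kubernetes defaults for both are the insecure ones.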
Hitting the EASE Button
VMware also today announced other updates to its security business, and this includes what it calls elastic application security edge, or EASE (pronounced “easy”). This enables the networking and security infrastructure at the data center or cloud edge to adjust as app traffic changes by using a combination of VMware’s data plane services for networking, security, and observability, along with its scale-out distributed architecture.
Gillis said this enables a customer’s EASE environment to grow and shrink as app needs change using software instead of hardware. “We can scale the app itself, but we also can scale the infrastructure — the firewall, the load balancer can get bigger or smaller to meet the needs of the application,” he explained. “It’s all done in software, you don’t have to go out [and] buy more expensive proprietary appliances.”
VMware also highlighted a series of capabilities that it says make protection against ransomware attacks faster to deploy. Carbon Black Cloud can now be enabled with a switch in vCenter. The vendor claims VMware Carbon Black Cloud records 1.2 trillion security events per day on average and helped stop more than 1 million ransomware attacks over a recent 90-day period.
Additionally, VMware Cloud Disaster Recovery helps customers recover their business more quickly following an attack and thus puts them in a better position to avoid paying the ransom, according to the vendor.
VMware SASE Gets a CASB
For distributed workforce security, VMware’s secure access service edge (SASE) platform added an inline cloud access security broker (CASB) service for visibility and control over app access. This allows customers to apply role-based access policies to cloud-delivered apps and identify unsanctioned apps.
In the future, VMware plans to add data loss prevention capabilities to help organizations better comply with HIPAA, GDPR, PCI DSS and other data protection requirements by preventing sensitive data from leaving predefined environments.
Additionally, a new Workspace ONE compliance engine can run thousands of posture checks on devices, operating systems, and apps. VMware says this enforces a desired state and can perform remediation with minimal impact on end-user experience. VMware Carbon Black also integrates with Workspace ONE and is now optimized for Horizon virtual desktop infrastructure (VDI) environments.
And finally, VMware and Intel are working on a product they say will help secure edge environments starting from the silicon and extending to devices and apps. It will create a direct link between the Intel vPro platform and VMware Workspace ONE to enable automated out-of-band maintenance that keeps PCs up to date on security patches and infosec policies no matter where they are located or the state of the operating system.