Well, I’m sure I’m biased, but I think the new security capabilities are potentially one of the biggest parts of the vSphere 5 release wave.
Fundamentally, just like the explosion of data has turned out to be a blessing in disguise (with the emergence of Big Data Analytics) – the fact that virtualization “broke” security models is a similar blessing.
What do I mean when I say virtualization “broke” security models? Consider the diagrams below.
Well – on the left you have the traditional security model:
- AV runs on hosts.
- Firewalls provide 5-tuple session-level network perimeter security where you physically “clamp” them on key network points. Of course this can be somewhat logically virtualized using VLANs – but this has real practical limits that are associated with the physical infrastructure and its location.
- Likewise, key things like IDS and Data Loss Prevention are implemented at key network “choke points”.
Well – on the right you have the NEW security model.
- Workloads are encapsulated and very mobile – at any given point, they could potentially move across the network. Today, this is generally within the walls of the datacenter, but that is NOT explicit in the model – and over time, more dispersed and hybrid cloud use cases will continue to stretch the definition of what’s in this model.
- This demands that control functions be enforced and applied as part of the virtualization platform – and that policy be applied against logical constructs: groupings of VMs, tenants.
… This demands change….
If you look at that picture, and layer on what RSA has been working on with VMware for the last 2 years, you can see material progress against that picture.
- RSA Envision is integrated with vCenter, ESX, vShield, vCloud Director (along with a ton of physical infrastructure – for example, all the EMC and Cisco components in a Vblock) for integrated Security Information and Event Management (SIEM)
- Likewise, RSA Archer can pull that all together, and inspect and report against the Governance, Risk and Compliance state of a virtualized environment – including things like geographic distribution of VMs and ESX hosts, integrated with Intel TXT. This is all possible today, via API-level integration.
- SecurID can harden ESX and View.
- The new Cloud Trust Authority can provide a federated view of trust across cloud models.
What’s new today is the addition of Data Loss Prevention via embedding RSA technology in vShield App 5.0. This new capability, called Data Security, can:
- Classify data within VMs
- Built-in classification against policies
- No agents or 3rd party software
- Comes “out of the box” with 80+ policies for classification
- Complete visibility into data
- Be integrated with enterprise DLP for a single end-to-end physical/virtual DLP solution.
Yes – this means that without any agent, it cracks open documents, scans their contents for all sorts of juicy stuff (scary at the same time that it’s needed):
- General keywords
- Specialized keywords
- Patterns and strings
- Proximity analysis
- “negative” rules
As an example, here, DLP can examine a PDF in a VM. Here, it’s a prescription – and it can associate the fact that there is a name in near proximity to a personal identifier, finding patterns like credit card numbers and patient IDs.
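To make those five rule types concrete, here is a small content classifier I have added as an illustration. It is my own example code, not the vShield Data Security engine or any RSA policy content, and it makes a few assumptions: the patient-ID format `PT-` plus seven digits is invented for the example, the proximity window of 100 characters is arbitrary, the two documents it scans are constructed sample text, and the negative rule is simplified to “a test-data marker anywhere in the document suppresses all findings.” It does show the mechanics that matter in practice: plain keyword hits, pattern hits that are validated (a Luhn check on candidate card numbers cuts false positives on random digit runs), and a proximity rule that only fires when a name sits near an identifier.

```python
"""Toy DLP-style classifier: keywords, validated patterns, proximity, negative rules.

Added example, not vendor code. The sample documents and the PT-nnnnnnn
patient-ID format are constructed for illustration only.
"""
import re
from dataclasses import dataclass

# Constructed sample documents (not from any real system).
SAMPLE_PRESCRIPTION = """
Rx for Jane Doe, patient ID PT-4471982. Dispense as written.
Billing card on file: 4539 1488 0343 6467 (exp 03/14).
"""

SAMPLE_TEST_DATA = """
TEST DATA ONLY - Rx for John Smith, patient ID PT-0000001.
Card: 4111 1111 1111 1111
"""


@dataclass
class Finding:
    rule: str       # which rule fired, e.g. "pattern:credit_card"
    match: str      # the matched text
    position: int   # character offset in the document


GENERAL_KEYWORDS = ("confidential", "do not distribute")
SPECIALIZED_KEYWORDS = ("rx", "dispense as written", "patient id")
# Hypothetical patient-ID format chosen for this example: "PT-" + 7 digits.
PATIENT_ID_RE = re.compile(r"\bPT-\d{7}\b")
# 13-19 digits, optionally separated by spaces or dashes (candidate only; see luhn_ok).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Crude "person name" heuristic: two capitalised words.
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")
# Negative rule: documents carrying one of these markers are not reported.
NEGATIVE_MARKERS = ("test data only", "sample document")
PROXIMITY_WINDOW = 100  # characters; arbitrary choice for the example


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def keyword_findings(text: str, keywords, rule: str) -> list:
    """Case-insensitive keyword hits; each occurrence becomes one Finding."""
    low = text.lower()
    out = []
    for kw in keywords:
        start = 0
        while (idx := low.find(kw, start)) >= 0:
            out.append(Finding(rule, text[idx:idx + len(kw)], idx))
            start = idx + 1
    return out


def pattern_findings(text: str) -> list:
    """Pattern hits; card candidates must also pass the Luhn check."""
    out = [Finding("pattern:patient_id", m.group(), m.start())
           for m in PATIENT_ID_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            out.append(Finding("pattern:credit_card", m.group(), m.start()))
    return out


def proximity_findings(text: str, identifiers: list) -> list:
    """A name within PROXIMITY_WINDOW chars of an identifier is a stronger signal."""
    out = []
    for ident in identifiers:
        kind = ident.rule.split(":", 1)[1]
        for m in NAME_RE.finditer(text):
            if abs(m.start() - ident.position) <= PROXIMITY_WINDOW:
                out.append(Finding(f"proximity:name_near_{kind}",
                                   f"{m.group()} ~ {ident.match}", m.start()))
    return out


def classify(text: str) -> list:
    """Run all rule types; the negative rule suppresses the whole document."""
    if any(marker in text.lower() for marker in NEGATIVE_MARKERS):
        return []
    findings = keyword_findings(text, GENERAL_KEYWORDS, "keyword:general")
    findings += keyword_findings(text, SPECIALIZED_KEYWORDS, "keyword:specialized")
    identifiers = pattern_findings(text)
    findings += identifiers
    findings += proximity_findings(text, identifiers)
    return findings


if __name__ == "__main__":
    for f in classify(SAMPLE_PRESCRIPTION):
        print(f"{f.rule:<32} @{f.position:<4} {f.match!r}")
    print("test-data document findings:", classify(SAMPLE_TEST_DATA))
```

Run as a script it lists every finding in the prescription sample and an empty list for the test-data sample. The design point worth noting is that the proximity rule consumes the output of the pattern rules rather than re-scanning, so a name next to a Luhn-valid card number is reported with more confidence than either hit alone, which is exactly the “name near a personal identifier” association the post describes.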
One interesting “story behind the story” is just how long we’ve been working on this. If you go back and take a look at what I demonstrated at VMworld 2009 here, you can see me demonstrating a VERY early prototype of this idea. That’s one example of what I mean when I say: a) come to VMworld!; b) watch what we do/say – not everything will come to fruition, but we don’t say stuff lightly; c) imagine how hard it is to “sit” on really cool face-melting stuff like this for 2 years :-) If you look at that slide deck, you can see things that eventually made it into vCenter Operations, FAST VP/SDRS and other neato stuff… Oh what will we do in Vegas this year?!?! :-)
The other interesting “story behind the story” is the team that develops the DLP scanning engine and policy – not only making sure that vShield App 5 Data Security ensures compliance against the standards NOW, but also ensuring that as the standards are updated, the software itself continues to evolve to match.
It’s a bizarre mix of skills, experience and training - Knowledge Engineering Team profile:
- Work Exp: 12 years
- Certifications: 18 regulations
- Languages : Four
- Background: Linguistics, artificial intelligence, search technologies
- Education: Library sciences, Computer Science
So there you have it – compliance against standards, including data at rest – now can be embedded as a control in the cloud infrastructure itself, and that policy can be enforced/governed, and compliance against risk (including other sources of info, like Envision logs, and integration with the vSphere security and hardening best practices) can be pulled together in a single dashboard report in Archer.
If you want to give it a whirl – check it out! If you click on the below, VMware is running a promotion of this where you can get a 50-VM pack license for vShield Data Security (thru Sept 15th!)
well written, liked the way you explained stuff, clear and not using long explanations...
Posted by: sandeep | July 12, 2011 at 07:21 PM