Allwyn Sequeira, VP Security & Network Solutions, VMware
I’m just winding down from a whirlwind trip through VMworld 2010 – days filled with sessions and meetings, and nights filled with celebratory events! Nice to see that the show continues to be very technology focused, with participants from around the world eager to learn and share the advances being made on so many fronts.
Security was a major theme this year, driven by three major forces:
Enterprises are well down the path of virtualization, and as more critical assets get virtualized, security and compliance come to the fore.
With so much interest in the benefits of cloud computing and infrastructure as a service, secure multi-tenancy is a top of mind issue.
The security industry itself has been under siege for a while now, trying to keep up with the ever increasing volume of threats, while trying to avert endpoint and network bottlenecks. Virtualization and the associated scale out, agile architectures hold promise to achieve “better security with virtualization”.
VMware launched 3 products under the vShield umbrella, to secure virtualized environments all the way from the edge to the endpoint:
vShield Endpoint: Enables offloading guest security agents to per-host security VMs.
vShield App: Virtualizes network security, and enables mixed trust zones per host.
vShield Edge: Virtualizes data center edge services i.e. FW, NAT, DHCP, VPN & Load Balancer.
A quick note on the vShield concept – these represent purpose-built, security VMs, that are distributed across the cluster in a scale out fashion, and are proximate to the resources being protected, while taking advantage of virtualization concepts like introspection, programmable insertion and mobile policies. We believe “virtual shields” are a key element of next generation security architectures, and where existing, static, scale-up firewalls and security devices/agents need to head, to take advantage of the VMware stack.
The vShield product line is managed by vShield Manager, which represents VMware’s point of integration for its security and wiring products. vShield Manager exposes all of the vShield product line features through the vShield API set, which is a RESTful set of APIs. vCloud Director, for example, integrates some of the vShield Edge capability, into its provisioning portal.
We announced partnerships around the vShield Manager concept with Cisco, Intel, McAfee, RSA, Symantec and Trend Micro, to further work towards presenting a unified security framework for VMware’s customers. We believe the framework and partnerships will significantly simplify security architectures for our customers, and leave us well poised to move to secure hybrid clouds.
The products were well received, and it was nice to see the vShield products get Best of Show for Security!
A quick note on some of the sessions I was involved with:
In my session SE8389 - Architectural Overview of Virtualization Security for the Private Cloud, we talked through our rationale & strategy for VMware security, with the vShield products representing a significant step in this direction. Whilst there is a lot of talk about public clouds, the bigger story is enterprises taking advantage of the benefits of cloud computing, by embracing secure hybrid clouds. From a security vantage point, we talked about four key areas we’re investing in, to make this happen:
Virtualize security: The first step is virtualizing security hardware, and guest security agents. Much like server, desktop, storage and network virtualization led to disruptive architectures, likewise security virtualization will dramatically accelerate the journey to secure clouds.
Build in security into the 3 layer VMware stack: We need to weave in security into the 3 layers of the virtualization/cloud stack i.e. cloud infrastructure, cloud apps, and end user computing. Different layers demand different areas of focus, all the way from roots of trust, end point security, virtualization infrastructure security, to app/data/id based security and edge security.
Create a unified framework to tie together policies and trust zones: Rather than have tens of solutions hit the customer, it is important to tie these together in a unified fashion. We believe some of the key notions are “Trust Zones”, “Policy-based security” and “RESTful Services”.
Make Secure VDCs (Virtual Data Centers) the next unit of virtualization and cloud computing: Once the above constructs are in place, we can encapsulate VMs, their wiring and their security policies into a higher level “Secure VDC” construct, that can be built, instantly stood up, migrated, federated, etc. Visio diagrams come to life!
SE8520 - Panel Discussion - Private Cloud - Virtualization Security and Compliance, Meeting PCI Standards
This was a nice, relaxed session with lot’s of audience participation, talking through issues of compliance in the virtualization and cloud world, with industry experts Neil MacDonald from Gartner, Bret Hartman from RSA, and Christopher Hoff from Cisco. Hoff did provide some comic relief, when he opened up to show a magic quadrant, carefully drawn up on his shirt. Here he is in pre-game warm-ups…
That’s about it for now. Lot’s to talk about. I’ll continue to provide more color in further posts.
Thanks, and your comments are most welcome!