IT Vortex - Managed IT Services

Secure VMware environments with these tools and tips

VMware security spans core products, such as NSX, and other security offerings that enhance those core products, such as AppDefense. With a combination of tools and best practices, such as regular backups, admins can employ a zero-trust policy and keep a data center safe.

Several VMware products offer data center security. NSX provides security through microsegmentation, which breaks down VMs into isolated groups, and AppDefense provides security through monitoring and automated incident response. VMware’s newer Service-defined Firewall takes pieces from both NSX and AppDefense to create a holistic security strategy that relies on the concept of zero trust.

VMware’s acquisitions of security startups such as CloudCoreo, Intrinsic and Carbon Black add further security capabilities to its product suite and prove security is a priority for the virtualization vendor.

However, these tools alone can’t fully secure a VMware environment. IT administrators must also make regular backups, test those backups routinely and create airgapped backup copies.

Security in NSX

VMware’s networking software, NSX, has security baked into its DNA. NSX provides essential networking components to a VMware software-defined data center. But NSX also possesses essential security features, particularly microsegmentation.

Microsegmentation enables admins to create and manage logically isolated security groups and offers more security than conventional IP addresses do. This approach integrates security into the workloads themselves. A microsegmented network employs a zero-trust security policy and places firewalls around individual workloads, rather than around an entire network, which means if one workload becomes compromised, it has little chance of compromising other workloads in the network.
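A model of the default-deny behavior described above, added here as an illustration (it is not VMware code and does not call the NSX API). The workload names, security groups, ports and allow rules are constructed; the code compares how far a compromise could spread on a flat network with how far it could spread when rules are enforced around each workload.

```python
from collections import deque

# Constructed inventory: workload name -> security group (all names hypothetical).
WORKLOADS = {
    "web-01": "web", "web-02": "web",
    "app-01": "app", "app-02": "app",
    "db-01": "db",
    "hr-01": "hr",
}

# Constructed allow-list (source group, destination group, port).
# Anything not listed is denied, including traffic inside a group.
ALLOW = {
    ("web", "app", 8443),
    ("app", "db", 5432),
}

def allowed(src, dst, port, rules=ALLOW, groups=WORKLOADS):
    """Default-deny check evaluated per workload, not at the network edge."""
    if src == dst:
        return False
    return (groups[src], groups[dst], port) in rules

def blast_radius(start, rules=ALLOW, groups=WORKLOADS):
    """Upper bound on workloads reachable from a compromised one by
    chaining allowed flows (assumes every reachable hop also falls)."""
    ports = {port for (_, _, port) in rules}
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in groups:
            if nxt not in seen and any(allowed(cur, nxt, p, rules, groups) for p in ports):
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen - {start})

def flat_network_radius(start, groups=WORKLOADS):
    """Perimeter-only model: everything inside can reach everything else."""
    return sorted(w for w in groups if w != start)

if __name__ == "__main__":
    for victim in ("web-01", "hr-01", "db-01"):
        print(victim, "flat:", flat_network_radius(victim),
              "segmented:", blast_radius(victim))
```

The transitive result for `web-01` is worth noting when reviewing real rule sets: an allow rule from web to app plus one from app to db still leaves a path to the database tier, so each allow rule should be judged by what it chains into.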

NSX also extends security across vCenter Server and the hardware. This enables disaster recovery for redundant facilities and ensures consistent security policies are reflected across an entire data center.

How AppDefense fits in

Most businesses deploy too many applications for one admin to manually track and manage. VMware AppDefense is VMware’s endpoint security tool that monitors and identifies abnormal application behavior, alerts admins to potential issues and automatically remediates problems.

AppDefense relies on the concept of the intended state of a workload or application. This intended state defines normal patterns of behavior for a VM by taking an inventory of all VMs inside a data center. An intended state engine (ISE) automates this process of determination. The ISE communicates with configuration management systems and application automation frameworks, which enables AppDefense to gather information about apps, workloads and underlying OSes.

AppDefense also automates incident response. It can send alerts to admins when VM behavior deviates from the intended state, but it can also take automatic remediation steps, such as quarantining a problematic VM, powering a VM off or deleting a VM.

Introducing the Service-defined Firewall

VMware’s Service-defined Firewall runs in the hypervisor and uses NSX’s application visibility and AppDefense’s understanding of the intended state. It inspects the security of an entire network in a holistic context.

This firewall adapts and can perform numerous automated security functions, such as locking down apps, data and users. This ensures highly distributed security and protects both the perimeter of a network from external attackers and internal assets from an attack that gets past the perimeter.

Most firewalls employ a binary enforcement strategy by either blocking or allowing data. The Service-defined Firewall can block, allow or quarantine certain information, depending on what admins deem appropriate, which makes it more challenging for bad data disguised as good data to slip past.

Although VMware’s Service-defined Firewall is still new, more than 10,000 customers use it. A test run by Verodin, a cybersecurity validation company based out of McLean, Va., concluded that Service-defined Firewall could detect and prevent 100% of the malicious attacks tested against it.

Key security market moves

As the security market evolves, VMware intends to gain traction and bolster its reputation. Alongside its development of NSX, AppDefense and Service-defined Firewall, VMware has made several key acquisitions. In 2018 and 2019, it acquired CloudCoreo, Intrinsic and Carbon Black and added further security capabilities to its product line.

CloudCoreo secures cloud environments. It offers configuration and vulnerability assessments across multi-cloud environments and is designed to identify, alert and prioritize configuration problems in public cloud infrastructures. With its acquisition, VMware hoped to build security directly into cloud services.

Intrinsic focuses on application runtime security. Its software secures serverless workloads, and its virtualization technology protects applications written in a JavaScript framework through policies set by users. It integrates with AWS Lambda, Azure Functions and Google Cloud Functions.

At VMworld 2019 in August, VMware confirmed its purchase of endpoint security company Carbon Black, which it hopes will further bolster its cybersecurity reputation. Carbon Black develops cloud-native endpoint security software designed to detect malicious data and behavior. It provides antivirus technology and delivers endpoint remediation, alert monitoring, threat hunting and incident response.

Prepare for and respond to breaches

Security tools and features alone can’t keep a data center safe from everything. Proper security requires vigilance and work on the part of admins, too. Even if security fails and a data center falls prey to an attack such as a CryptoLocker virus, admins can take various steps to protect data.

Admins should routinely test backups to ensure they work as planned. Hackers often deploy malware to target backup systems before deploying a virus to a data center at large. Antimalware and antivirus technologies can scan backups and replications for malware, but admins should test these, too, before relying on them.

Admins can also airgap their backups. This means keeping specific backup copies offline to use if online backup systems are compromised. Admins risk losing a lot of data if they don’t make airgapped copies frequently. Although storage constraints often limit what admins can back up, this strategy is the most efficient method to protect data from an attacker.
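One way to run the routine restore test described above, added here as an example rather than taken from VMware or any backup product: hash every file at backup time, keep that manifest with the airgapped copy, and compare a test restore against it. The file names and contents in `demo()` are constructed, and the test restore is simulated by re-reading the same directory after tampering.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Run at backup time; store the result with the offline (airgapped) copy."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(restored_root, manifest):
    """Compare a test restore against the trusted manifest."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "altered": sorted(k for k in manifest.keys() & current.keys()
                          if manifest[k] != current[k]),
    }

def restore_ok(report):
    return not any(report.values())

def demo():
    """Constructed sample: take a manifest, then tamper with the online copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "vm-backup")
        (src / "cfg").mkdir(parents=True)
        (src / "disk.vmdk").write_bytes(b"constructed disk image bytes")
        (src / "cfg" / "vm.vmx").write_text("memsize = 4096\n")
        manifest = build_manifest(src)           # would be kept offline
        clean = verify_restore(src, manifest)    # restore before tampering
        (src / "disk.vmdk").write_bytes(b"constructed overwritten bytes")
        (src / "cfg" / "vm.vmx").unlink()
        (src / "README.txt").write_text("constructed note\n")
        return clean, verify_restore(src, manifest)

if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore ok:", restore_ok(clean))
    print("tampered report:", tampered)
```

Because the manifest lives with the offline copy, malware that reaches the online backup system cannot rewrite the hashes the restore is checked against.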
